A Study of Information Technology Risk Management of Government and Business Organizations in Thailand using COSO-ERM based on the COBIT 5 Framework

Authors

  • Sakchai Tangprasert, KMUTNB

Keywords:

IT Risk Management, COSO-ERM, COBIT 5 framework

Abstract

Information technology (IT) risk management plays an important role in controlling security and building confidence in the use of IT system services. Many organizations have focused on risk management for IT security. In this study, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework was used for risk management by identifying risk factors in accordance with the requirements of the COBIT 5 areas that need to be controlled. In addition, 2 experiments were conducted with 3 government organizations and 3 private organizations in order to evaluate the performance of IT security control. The first experiment identified the risk levels through risk assessment, which showed which risk levels need a risk response in accordance with the COBIT 5 framework implementation life cycle. From the second experiment, it was found that risk management using all 7 phases of the COBIT 5 implementation life cycle decreased the risk levels for both government and private organizations. However, moderate and low risk levels were still observed, and these need to be managed in order to keep them at a very low level. In addition, it was found that the risks of government and private organizations were different, which was a result of differences in the obstacles and the context of the problems encountered in risk management. The findings of this study provide guidelines for developing a framework for IT risk management in the future.

Published

2020-06-29

Section

Research Articles