A Risk Assessment software based on COBIT (2019).
(Under development/revision) Developed using Java, the program, uses an own methodology (based on this paper) for evaluating and prioritizing COBIT (2019) processes/objectives.
20240415 Rev. note: I'm evaluating the approach (uploaded, the file I'm using for testing). The idea is eventually incorporate the practices, activities, and the chance to incorporate controls where all this is going to be quite more interesting. In fact, the idea came up for controls, but in order to evaluate the methodology, I just prefered a Top Down approach. Anyway, let's see...
- Because the concept of probability is so much aligned with controls instead of processes, the "inherent" risk associated is only in line with the different impacts of the processes, this is: information impact, financial/economic impact, and others (compliance impact, for example).
- It takes into consideration not only the result of the latest evaluation (in order to evaluate the residual risk) but, also, the aging (the elapsed period) between the date of the latest revision and the current day. 1
- It defines a value (risk exposure) as the quotient between the residual risk and the impact expressed in bits/impact (this is, how much information I have per impact unit. Less value, less information I have and, in consequence, these processes could be considered to be reviewed with highest priority).
It's a client-server program (using SSL) but only for performing login (mainly, for web-service security and performance issues), and for serving the impact and risk exposure values. The program keeps locally the risk map information, and allows export the information in csv format.
1: Asumming that the amortization of the engagements is 5 (five) years.
1) Download the zip file.
2) Unzip it wherever you want.
3) Execute the .bat file.
Requirement note: for sure, you must have java installed and into the "PATH" variable (if not, you can edit the .bat for specifying the executable location). The program was tested with Java 17 Eclipse Temurin. You can download it from here. Plsss, see release descriptions for particular issues.
I find the approach interesting, at least, original! hahah I'm not sure whether it will have organizational impact, but is, in first place, an intellectual and theorical approach. So, any comment, bugs or crashes issues, suggestion, or any kind of feedback, it will be appreciated (luis.alfie@gmail.com).
Enjoy!
