The increasing complexity of IT systems and their interoperability has compounded the challenging task of assessing the IT risks and devising cost-effective mitigating measures. Risk factors such as business dynamics and changes arising from new technology and regulatory requirements, affect the risk profile, which requires reassessing the defined IT risks and the corresponding controls. Ensuring effectiveness and efficiency of the implemented controls is crucial to obtain an accurate sense of assurance that, in itself involves risk. IT Risk Assessors, auditors and practitioners use a set of criteria to estimate risk and then derive areas for control improvement. However, it is highly inefficient, subjective and little data is directly collected to support the decisions made. With improvements in technology a range of new organizational data can now potentially be used to support the selection of IT controls. Little empirical research has been conducted to date in this area. A set of related problems is explored in this thesis and the research focuses on one particular researchable problem, stated as: Selecting the best set of IT controls configurations in any situation for the highest business value outcomes. A research question has been derived from the research problem to guide the research processes: What are the criteria for selecting the most effective and efficient controls configurations for the best business value outcomes? To answer the research question, methodologies were explored resulting in the selection of Design Science (DS) as the research methodology for this thesis. DS has been adopted in IT research, as DS has shown to be adequate to research complex and multi-domain problems, when sufficient knowledge is not always available. The key aspect of the DS methodology is to learn through doing. A DS research roadmap and artefacts evaluation criteria have been adopted to ensure the research activities are executed objectively and the anticipated research deliverables are produced.
In this thesis a conceptualised solution was developed, which is a model-based interactive Decision Support System (DSS) to aid management, and practitioners determine the controls configurations that return the best business value. Following the DS methodology process, a model called (G-Model) resulted in game theory applications and a 3-player competitive game to solve the problem of selecting the best performing control configurations. The Gambit software application was used to develop a 3-player game using COBIT 4.1, ITIL v3.0 and ISO 27001/2, security controls as the game players. Each player has two strategies: Implement and Not-Implement. A set of payoff values and guidance on how to calculate a payoff value was prepared along with a Risk Space Matrix definition. A risk register was employed as part of the DSS to capture and assess IT risks and also to apply the controls and processes resulting from the game theory based model. The DSS components were subjected to experts? evaluation, 7 experts in total participated in a two-stage evaluation. Oral and written feedback was obtained, analysed and reflected upon. The artefacts evaluation was benchmarked against an adopted evaluation criteria. Reflecting, by the researcher, on the expert?s feedback and artefacts evaluation, answers for the raised questions were formed. Subsequently, selection criteria to aid practitioners in finding the best set of controls that return the best business value and mitigate the identified risks, were defined. Lastly, in this thesis recommendations for further research are provided. To further investigate the G-Model and analyse the Nash Equilibrium value that results from solving a gaming file. The objective is to find the correlation with the corresponding payoff value to estimate the Capability Maturity Model Integration (CMMI) level of the selected controls. Also, recommendations are made to develop sub-games so that controls can be defined at a granular level. This research investigates the application of the game theory based model in an interactive DSS that allows practitioners to examine the value of forming possible controls configurations. G-Model provides the means for practitioners to enter the payoff values, enabling them to assess the possible controls combinations, holistically and determine the best set of controls in almost real-time. The essence of an effective IT risk management, resource extensive process, is to be conducted timely, and be repeatable with ease. If gaming files are developed for the wider spectrum of IT General Controls (ITGC), and integrated in an interactive DSS software application. Practitioners would be able to assess IT risks as often as required and be able to select the set of controls that return the highest business value outcomes.