Risk Management Proposal For SALT Essay.

SALT (Smart And Living Technologies) is a medium sized Software Development company in South Australia which was established in 2004. It is present in two premises, both of which have their offices. Additionally, they have hosted their information systems in a hosted data centre facility with a service provider. That is the only instance of their IT infrastructure. SALT is providing software solutions and consulting services to clients all over the world, who fall under small to medium sized businesses. The departmental heads are mostly the people who were there since first day of the business, except the CISO that is a new role introduced recently. This explains why heads of department in SALT have a good knowledge about their business processes but less focussed on formal documentation.
Alex Smith is the CEO of SALT. He started the company in partnership with a friend, Brett. Brett is an investor in the company but has a dormant role as far as the business operations are concerned. Mr. Smith is an engineer but he has no modern technical understanding of IT security issues. Alex has had no problems with IT Security until very recently when the Company's network was subject to a series of attacks. In the period of 3 days, the company.s website was defaced, a serious virus infected the company e-mail and large quantities of data were corrupted.
Alex's IT security risk management concerns are wide ranging. He needs to determine whether the same hackers are likely to hack the company again. He believes the recent attacks suggest the hackers were interested to disrupt the reputation of the company through proprietary theft of sensitive information. There is also an evidence of a previous disgruntled employee planning for revenge against the company.

Proposal for Information security team

This report depicts the importance of implementing different risk management components in medium sized software Development Company named as Smart and Living technologies (SALT).  Due to lack of management oriented issues the company is currently facing major risks in their security system. In order to gain effective revenue from the competitive marketplace the software development company is required to implement proper security measures in the management system. This report delivers a proposal for the information security team in terms of organizational chart. Apart from this, it will also provide justification for each of the roles including their job description.

Not only will this, but also SALT will propose information security processes and information security procedure. In addition to this, the major risks that SALT is facing for their usability are also illustrated and   in order to combat the issues proper security measures are also required to be elaborated in this report. Not only this, but also the vulnerabilities and threats that SALT is facing frequently due to lack of risk management measurements are also elaborated in this report. Besides this the issues continuously occurring for the legal and ethical issues are also required to be mitigated. In order to mitigate those issues proper risk register are needed to be incorporated. Lastly, Forensic readiness documentation will be prepared based on the IT infrastructure.

Smart and Living technologies (SALT) is a software solution and consulting services providing company in South Australia. Due to lack of security the company is facing major issues in their business management components. The organizational chart and the description of each of the roles are needed to be served accurately to avoid the management oriented issues.  The proposed organizational structure of Information Security team for Smart and Living technologies (SLAT) is as follows:

Name of the employees	Roles
Chief finance advisor	Will make a project feasibility study to make the employees understand that the finance developed for the project is very much beneficial.
Chief IS manager	The IS manager develops the outline of the information system which is suitable for SALT.
Chief executive officer	The CEO looks for the entire management approach including the risk management and system development.
Senior software architect	The senior software architect develops the architecture of the software hat us suitable for SLAT.
Director of software development	All the software related information are managed, deployed, developed and approved by the director of software development system.
Software engineer	The software engineer will develop and approve the finalized software that will be served by the system developer.
Chief information security officer	The CISO will frame the security measures that must be undertaken for mitigating the security issues.
Application programming manager	The application of software program developed by the software developers are operated accurately by application programming manager.
Contact software engineer	For any kind of changes in the software developed by SALT, the project manager and even the client is required to contact to the software engineer.
Risk mitigation manager	In order to combat the risks proper risk register should be developed by the risk mitigation manager
Software tester	Whether the developed software is working efficiently or not is tested by the software tester
Security management trainers	The security management trainers give training to its fellow for securing the system effectively from the external attackers.
Software implementation specialists	The software implementation specialist helps too control and monitor the entire software that will be implemented by the software implementation specialist.
Quality assurance providers	The quality of the software is whether meeting the requirement of the consumers or not is measured by the quality assurance manager
Prototype developer	Whether the software prototype is beneficial for the company and for the consumers or not is assured by the prototype developers.
Code developer	In order to run the software program proper coding are needed to be framed accurately. In order to assure that the code developers are required.

Name of the employees	Roles
Chief finance advisor	The chief finance manager is responsible to measure the overall budget that is required to develop the software. Even the finance manager should also allot extra budget for the future resource requirements.
Chief IS manager	The Chief IS manager is responsible to ensure that the developed software is absolutely meeting the requirement of both the consumers and of the employees of the software consulting company.
Chief executive officer	The Chief executive officer is responsible to control and monitor the entire usability and features of the developed software.
Senior software architect	The design and model developed by the software developers are assured by the senior software architect.
Director of software development	The director of software development management team is responsible to develop and monitor the features of the newly developed software.
Software engineer	The software engineers are responsible for developing the software as per the requirement of the clients and SALT itself.
Chief information security officer	The chief information security officer is responsible to develop the security measures to keep the software and company secured from the external attackers.
Application programming manager	The application programming manager is responsible to ensure that all the required programs are whether present in the developed software system or not. If any of the features are found to be missing then, the programming manager should incorporate the desired network oriented characteristics in the software system.
Contact software engineer	The contact software engineer is responsible to bring the necessary changes those are required to develop the software system for the software consulting organization.
Risk mitigation manager	The risk mitigation manager should develop different risk management strategies
Software tester	Whether the software is beneficial for the consumers or whether it requires any kind of changes for further improvement or not is measured and monitored by the software tester.
Security management trainers	For improving the security of the Information System and software applications the system developed are required to get enough training and for giving such training to the employees of the organization the security management trainers are responsible.
Software implementation specialists	Before implementing the software in the practical field or in front of the internal consumers the specialist are required to measure its operational as well as functional characteristics.
Quality assurance providers	The quality of the developed software is required to meet the requirement of the clients. Thus, for organizational growth and revenue the quality is referred to as one of the most important factor that must be considered.  For assuring the quality of the system the quality assurance manager is responsible.
Prototype developer	The prototype developers are responsible for checking the operational features of the software prototype model.
Code developer	The codes designed for modeling the software system are checked by the code developer.
Prototype developer	The prototype model is whether meeting the client’s requirement of not is monitored and checked by the prototype developer.

After analyzing the current situation of Smart and Living technologies (SALT) it is found that the company is facing major challenges in the field of internal audit, hardware system, software concern and also even in the risk management strategies. In order to mitigate these issues, the CISO of Smart and Living technologies (SALT) is willing to provide a list of information security processes and information security procedure. Among the large set of information security processes and procedure the most suitable process and procedure are elaborated on this report to assure the approval from the Chief Executive officer (CEO).

Different processes are there those are widely used by the business enterprises for avoiding the security level issues from the core area of management. The process lists are as follows:

• Prevention
• Detection
• Response
• Information security risk management
• Information security incident management

Different sorts of information security procedures are available in Smart and Living technologies (SALT). The list is as follows:

• Administrative procedure
• Using general ownership management
• Security and proprietary data
• Unacceptable usage
• Technical procedure
• Information sensitivity
• Standard operating procedure (SOP ) for TVA
• Transmission encryption methodology
• Access of the websites considering the higher risk information
• Password incorporation procedure
• Security implementation in the Router
• Database security
• Development with the implementation of antivirus

Among these different processes, Smart and Living technologies (SALT) should adopt Smart and Living technologies (SALT) for mitigating the risks of hardware, software and network applications. From the internal audit report it has been found that, the software company has improper operating procedures. Thus, different issues are continuously occurring in the field of the software functionality an operation as well.  The company has vast issues in security awareness and in the common security laziness. Apart from this, due to the presence of lesser amount of standard security procedures the data those are stored in the server of the organization, are not enough secured from the external attacks. Even many such types of equipment are there those are not at all using by the management authority accurately. On the other hand due to in adequate risk management planning the company fails to provide proper backup to the data and disaster recovery approach to both the employees and clients. As most of the organizations fail to turn off the computers at the end of their working hours thus the CISO is willing to develop standard information security processes in Smart and Living technologies (SALT). The technologies are as follows:

Justification for each of the roles

Authentication: Authentication is referred to as one of the most important security aspect that helps to provide enough security to the data server of Smart and Living technologies (SALT). The unauthorized users rather the users who are not certified with proper operational and functional management cannot access any information from the server without accurate permission. Three main components of authentication include confidentiality, integrity and availability. It means that, only the authorized users will be looking for the information regardless of their location and time as well.  At the same time data customization is another important component of system authorization. For software authorization none of the external users will be able to access or utilize the software.

Password improvement: The Smart and Living technologies (SALT) should implement proper password technology in the system to make the system much secured from the external attackers. If properly customized and strong password is provided then the entire system will be found to be as enough secured. If such a source code is not used for a stored file then, just from the immediate file the database name and password could be easily read. In order to mitigate this kind of issues implementation of proper source code and credential source files should be deployed. If strong password is developed then none of the external users will be able to hijack the password easily for accessing data from the server.

Encryption technology development: Encryption is another important technology that is most widely used by the medium to large enterprises. In the encryption technology accurate keys in terms of both public keys and private keys are used by the business developers. If the accurate key is available to the users then they will not be able to decrypt the data server access information. Thus in order to keep the confidentiality the company it is strictly required by the risk management authority to incorporate accurate encryption technology for securing

Software License authorization:  In order to run the software application accurately the system developers are required to consider and buy proper software license for developing the system without any sort of error .  

Among all of these procedures, the most effective procedure is the development of Standard operating procedure (SOP) for TVA (Threats and vulnerability assessment). IT security policies are mostly developed for assessing vulnerabilities and managing them accurately.  Vulnerability scanning is referred to as a tool that helps the business organizations to identify different network and equipment oriented issues. In order to ensure the information level security aspects proper information security are required to be processed by the management authority of the business organization.  The steps for developing the security of the system are as follows:

Identification of cyber security incidents: This is a subtask rather important activity of the initial phase of system development. In this phase, the users are required to identify the cyber security incidents. After identification of this processes proper security measures should be undertaken, by the risk managers of Smart and Living technologies (SALT).

Job description for each of the roles

Risk analysis: After identifying the cyber threats and vulnerabilities the risk management authority is required to analyze those risks properly. After analyzing the risks the management will be able to understand which risk should interrupt the developed software or the network accurately.

Risk ranking: After analyzing the risks properly the system developers are required to rank the risks based on their priority. After prioritizing the risks, proper risk mitigation strategies are needed to be developed by the risk managers. Not only the risk management authority but also the application programming managers are responsible to develop proper risk management programs for mitigating the risks from the core management area of Smart and Living technologies (SALT).

• The primarily identified risks, threats and vulnerabilities are as follows:
• Unauthorized data access from the public internet
• Data damage during running the system application
• Hacker’s penetration
• Operating system disability in the workstation of Smart and Living technologies (SALT)
• DOS attack on the email of Smart and Living technologies (SALT).
• Warehouse attack
• Server attack

 The risks identified for Smart and Living technologies (SALT) are very much broadly categorized in three different components such as hardware risks, software risks and general risks. The reason for this examination is essentially to give you a thought regarding the planning of recuperation, and the planning of your reinforcement, since the planning is critical the distinction of just a few hours could mean last chance for specific organizations if hit by a noteworthy occurrence. For instance, on the off chance that you are a money related establishment, recuperation time of four hours could mean you will presumably survive an interruption, though recuperation time of 12 hours is inadmissible for specific frameworks/exercises in a bank, and disturbance of an entire day would likely mean such a bank could never have the capacity to open its entryways again. What's more, there is no enchantment standard which would give you the planning for your association not just in light of the fact that the planning for each industry is distinctive, additionally on the grounds that the planning for each of your exercises could be distinctive. In this manner, you have to play out the business affect investigation to make adjust conclusions. In order to mitigate the risk a risk register is being developed the register is as below:

Risk Id	Risk description	Risk probability	Risk impact	Proposed mitigation	Risk ownership	Risk trigger
1	Inaccurate operating procedure	Medium	High	In order to mitigate this issue proper operating procedure are required to be adopted by Smart and Living technologies (SALT)	Application programming manager	Monitoring and control
2	Lack of security approaches	High	High	Proper security in terms of authentication and encryption are required to be adopted by the system developers.	Chief information System Manager	Monitoring and control
3	Unattended devices	High	Medium	Many devices are not properly used proper training and development programs are required to be adopted to make proper utilization of the devices.	Hardware manager	Risk management
4	Inadequate operating procedure	High	High	Proper operating procedures should be adopted	Chief information security officer	Monitoring and control
5	Hardware issues	High	Medium	Proper hardware should be installed		Risk management
6	Lack of access restriction	Medium	High	Access control must be implemented so that only authorized users can come and access the information of Smart and Living technologies (SALT)	Chief executive officer
7	Lack of authentication	High	Medium	Authorization in the software and server should be implemented	Chief information security officer	Risk management
8	Lack of access control	High	High	Encryption leys and authentication are required to be adopted	Chief executive officer	Monitoring and control
9	Limited antivirus	Medium	Medium	Adequate antivirus must be installed by Smart and Living technologies (SALT)	Chief information security officer	Risk management

In order to maintain the information security, the organization must prepare a suitable information security policy that will enforce the employees and other users to abide by specific information usage policies and guidelines. Accordingly, the information security policy document is as follows.

User System and Network Access – Normal User Identification

Password must not be found in any English or outside word reference. That is, any regular name, thing, verb, intensifier, or descriptor should not be used. These can be effectively broken utilizing standard "programmer devices". Client records will be solidified after (# of days) fizzled logon endeavors. Logon IDs and passwords will be suspended after (# of days) days without utilize. Passwords ought not be posted on or close work stations or generally be promptly accessible in the territory of the terminal. Password must be changed each (# of days). Clients are not permitted to access password records on any system foundation part. Password records on servers will be checked for access by unapproved clients. Clients who require this level of access to generation frameworks must demand a Special Access account as laid out somewhere else in this record. Replicating, perusing, erasing or changing a password document on any PC framework is restricted. Clients won't be permitted to logon as a System Administrator. Worker Logon IDs and passwords will be deactivated at the earliest opportunity if the representative is fired, terminated, suspended, put on leave, or generally leaves the work of the organization office. The representative must distinguish himself/herself by (e.g. representative number) to the IT office. Representatives will be in charge of all exchanges happening amid Logon sessions started by utilization of the worker's password and ID. Bosses/Managers might promptly and straightforwardly contact the organization IT Manager to report change in worker status that requires firing or adjusting representative logon access benefits. Workers who overlook their password must call the IT office to get another password doled out to their record. Workers should not logon to a PC and after that enable another person to utilize the PC or generally share access to the PC frameworks.

Information security processes

Connecting to Third-Party Networks

This arrangement is set up to guarantee a safe technique for availability given between the organization and all third-party organizations and different elements required to electronically trade data with organization.

"Third-party" alludes to merchants, experts and business accomplices working with organization, and different accomplices that have a need to trade data with the organization. The third-party organization will guarantee that exclusive approved clients will be permitted to access data on the organization arrange. Third-party arrange associations are to be utilized just by the representatives of the third-party, just for the business motivations behind the organization. The third-party will not permit Internet activity or other private system movement to stream into the system. In situations where the current third-party arrange associations do not meet the necessities sketched out in this archive, they will be re-outlined as required. This approach applies to all third-party association demands and any current third-party associations.

Remote Access

Just approved people may remotely access the organization arrange. Remote access is given to those representatives, temporary workers and business accomplices of the organization that have a real business need to trade data, duplicate records or projects, or access PC applications. Approved association can be remote PC to the system or a remote system to organization arranges association. The main satisfactory strategy for remotely interfacing into the interior system is utilizing a protected ID.

 The legal and ethical issues faced by public sector clients of SALT are explained in the following part.

The notoriety and accomplishment of administration relies on the lead of open functionaries and what general society accept about their direct. It is hence of crucial significance that open functionaries act evenhandedly and reasonably to all, paying lip administration to ethical direct as well as guaranteeing that these are obviously and without a doubt seen to be finished. Individual self-intrigue ought to be subordinate to the general population great in all conditions, particularly if conditions emerge where the likelihood of an irreconcilable circumstance may turn into an ethical situation. It is basic that all open functionaries after tolerating government business perceive that they have an extraordinary obligation to be open, reasonable and fair in their dealings with society. The significance of ethics is challenged. The first of these two methods for characterizing ethics is the counter defilement approach and the second is the respectability approach. The counter debasement approach outlines dialog about ethics in negative terms. While a few creators characterize it as far as what it is not, alluding to matters, for example, offense, debasement, extortion and different sorts of unlawful conduct, others allude to thoughts of respectability, genuineness, individual esteems and expert codes. The respectability approach outlines ethics in positive terms. A few scholars contend that ethics can be separated from religion as well as from profound quality however most allude to its religious and philosophical bases. Ethics 'is about what we should do'. However there has all the earmarks of being general assention that ethics is about connections. It requires a judgment be made about a given issue or circumstance. Further, the term, ethics, 'is some of the time used to allude to the arrangement of tenets, standards or ways or believing that guide, or claim expert to control, the activities of a specific gathering'. For example, Codes of Conduct recognize benchmarks of authority lead that workers are required to perform. The absolute most normal ethical quandaries with which open workers are gone up against, rotate around viewpoints, for example,

• corruption
• administrative discretion
• nepotism
• information leaks
• administrative secrecy
• policy dilemmas
• public accountability

Information Security Procedure

Open authorities are not only agents of open approach. They settle on choices relating to the lives of individuals, for instance, about charges, survival and the rejection of individuals. In doing as such they practice caution. The reality of the matter is that inside the standards and controls set around enactment and inside the endorsed systems, there is adequate open door for the general population authority to utilize his caution. The question is then how choices are to be made to evade ethical quandaries. As such, the advancement of general welfare depends to a huge degree on the utilization or manhandle of managerial attentiveness. At the point when confronted with choices the decision of people in general authority represents an ethical issue: the decision might be satisfactory to just a little area of society. It could well be that all the recommended tenets, directions and systems are clung to however that the optional decision might be seen as unethical or even degenerate. The issue is that the choice of one way of activity from among a few options is frequently made on the premise of individual inclination, political or different affiliations, or even individual magnification, accordingly neglecting well established certainties and along these lines the likelihood of sound basic leadership.

Forensic Readiness is having a suitable level of capacity with a specific end goal to have the capacity to save, gather, ensure and dissect computerized prove so this proof can be utilized viably : in any legitimate matters; in security examinations; in disciplinary continuing; in a work tribunal; or in an official courtroom. This direction paper has been set up to give NICS associations an underlying reaction to significant episode circumstances where the conservation and securing of advanced confirmation might be required. It gives an arrangement of Do-s and Don't-s for specialists on call. It is not proposed as a complete way to deal with the administration of advanced confirmation. Associations ought to make reference to CESG Good Practice Guide 18, Forensic Readiness,/or look for master help, for instance, from IT Assist.

It is impractical to be complete about what may constitute a noteworthy occurrence; however the accompanying can be viewed as likely situations:

• Denial of Service (DoS) assault;
• Bargained have bringing about unapproved projects or procedures running on the host;
• Uncontained vindictive code – e.g. a worm engendering;
• Misfortune or robbery of a huge sum (>1000 records) of individual data;
• Misfortune or robbery of installment card data;
• Wrong utilization of ICT that may bring about the requirement for disciplinary or lawful activity;
• Dangers or coercion

No ensuing exercises ought to be taken that could modify or annihilate the advanced proof, or offer adapt to present circumstances that it might have been modified. The key rule of this direction is that at whatever point there is a noteworthy occurrence with sensible doubt of interruption, misfortune/burglary of information or abuse of an association's ICT frameworks to the degree that computerized prove should be saved to bolster assist inside and out examinations or activity by the association itself or different specialists, at that point.

On the off chance that, amid the underlying examination of an occurrence, it is likely that advanced proof should be protected, it is fundamental that frameworks containing such confirmation are not changed at all. Basically this implies don't cooperate in any capacity with the host or logging framework however look for master help either from appropriately qualified assets inside your association or from outer specialists – typically by means of IT Assist.

Major Risks and Vulnerabilities

Unless the association has suitably qualified assets to appropriately gather, secure and examine advanced confirmation then master help through IT Assist must be looked for. This is probably going to be the situation in most current conditions. Generation of a Forensic Readiness Policy by Departments is an obligatory necessity of HMG Security Policy Framework (SPF). Departments and Agencies must be able to routinely review data resources and ICT frameworks. This must include: A forensic readiness policy that will expand the capacity to save and investigate information produced by an ICT framework, that might be required for legitimate and administration purposes (Mandatory Requirement 37).

• If not officially created, associations ought to create Forensic Readiness of adequate capacity and coordinated to their business needs. Forensic Readiness includes:
• Particular of a Forensic Readiness Policy that sets out a predictable approach;
• Point by point arranging against run of the mill (and real) case situations that the association faces;
• Recognizable proof of suitably qualified inward or outside assets that can be conveyed as a component of those arrangements;
• Recognizable proof of where and how the related Digital Evidence can be accumulated that will bolster case examination;
• A procedure of consistent change that gains for a fact

Conclusion 

This report depicts the importance of implementing different risk management components in medium sized software Development Company named as Smart and Living technologies (SALT). In order to gain effective revenue from the competitive marketplace the software development company is required to implement proper security measures in the management system. This report delivers a proposal for the information security team in terms of organizational chart. Due to lack of management oriented issues the company is currently facing major risks in their security system. SALT will propose information security processes and information security procedure. In addition to this, the major risks that SALT is facing for their usability are also illustrated and   in order to combat the issues proper security measures are also required to be elaborated in this report. Not only this, but also the vulnerabilities and threats that SALT is facing frequently due to lack of risk management measurements are also elaborated in this report. Besides this the issues continuously occurring for the legal and ethical issues are also required to be mitigated. After analyzing the current situation of Smart and Living technologies (SALT) it is found that the company is facing major challenges in the field of internal audit, hardware system, software concern and also even in the risk management strategies. In order to mitigate these issues, the CISO of Smart and Living technologies (SALT) is willing to provide a list of information security processes and information security procedure. Among the large set of information security processes and procedure the most suitable process and procedure are elaborated on this report to assure the approval from the Chief Executive officer (CEO).

The following recommendations can be suggested regarding the implementation of cyber security policies of SALT.

• Password must not be found in any English or outside word reference. That is, any regular name, thing, verb, intensifier, or descriptor should not be used. These can be effectively broken utilizing standard "programmer devices".
• Passwords must not be posted on or close work stations or generally be promptly accessible in the territory of the terminal.
• Just approved people may remotely access the organization arrange. Remote access is given to those representatives, temporary workers and business accomplices of the organization that have a real business need to trade data, duplicate records or projects, or access PC applications.
• Third-party arrange associations are to be utilized just by the representatives of the third-party, just for the business motivations behind the organization. The third-party will not permit Internet activity or other private system movement to stream into the system.

Ahmad, M.M. and Cuenca, R.P., 2013. Critical success factors for ERP implementation in SMEs. Robotics and Computer-Integrated Manufacturing, 29(3), pp.104-111.

Almorsy, M., Grundy, J. and Müller, I., 2016. An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.

Azhar, S., Khalfan, M. and Maqsood, T., 2015. Building information modelling (BIM): now and beyond. Construction Economics and Building, 12(4), pp.15-28.

Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & management, 51(1), pp.138-151.

Becker, C., Walker, D. and McCord, C., 2017. A systematic literature review on intertemporal choice in software engineering-protocol and results. arXiv preprint arXiv:1701.08310.

Braglia, M. and Frosolini, M., 2014. An integrated approach to implement project management information systems within the extended enterprise. International Journal of Project Management, 32(1), pp.18-29.

Mitigate Legal and Ethical issues

Brender, N. and Markov, I., 2013. Risk perception and risk management in cloud computing: Results from a case study of Swiss companies. International journal of information management, 33(5), pp.726-733.

Chance, D.M. and Brooks, R., 2015. Introduction to derivatives and risk management. Cengage Learning.

Chance, D.M. and Brooks, R., 2015. Introduction to derivatives and risk management. Cengage Learning.

Dulkin, A., Kamanovsky, D., Eilat, Y. and Yair, S.A.D.E., Cyber-Ark Software Ltd., 2017. Correlation based security risk identification. U.S. Patent 9,560,067.

Fuggetta, A. and Di Nitto, E., 2014, May. Software process. In Proceedings of the on Future of Software Engineering (pp. 1-12). ACM.

García-Holgado, A. and García-Peñalvo, F.J., 2014, November. Architectural pattern for the definition of eLearning ecosystems based on Open Source developments. In Computers in Education (SIIE), 2014 International Symposium on (pp. 93-98). IEEE.

Heizer, R. and Barry, R., 2013. Operation Management, Sustainability and Supply Chain management (Vol. 11). Pearson, UK.

Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J. and Rao, H.R., 2014. Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service. Information systems journal, 24(1), pp.61-84.

Hu, Y., Zhang, X., Ngai, E.W.T., Cai, R. and Liu, M., 2013. Software project risk analysis using Bayesian networks with causality constraints. Decision Support Systems, 56, pp.439-449.

Kerzner, H., 2013. Project management: a systems approach to planning, scheduling, and controlling. John Wiley & Sons.

Kitchin, R., 2014. The real-time city? Big data and smart urbanism. GeoJournal, 79(1), pp.1-14.

Kshetri, N., 2014. Big data? s impact on privacy, security and consumer welfare. Telecommunications Policy, 38(11), pp.1134-1145.

Laudon, K.C. and Laudon, J.P., 2013. Management Information Systems 13e.

Lehtinen, T.O., Mäntylä, M.V., Vanhanen, J., Itkonen, J. and Lassenius, C., 2014. Perceived causes of software project failures–An analysis of their relationships. Information and Software Technology, 56(6), pp.623-643.

Lehtinen, T.O., Mäntylä, M.V., Vanhanen, J., Itkonen, J. and Lassenius, C., 2014. Perceived causes of software project failures–An analysis of their relationships. Information and Software Technology, 56(6), pp.623-643.

Marcelino-Sádaba, S., Pérez-Ezcurdia, A., Lazcano, A.M.E. and Villanueva, P., 2014. Project risk management methodology for small firms. International Journal of Project Management, 32(2), pp.327-340.

O'Connor, R.V. and Laporte, C.Y., 2014. An innovative approach to the development of an international software process lifecycle standard for very small entities.

Paternoster, N., Giardino, C., Unterkalmsteiner, M., Gorschek, T. and Abrahamsson, P., 2014. Software development in startup companies: A systematic mapping study. Information and Software Technology, 56(10), pp.1200-1218.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Provos, N., Zhou, Y., Bavor, C.W., Davis, E.L., Palatucci, M., Nigam, K.P., Monson, C.K., Mavrommatis, P. and Nakauchi, R., Google Inc., 2017. Intrusive software management. U.S. Patent 9,563,776.

Punia, S.K., Kumar, A. and Malik, K., 2014. Software development risk management using OODA loop. Int. Journal of Engineering Research and General Science, 2(6).

Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud computing: implementation, management, and security. CRC press.

Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud computing: implementation, management, and security. CRC press.

Šauer, P., Fiala, P. and Dvo?ák, A., 2013, October. Modelling of environmental risk management under information asymmetry. In International Symposium on Environmental Software Systems (pp. 391-402). Springer Berlin Heidelberg.

Schwalbe, K., 2015. Information technology project management. Cengage Learning.

Simchi-Levi, D., Schmidt, W. and Wei, Y., 2014. From superstorms to factory fires: Managing unpredictable supply chain disruptions. Harvard Business Review, 92(1-2), pp.96-101.

Šmite, D., Wohlin, C., Galvi?a, Z. and Prikladnicki, R., 2014. An empirically based terminology and taxonomy for global software engineering. Empirical Software Engineering, 19(1), pp.105-153.

Spillner, A., Linz, T. and Schaefer, H., 2014. Software testing foundations: a study guide for the certified tester exam. Rocky Nook, Inc..

Stol, K.J. and Fitzgerald, B., 2014, May. Two's company, three's a crowd: a case study of crowdsourcing software development. In Proceedings of the 36th International Conference on Software Engineering (pp. 187-198). ACM.

Teller, J. and Kock, A., 2013. An empirical investigation on how portfolio risk management influences project portfolio success. International Journal of Project Management, 31(6), pp.817-829.

Verner, J.M., Brereton, O.P., Kitchenham, B.A., Turner, M. and Niazi, M., 2014. Risks and risk mitigation in global software development: A tertiary study. Information and Software Technology, 56(1), pp.54-78.

Verzuh, E., 2015. The fast forward MBA in project management. John Wiley & Sons.

Völter, M., Stahl, T., Bettin, J., Haase, A. and Helsen, S., 2013. Model-driven software development: technology, engineering, management. John Wiley & Sons.

Zogaj, S., Bretschneider, U. and Leimeister, J.M., 2014. Managing crowdsourced software testing: a case study based insight on the challenges of a crowdsourcing intermediary. Journal of Business Economics, 84(3), pp.375-405.