Development of the ISR3M model for IS risk management evaluation using the Focus Area structure according to the MMDPIS generic process


  • Mina El Maallam
  • Abdelaziz Kriouile



Information system, risk management, Maturity, Maturity model, Focus Area structure.


Risk management (RM) is one of the main pillars of IS governance. However, for this activity to remain a source of profit and cost optimization for the company, it must be evaluated, monitored and improved continuously. Hence the interest in developing an IS risk management maturity model. This paper addresses that need by proposing ISR3M (Information System Risk Management Maturity Model). After a summary of the literature review, it presents the design approach, then describes the model and evaluates it.



How to Cite

El Maallam, M., & Kriouile, A. (2015). Development of the ISR3M model for IS risk management evaluation using the Focus Area structure according to the MMDPIS generic process. Transactions on Engineering and Computing Sciences, 2(6), 106.