IS_Risk_Analysis_Review_VincentBlijleven

Method engineering paper review table
Read the paper, and rate the criteria below as strong / satisfactory / weak (please check the cell that
applies). Please add comments to clarify.
Topic: IS risk analysis based on a business model
Author: Vincent Boekholtz
Reviewer: Vincent Blijleven
Weak | Satisfactory | Strong | Criteria
Overall
x
Are the basic sections (intro,
example, etc.) adequate? If not,
what is missing?
x
Are there any grammatical or
spelling problems?
Reader’s comments
The author provides an elaborate
introduction and a good overview of the
four stages.
I recommend avoiding the usage of words
such as “they’re” or “it’s” as this is
unscientific. Try to rewrite the relevant
sentences.
The first letter of the first words of each
stage should be capitalized. Stage 1: the
organizational investigation → Stage 1: The
organizational investigation.
In addition, what about creating subsections for each stage? Such as 2.1 The
organizational investigation, 2.2 Asset
identification and evaluation, et cetera?
I recommend making better use of
commas. For instance this sentence in the
related literature: “Risk analyses usually
consists of several techniques, such as the
Delphi technique, brainstorming, threat
scenario approach and a statistical
approach, which are described by Rainer,
Snyder and Carr (1991), a paired
comparison, Analytic Hierarchy Process
(AHP), reviewing, interviewing and the
divide and conquer approach.” The slight
overkill of commas makes it difficult to
read. Perhaps the author could divide this
sentence in two parts .
x
Is the writer's writing style
clear?
x
Are the figures created by the
author him/herself?
x
Is the example understandable
and informative?
In the related literature: “They do however
mention …” → “The authors do however
mention …”. The usage of “they” to refer to
authors is not scientific.
The author has a clear writing style. I
would suggest, however, to make use of
indents when starting a new ‘subparagraph’. For instance in the
introduction: “The Information System (IS)
risk analysis … of the business.” A small
indent should be placed in front of the
next sub-paragraph “In the traditional risk
…”.
As far as I can tell, yes.
The author provides an elaborate example.
It contains the most essential information
(not too long & not too short), clearly
getting to the point.
The author also makes good use of
references to other work, such as
Ciechanowicz (1997). This shows the
author possesses the relevant knowledge
of the topic discussed to give a proper
example.
x
Do the authors provide one or
more usable templates with the
example?
x
Is the PDD properly formatted?
I would however mention the role
identified in this method, to know the risk
analyst. This was also explicitly asked for in
the assignment.
Yes.
Yes. However, I recommend not merging
the flows between THREAT, ASSET and
ANNUAL LOSS EXPECTANCY. The reason for
this is as I am not sure whether the
cardinalities (1..*, 0..* & 1..*) are always
applicable, regardless of whether you e.g.
look at ANNUAL LOSS EXPECTANCY from a
THREAT or ASSET perspective.
All activities are properly formatted, the
same goes for the concepts.
x
Does the PDD have a good level
of detail?
x
Are the activity and concept
table informative?
I have one question regarding the role, to
know the ‘risk analyst’. Considering this is
the only role present in this method,
perhaps this role could be removed and
solely mentioned in the beginning of the
third section (PDD), which is what the
author has already done. In other words:
why include information in the PDD if it
doesn’t really make a contribution .
I do not possess a significant amount of
knowledge to decide whether this PDD
contains all the required activities and
deliverables, but as far as I can tell it looks
solid.
Good capitalization of concepts in both
tables.
Proper references in the tables.
I strongly recommend using either shades
of gray or plain white as colours for the
table. The blue colour does not really
contribute to readability.
The concept table looks how it is supposed
to be, namely starting each definition with
“The MISSION …” or “An ASSET …”.
x
x
Does the writer cite sources
adequately and appropriately?
Note any incorrect formatting.
Are there enough references to
other sources?
Are the references properly
formatted?
Nice draft! Good luck with your final version.
I spotted several mistakes:
(Suh and Han, 2003) → (Suh & Han, 2003)
The minimal amount of references (10) is
given, but suffices for the method
described. I am not sure how much related
literature is available on this topic,