Vergleich des Risikoverständnisses in den Disziplinen Wirtschaftsinformatik und Soziologie

Comparison of the risk understanding in the disciplines Information Systems and Sociology

Bachelor Thesis, 2010

59 Pages, Grade: 1,3


Table of Contents


List of Figures

List of Tables

List of Abbreviations

1 Introduction and Organization

2 Understanding of Risk in Sociology
2.1 The concept of risk society from Ulrich Beck
2.2 Risk as a Collective Construct from the Culture
2.3 Risk in the Context of Communications and Systems Theory from Luhmann
2.4 Risk and Governmentality

3 Risks in Information Systems
3.1 Risks in Software Project Management
3.1.1 Definition of Project, Project Risks and Some Categorization
3.1.2 Management Understanding of Risk and their Limitation
3.1.3 Risk Management in Software Projects
3.1.4 Effect of Coordination and Uncertainty on Software Project Performance
3.1.5 Risk Categories and their Effect on Product and Process Performance
3.1.6 Critical Risks in Outsourced IT projects
3.1.7 Risk Factors, Categories and their Observance
3.1.8 Contingency Model of Software Project Risk Management
3.1.9 Risk Perception and Risk Propensity on the Decision to Continue a Project
3.2 Risks in the Field of IT Security
3.2.1 Development and Progress of IT Security: From Past to Present
3.2.2 Categorization of IT Security Threats
3.2.3 Ranking and Perception of IT Threats
3.2.4 Risk Perception: The Technology Threat Avoidance Theory
3.2.5 Risk Perception Amongst Managers
3.2.6 User Participation in IS Security Risk Management
3.2.7 IT Security From an Entrepreneurial Standpoint
3.2.8 Differences in Computer Ethics

4 Comparison of Risk Understanding in Information Systems and Sociology
4.1 Comparison of Risk Characteristics
4.2 The Culture Theory in Information Systems
4.3 Risk Perception, Risk Environment and Risk Transformation

5 Discussion and Outlook

List of Cited Literature


In the sociology of risk, there are two different fields of research: risk objectivism and risk constructivism. The former deals with the actual increase of danger due to greater pressures through new technologies. Risk constructivism deals with the conception, perception and evaluation of risks in the social environment. Beck is a representative of objectivism. In his view, risk is produced by modern society itself. New risks are constantly emerging as a result of technological progress. This means that humans create their own risk environment and must now deal with it.

Luhmann sees risk from a systems theory perspective. A social system is a process of social interactions between acting entities. According to Luhmann, risk only arises when there is communication about it. Furthermore, Luhmann sees the distinction between risk and safety as misleading and illusory. He proposes instead the distinction between risk and danger. Douglas and Wildavsky represent neither an objective nor a constructive notion of risk. They see risk as a collective construct that is shaped by the social context of the respective actors. The perception of risk is a social process. With the help of the grid-group model, a society can be divided into four cultural forms with specific risk-related characteristics. The cultural forms are individualism, hierarchy, fatalism and egalitarianism.

The understanding of risk in information systems is analyzed based on software project management and IT security.

The challenge in software development is to find the best position between costs and performance in order to satisfy both internal and external stakeholders. This is attempted with four approaches to risk management: risk checklists, an analysis framework, process models and risk response strategies. In this connection, it's worth noting that risks are perceived differently. Different risk assessments arise in various countries and at different management levels.

In the area of IT security, the ranking of risks varies between countries. This difference in ranking can be explained with the help of the technology threat avoidance theory, which describes the process by which a technological risk is perceived. The evaluation of the consequences and of the available information plays a role in countering the threat. There are also two sociological components. The first is informal influence: the quantity of information that the environment makes available. The second, normative influence, deals with social norms and demands that are used to counter the risk.

When comparing the notions of risk, one notices that Douglas' cultural approach to risk is transferable to information systems. The social environment influences the risk understanding of the employee and the corporate risk culture. Employee and corporate risk culture influence each other. Furthermore, the different culture forms can be found in information systems.

The various perceptions of risk are due to cultural aspects, amongst other things. Social values, ethics and philosophies influence our understanding of risk. If you combine various approaches such as risk management, security policies and strategies as well as employees' awareness of business risk management culture, another unique culture is created. This culture is influenced by, and interacts with, the surrounding sociological culture.

Keywords: Social risk theory, risk sociology, IT security risk, software project risk

List of Figures

Figure 1: Grid-Group Model

Figure 2: General Contingency Model of Software Project Risk Management

Figure 3: The Categorization of IT Security Threats

Figure 4: Technology Threat Avoidance Model

Figure 5: User Participation in SRM

Figure 6: Comparison of Risk Characteristics

Figure 7: Culture Forms in Information Systems

Figure 8: Influence of Social and Corporate Risk Culture on the Employee

List of Tables

Table 1: Comparison of Sociology with Software Project and IT Security Risk

Table 2: IT Security Risk Transformation

List of Abbreviations

illustration not visible in this excerpt

1 Introduction and Organization

"Nothing happens without risk, but without risk, nothing happens either." This is how the German politician and Federal President Walter Scheel described the situation regarding risk. Today's society is surrounded by risks. Be it the daily crossing of an intersection, driving, or work-related decisions with an uncertain outcome, each person is more or less confronted with significant risks on a daily basis. Businesses must make daily decisions that are associated with risks. Any decision that affects the future is a risk.

In computer science, new technologies are developed and existing technologies are developed further. This brings both new opportunities and new challenges. Hacker attacks, spyware, viruses, spoofing, phishing, social engineering or even greater forces such as fire or lightning surround our information technology (IT) landscape.

Even in project management - or, more specifically, software project management - there are risks of a much different nature. Software projects are high-risk activities, generating variable performance outcomes (Charette 2005, 1-7).

In the following paper, the understanding of risk in sociology and information systems is identified. It is divided into three main points. First, the understanding of risk in sociology is analyzed. Here, we will look at different concepts of risk sociology. We first consider the cultural approach of Douglas and Wildavsky. The culture forms the basic framework of the risk. We then consider the views of Beck and Luhmann. Both representatives see the risk or the increase in risk as being due to the rising number of problems from new technologies. New technologies are a big challenge in the areas of IT security and software project management. Finally, we will analyze the risk perspective from a socio-political point of view. Foucault sees risk as a government strategy for forceful control that results in the society being monitored and managed according to neoliberalist policies. This societal guidance can be transferred to general risk management in the areas of IT security and project management.

The second main point is the understanding of risk in information systems. We will therefore initially consider the project risks. In doing so, we only observe the software project development. Compared to portfolio projects or program projects, software projects have a unique character and are temporary. Risks can be easily analyzed and directly linked with their effects. The effect of coordinating projects is less complex with unique software projects. The second point of view that we look at is the field of IT Security. Technology poses an especially significant risk in this field.

As a final major point, we compare the two views. In doing so, we try to both transfer sociological concepts to information systems and rediscover sociological ideas in information systems. The cultural risk approach plays an important role in this process.

2 Understanding of Risk in Sociology

Sociological risk research describes the relationship between risk and society. From a scientific standpoint, there are two different perceptions in this regard: risk objectivism and risk constructivism. The former deals with the actual increase of danger. This increase in danger is attributed to rising objective pressure through new technologies. Risk constructivism deals with the conception, perception and evaluation of risks in the social environment. Risk is perceived by means of a social filter and evaluated in a social context (Tacke 2000, 1).

Controversial viewpoints create an area of tension between risk objectivism and risk constructivism, but current risk research is attempting to overcome this hurdle. However, the fact is that both theoretical approaches influence the understanding of risk. We will therefore look at different approaches to the sociological understanding of risk in the following paper. We will examine approaches by Ulrich Beck, Mary Douglas and Aaron Wildavsky as well as Niklas Luhmann. In this connection, Beck represents the risk objectivism approach. Douglas and Wildavsky follow a constructive socio-cultural approach to risk.

Ekberg (Ekberg 2007, 348) distinguishes between real and socially constructed risks. The realist notion of risk sees risk as a daily occurrence. Thus, risks can be identified, measured, classified and reproduced. On the other hand, the socially constructed notion of risk assumes that there are no risks as such; only the social analysis of reality comes to light. The cultural theory risk approach according to Douglas, for example, falls into this category. The notion of risk society according to Beck and Giddens contains elements of both approaches.

Ekberg (Ekberg 2007, 3ff) developed a conceptual model that identifies six characteristics of risk society concepts. They include:

1. the ubiquity of risks and the formation of a collective understanding of risk
2. various understandings of risk
3. various definitions of risk
4. the origin of reflexivity as an individual and institutional answer to risk-related questions
5. the inverse relationship between risk and trust
6. the political dimension of risk, which links risks based on power and knowledge with political values

2.1 The concept of risk society from Ulrich Beck

Ulrich Beck, Professor of Sociology at the Ludwig Maximilian University of Munich, is the co-founder of the concept of risk society. In his first work, "Risikogesellschaft" (Beck 1986), Beck defined the concept of risk society. He recognizes societies that are being threatened by major risks. Major risks are summarized as natural risk (natural disasters), radioactivity and social risk (unemployment and globalization). In this connection, risk is created by modern society itself. Beck describes this process as second or reflexive modernity. Unlike first modernity, which took place during the industrial revolution, second modernity sees risks being self-caused on a global level. This is where established problem-solving approaches reach their limits.

This means that humans create their own risk environment and must now deal with it. Due to technological progress, new risks are constantly emerging. Oftentimes, these risks are not even detected by humans. These risks are consciously accepted and tolerated. However, dangers are viewed as a threat. Beck cites the process of individualization as a reason for the emergence of risks. A component of individualization is the individual's transition from heteronomy to self-determination. This individualization process is divided into three dimensions (Beck 1986, 206ff). They include the dimensions of:

1. liberation
2. disenchantment
3. control and reintegration

The liberation dimension is reflected in the "separation from historically prescribed social methods and relationships" (Beck 1986, 206). This means that one can break out of the social structures and group relationships that one is born into. The disenchantment dimension describes "the loss of traditional securities in terms of practical knowledge, beliefs and guiding standards" (Beck 1986, 206). The loss of this security creates a new form of freedom for the individual. The tradition's functions simultaneously lead to a new form of risk. The third and final dimension, the control and reintegration dimension, is the countermovement to the first two dimensions. It serves a compensating function to keep the social structure balanced.

Modern global risks in the era of reflexive modernity can be characterized as (Beck 2009, 3f):

- delocalized,
- unpredictable,
- and non-compensable.

With delocalization, the point of origin and the effect are not geographically bound. Oftentimes, the origin is local and the effects are global. Unpredictability describes the impossibility of foreseeing risks; it is based on missing information and ignorance. Non-compensability is the last feature of global risks. In the first modernity, technological progress and its dangers could still be compensated, for example through increased safety standards in vehicles or manufacturing. However, this assumes that these risks are known. In reflexive modernity, the compensation of risks is replaced by preventive measures and obeisance. One deals with risks that neither predictably nor previously led to losses.

These global risks - such as the financial crisis or global warming - have these attributes. These risks are not limited by space or time (neither in their start nor their duration). From a social point of view, this status means that no allocation of cause and consequence can be carried out. Global risks open a new moral and political space that leads to a culture of civil responsibility. The fact that everyone is vulnerable nowadays and that consequences affect us all describes the multidimensionality of these risks. Add to this the complexity of it all. The financial crisis or global warming can no longer be regulated by individuals, groups or states. They concern the entire world population and must be solved cooperatively. This cooperation means that we need to work with responsible people that, under different circumstances, we otherwise wouldn't have had anything to do with.

Moreover, the concepts of risk/danger and disaster must be differentiated. Risk cannot be put on the same level as disaster. Danger is the anticipation of a disaster (Beck 2006, 4). Only when the danger has occurred does it actually become a disaster.

In connection with the new risks, Beck created the concepts of "new cosmopolitanism" and "organized irresponsibility" (Beck 2009, 5ff). Under new cosmopolitanism, Beck understands that "global risks confront us with the others that are excluded" (Beck 2007). Cosmopolitanism describes the transformation process from the first modernity to the second modernity. The first modernity, with its industrial society, international order and homogeneous national culture, turns into a second modernity in which the traditional problem-solving mechanisms fail (Köhler 2006, 50). With regard to risks, this is how national borders become unimportant and how problems outside of our borders become our own problems. Other people's problems no longer exist because these problems affect everyone. This means that problems must be solved in an international context.

Organized irresponsibility is the situation in which a society cannot adequately handle unforeseeable events, negative consequences and long-term damage even though suitable institutions and control devices exist (Asselt/Vos 2008, 1-2). Science constantly expands the scope of action through new knowledge and ignorance, yet it has no solutions available on how to handle the resulting increase in risks (Münch 2002, 423). As such, damage to the economy is not taken over by the economy itself. Scientists are only responsible for technological opportunities (Yates 2001, 6), but not for their implementation. Society is the laboratory for the outcome of the experiment.

Even our modern institutions of science, politics and business are overwhelmed by the new risks. The social perception of these institutions changes from rational expert institutions to suspect establishments. They are no longer viewed as institutions of risk management but rather as a source of danger. This loss of confidence in the expert system leads to an individualization process, with the result that individuals no longer trust these institutions. However, they have no choice but to trust them.

2.2 Risk as a Collective Construct from the Culture

Douglas and Wildavsky see risk in the context of different groups - this is what fundamentally distinguishes them from Beck. This is expressed in Cultural Theory, where risk is perceived as a collective construct that is shaped by the social context of the respective actors. Thus, the perception of risk is a social process that leads from an objective risk to a subjective perception of risk. Douglas and Wildavsky's basic assumption is that the quantity of risks and potential dangers in modern societies is not individually documented. Selected risks are chosen through the social fabric, and only these are perceived by the individual.

The socio-cultural risk approach involves two lines of research, as discussed below. One is Douglas' description of society's perception of danger (Douglas 1966, 1-12), while the other is the grid-group model (Douglas 2002, 54-69; Douglas 1978).

Douglas understands endangerment as being caused by the cultural view of danger. Culture helps individuals begin to understand risks. Culture purports which consequences and losses from society are assessed in a serious or trivial manner. With this perspective, ethical and moral constructs enter social risk assessment.

The grid-group model (see Figure 1) consists of two dimensions and is used to classify forms of social organization. The grid dimension is the vertical axis and provides information on the regulations of societies. This includes the experience of classifications about set norms, role expectations and functions (Krohn/Krücken 1993, 3). The grid axis provides information regarding the question of whether my social situation is determined by comprehensive rules, or if I have enough freedom to enforce my own behavior.

The horizontal group axis describes the cohesion in the group. It is a measure of the feeling of togetherness that arises in the group. It provides information on whether an individual belongs to an existing social unit, or if they create their own social network (Caulkins 1999, 4ff). This is where a society's degree of differentiation from another society and its distinction in its moral concepts is expressed (Douglas/Wildavsky 1982, 138).

illustration not visible in this excerpt

Figure 1: Grid-Group Model

Source: Adapted from (Caulkins 1999, 5; Schwarz/Thompson 1990, 7; Renn 1991, 8)

These two dimensions can each have high or low values. The resulting fields in the cross-classified table describe four ideal types of cultural forms (Vaughan 2002, 4f): individualism, hierarchy, egalitarianism and fatalism.

In individualism, there is neither strong group bonding nor control through rules. Questions regarding the coordination and resolution of problems are processed according to a market-based solution, without consideration for the individual person. In this context, market-oriented means that the society decides to search for a solution to the risks and sets self-regulating measures on the market. Specific individuals are trusted more than organizations (Lupton 1999, 51). In doing so, no regulatory or controlling authority is used. Even moral values are not included in the solution.


Technical University of Munich

