A Data Driven Approach for Information Technology Risk Modelling and Visualization: Integrating ISO 31000 and Monte Carlo Simulation
DOI: https://doi.org/10.30996/jitcs.132669
Keywords: business and cybersecurity continuity, information technology risk management, ISO 31000, Monte Carlo Simulation, quantitative risk analysis, shiny dashboard
Abstract
Information technology (IT) plays a critical role in enhancing organizational efficiency, accelerating decision-making, and strengthening competitiveness. However, as a core infrastructure, IT also introduces various risks that must be managed effectively to ensure business continuity. This study examines IT risk management at Company XYZ by integrating the ISO 31000 framework with the Monte Carlo Simulation method to quantify potential losses from 18 identified risk categories, including system failure, human error, cyberattacks, and natural disasters. To improve the interpretation and communication of risk outcomes, the research employs interactive data visualization using the Shiny dashboard (R). The simulation results show an average expected annual loss of IDR 478 million, with major risks originating from data corruption, backup failures, and cybercrime, while external factors such as earthquakes and fires also have significant impacts. This integrative approach demonstrates how ISO 31000, Monte Carlo Simulation, and interactive visualization can strengthen data-driven and transparent IT risk management for informed organizational decision-making. However, this study is limited to a single organizational case and simulated data assumptions, which may affect the generalizability of the findings.
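The Monte Carlo step the abstract describes, as an added example that is not the study's code or data: each risk is drawn as a Poisson number of events per year with a triangular loss per event, and the simulated annual total is summarized by its mean and tail percentiles. The frequency and severity models, every figure in the register, and the use of Python rather than the R the study uses for its dashboard are assumptions made here, so the output does not reproduce the reported IDR 478 million.

```python
import math
import random
import statistics

# Constructed risk register (not the study's data): expected events per year
# and a triangular loss per event (low, most likely, high) in IDR million.
REGISTER = {
    "data corruption": (0.80, 20, 60, 200),
    "backup failure": (0.50, 30, 80, 250),
    "cybercrime": (0.30, 50, 150, 600),
    "fire": (0.05, 200, 800, 3000),
    "earthquake": (0.02, 500, 2000, 8000),
}

def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(trials=20_000, seed=31000):
    """Simulate years; return (annual totals, mean annual loss per risk)."""
    rng = random.Random(seed)
    totals, by_risk = [], dict.fromkeys(REGISTER, 0.0)
    for _ in range(trials):
        year = 0.0
        for name, (rate, low, mode, high) in REGISTER.items():
            events = poisson(rng, rate)
            loss = sum(rng.triangular(low, high, mode) for _ in range(events))
            by_risk[name] += loss
            year += loss
        totals.append(year)
    return totals, {name: v / trials for name, v in by_risk.items()}

def analytic_mean():
    """Closed-form check: sum of rate * mean of each triangular severity."""
    return sum(r * (lo + mo + hi) / 3 for r, lo, mo, hi in REGISTER.values())

def summarize(totals):
    """Mean and tail percentiles of the simulated annual loss."""
    cuts = statistics.quantiles(totals, n=100)  # 99 cut points
    return {"mean": statistics.fmean(totals), "p50": cuts[49],
            "p95": cuts[94], "p99": cuts[98]}

if __name__ == "__main__":
    totals, by_risk = simulate()
    print(summarize(totals), "analytic mean:", round(analytic_mean(), 1))
    print(sorted(by_risk.items(), key=lambda kv: -kv[1]))
```

With rare, high-impact risks in the register, the median sits below the mean and the 95th and 99th percentiles sit well above it, which is why a single average understates what the rare events contribute.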
Copyright (c) 2026 The Author(s)

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

