FUZZY DECISION MAKING OF IT GOVERNANCE
Sung Eui Cho, Sang Hyun Lee
Department of Computer Engineering, Mokpo National University, Jeonnam, Korea
Kyung-Il Moon
Department of Computer Engineering, Honam University, Gwangju, Korea
Keywords: IT Governance, Concerns, Complexity, Fuzzy Logic.
Abstract: IT governance implies a system in which all stakeholders, including the board, internal customers and
related areas such as finance, have the necessary input into the decision making process. IT governance is
the preparation for, making of and implementation of IT-related decisions regarding goals, processes,
people and technology on a tactical or strategic level. But, the concepts of IT governance are broad and
ambiguous which in turn implicate difficult and inaccurate assessments. In particular, the traditional
handling of IT management by board-level executives is that due to limited technical experience and IT
complexity, key decisions are deferred to IT professionals. This paper presents a fuzzy reasoning model for
assessing IT governance complexity based on an extensive literature study. This model can be used for a
good understanding how the concerns of IT governance behave, how they interact and form the behaviour
of the whole system. The model for assessing IT governance is employed to compare how IT governance is
defined in practitioners and Cobit.
1 INTRODUCTION
This paper suggests a collective behaviour model
based on fuzzy reasoning with respect to IT
governance concerns considered important in
literature, and to represent how the concerns should
be really addressed by practitioners and Cobit.
Understanding how the concerns of IT governance
behave, how they interact and form the behaviour of
the whole system can certainly be interesting
through this model. Factors such as concerns (and
the number of them), interaction between concerns,
environment, and IT governance activities can be
equally interesting when studying “self-organized”
IT governance systems, if the aim is understanding.
But when we go about designing, a control system,
we will be guiding its organization and we need to
understand the complexity of the concerns and the
emerging whole. Returning to complex interaction,
we feel a need to attempt relating the system.
2 IT GOVERNANCE
COMPLEXITY PROFILES
Complex system typically has some characteristic
properties, but the extent to which a particular
system exhibits any given property can vary. In this
respect, IT governance complexity is a nonlinear
mapping concept.
2.1 Domain Complexity
The domain complexity denotes a nonlinear function
of what the decisions should consider. It comprises
four complexity variables: goal, processes, people
and technology. Goals include strategy-related
decisions, development and refinement of IT
policies and guidelines, and control objectives used
for performance assessments. Processes include the
implementation and management of IT processes,
e.g. acquisition, service level management, and
incident management. People include the relational
architecture within the organization, and the roles
and responsibilities of different stakeholders. Finally,
IT governance is of course about managing the
132
Eui Cho S., Lee S. and Moon K. (2010).
FUZZY DECISION MAKING OF IT GOVERNANCE.
In Proceedings of the International Conference on e-Business, pages 132-136
DOI: 10.5220/0002984401320136
Copyright
c
SciTePress
technology itself. The complexity variable
technology represents the physical assets that the
decisions consider, such as the actual hardware,
software and facilities.
2.2 Scope Complexity
The scope complexity denotes a nonlinear function
of different impacts implied by each decision. There
is a long term aspect and a short time aspect of every
decision that is made. The scope dimension is used
to differentiate between different levels of decision-
making. Firstly, there are detailed, rapidly carried
out, IT-focused tactic decisions. Examples of tactic
decisions include whether to upgrade a certain
workstation today or tomorrow, how to configure a
user interface that is only used internally, or the
manning of a single IT project.
There also exists top management, low detailed,
business oriented strategic decisions with long
timeline. A strategic decision might consider
whether it is most appropriate to develop an
application in-house or to purchase it off the shelf,
or how the performance of IT processes should be
reported to top management.
2.3 Decision Making Complexity
The decision complexity denotes a nonlinear
function of different steps required to make
decisions within the different domains. This
complexity deals with the relation between IT, and
the models of the reality used for decision making.
Before making any decision regarding e.g. the
outsourcing of a helpdesk function, the organization
must be clearly understood. Facts have to be thought
over and investigated, and transformed into a model.
The model might be a simple cognitive map, present
nowhere else but in the head of the decision-maker,
or a more formalized, abstract model put on print.
This process of analysis and understanding is
denoted the understanding phase. Once the model is
created, the actual decision can be made according
to corporate IT principles, in a timely manner, by the
right individuals, etc. In the IT governance definition,
this is represented by the decision phase, which also
includes planning of how to make the decision.
3 IT GOVERNANCE
COMPLEXITY MODEL
The objective of this section is to understand the
relationship between the complexity profiles and to
construct a fuzzy reasoning model including the
complexity of collective behaviour with respect to
IT governance.
3.1 Relationship between Complexity
Profiles
IT governance is not strict hierarchy. It contains
lateral interactions that enable control to bypass the
hierarchy. However, by focusing on an idealized
control hierarchy it is possible to understand the
nature of this structure. Such a focus will help in
understanding the relationship between this structure
and complex collective behavior. In an idealized
hierarchy all communication, and thus coordination
of activities, is performed through the hierarchy.
Figure 1 denotes a hierarchical network structure. It
describes the content of different statements
identified in literature with respect to IT governance
concerns.
Figure 1: Hierarchical Structure of IT governance.
This structure imposes a limitation (say, network
weight) on the degree of collective behaviours of IT
governance. This can be understood by considering
more carefully the processes of coordination. The
hierarchy is responsible for ensuring coordination of
various concerns of IT governance. Lower levels of
the hierarchy are responsible for locally coordinating
smaller parts of IT governance and higher levels of
the hierarchy are responsible for coordinating the
larger parts of IT governance.
3.2 Fuzzy Reasoning Approach to
Complexity Profiles
Fuzzy rules are usually formulated as IF-THEN
statements, with one or more antecedents connected
to a consequent via operators like AND, OR, etc.
IF (Antecedent
1
) OP (Antecedent
2
) … OP
(Antecedent
n
) THEN (Consequent) (w)
Here n is an integer, OP is standing for operators
like AND, OR, etc., and w
represents a weight value
indicating the importance of a rule. In this study, our
FUZZY DECISION MAKING OF IT GOVERNANCE
133
fuzzy reasoning method is based on two assumptions
as the following.
Every activation of an input fuzzy set is regarded
to be a piece of (fuzzy) concerns supporting the
domain knowledge an expert formulated via
rules and fuzzy sets.
Each piece of concerns should be incorporated
more actively in the decision-making process.
Table 1: Example of 3 steps.
DM
low normal High
Domain 0.86 0.37
Scope 0.77
Accumulation 0.86 1.14
Normalization 0.75 1.00
Decision making DM=DM
normal
/1.00
These assumptions can be implemented in 3 steps,
concerns accumulation, normalization, decision-
making. For example, Table 1 illustrates an
application of 3 steps. The accumulation of the
pieces of concerns produces: DM
low
=0.86, and
DM
normal
=0.37+0.77= 1.14. Normalization of these
values generates: DM
low
=0.75, and DM
normal
=1.00.
The method therefore produces the outcome:
DM=normal. This approach can be also applied to
aggregation of the consequents across the rules, as
there are many different weights indicating the
importance of the rule.
When available computational capabilities are
restricted by equipment size or cost, special attention
should be given to defuzzification process. In these
cases, the computational time must be reduced in
order to improve the system performance. Hence, it
is important to use fast defuzzification methods. As
an alternative, faster and simple methods can be
used such as finding the mean of maxima or by
finding the half-area point. we presents a simple fast
method for computing a centroid approximation by
fitting the fuzzy output area into a triangular shape,
see figure 2.
This approach consists in adapting any output
shape into one single triangle. The computational
time required by this algorithm is reduced with
respect to that of the bisector method. This
approximation gives the exact centroid position for
any cluster shapes having a base length and areas
ratio of 1 to 3. For fuzzy outputs not located at the
origin, the triangular shape maximum position is
located at the maximum output shape position.
When the fuzzy output presents more than one
maximum, the location of the triangle maximum is
computed as the average of maxima.
Figure 2: Output fitting to triangular function.
4 APPLICATION
Table 2 shows the results for these theoretical
complexity variables, i.e. literature’s concerns of IT
governance. The total score for each dimension is
100%. Also, it includes the normalization within
each dimension complexity, explained in previous
section. Related to Domain complexity, twelve rules
are defined in the rule base. We used the normalized
rule weights for fuzzy pieces of IT governance
concerns where many rules apply to the same
conclusion, and used the simple fast defuzzification
method in the previous section.
Table 2: IT Governance concerns according to literature.
Dim. Complexity
Variables
Literature
Concerns
Normal
Domain People 0.37 1.00
Goal 0.26 0.70
Process 0.20 0.54
Technology 0.17 0.46
Scope Strategy 0.70 1.00
Tactics 0.30 0.43
DM
phase
Monitor 0.42 1.00
Decide 0.33 0.79
Understanding 0.25 0.60
The theoretical IT governance concerns show that
the dimensional variables “People”, “Strategic”, and
“Monitor” were most frequently used within the 50
articles and within their dimensions respectively. IT
governance mainly comprises strategic concerns
according to literature. The daily use of IT, all the
operational concerns for bread-and-butter IT are
surely important, but they are not in the scope of IT
governance. Regarding the decision-making phases,
monitoring of IT-related decisions is emphasized.
Technology issues are not the mayor concerns to
ICE-B 2010 - International Conference on e-Business
134
decide upon, and literature rather stresses the
importance of establishing roles and responsibilities,
and an accountability framework that supports the
business goals.
In the Fuzzy DM of IT governance concerns,
there are five parts of the fuzzy DM process:
fuzzification of the input variables, treatment of the
fuzzy pieces evidence, implication from the
antecedent to the consequent, aggregation of the
consequents across the rules, and defuzzification.
Figure 3 only illustrates fuzzy sets for Domain
complexity. The two variables have each been
divided into 3 overlapping sets labeled Low,
Normal, and High. The first vertical line represents a
measurement of Process, which has a membership
level of 0.2 in all the Low, Normal, and High sets,
c.f. (Table 2). The second represents a measurement
of Goal, which has a membership level of 0.26 in all
sets. We can construct fuzzy sets of Scope and DM
complexity in a similar manner. Related to Domain
complexity, 12 rules are defined in the rule base.
Figure 3: Fuzzy sets for Process and Goal in Domain
complexity.
Figure 4 shows the surface plot between input
variables of Domain complexity. Clearly it is
evident from the plot that “People” is more
significant than other input variables. IT governance
concerns in Literature denotes that “Technology” is
less significant than other ones. But, considered as a
whole, “Process” is less significant than other ones,
c.f. (Table 3). In particular, in proportion as “Goal”
rises “Technology” concerns increase. Table 3
illustrates the comparison of values estimated by
using four input variables.
According to the survey with practitioners,
practitioner’s concerns were mainly about IT goal
setting, while IT processes and technology issues
were less stressed. Table 4 illustrates the comparison
of values estimated by our fuzzy model. Here,
“Goal” is more stressed. Table 5 illustrates the
Figure 4: Mapping surface of Domain complexity.
Table 3: Comparison of values by fuzzy model.
Process Goal Technology People Domain
0.2 0.4 0.6 0.8 0.571
0.2 0.6 0.4 0.8 0.571
0.4 0.6 0.2 0.8 0.564
0.4 0.2 0.6 0.8 0.527
0.6 0.4 0.2 0.8 0.564
0.6 0.2 0.4 0.8 0.527
Table 4: Comparison of values by practitioners’ concerns.
Process Goal Technology People Domain
0.2 0.8 0.4 0.6 0.536
0.2 0.8 0.6 0.4 0.536
0.4 0.8 0.2 0.6 0.527
0.6 0.8 0.2 0.4 0.527
comparison of values estimated by our fuzzy model.
The result denotes that there is discrepancy in the
range of the concerns identified in literature. Figure
5 shows the surface plots between input variables of
DM and scope complexity, respectively. For DM
complexity, the nine rules and normalized weights
are included in the fuzzy rule system.
The theoretical concerns showed that the
dimensional variable “Monitor” was more frequently
used within the DM complexity. But, monitoring the
implementation of decisions already made receives
somewhat less attention from the practitioners,
according to the survey. Also, comparing Cobit’s
concerns of IT governance to literature, it showed
that Cobit does support most needs, but lacks in
providing information on how decision-making
structures should be implemented.
Table 5: Comparison of values by Cobit.
Process Goal Technology People Domain
0.8 0.6 0.2 0.4 0.492
0.8 0.4 0.2 0.6 0.492
0.8 0.2 0.4 0.6 0.460
0.8 0.2 0.6 0.4 0.460
FUZZY DECISION MAKING OF IT GOVERNANCE
135
Applied to our fuzzy model, the dimension
variables of DM complexity are almost uniformly
stressed. The relative concerns for the DM
complexity remain a bit more uncertain. The
difference seems to lie in their interconnection
weights (and interactions) between the concerns of
IT governance. For scope complexity, strategic
concerns are most often dealt with, while tactical
concerns are only briefly discussed. The six rules
and normalized weights are included in the fuzzy
rule system.
IT governance mainly comprises strategic
concerns according to literature. According to the
practitioners responding the survey, IT governance
decision making is mainly a strategy issue while
tactical decisions are less important. Similarly, Cobit
spends more effort in discussing strategic concerns
and less on tactical concerns. But, according to the
mapping surface of Figure 5, strategic and tactical
concerns that make up a large collective behaviour
must be correlated and not independent.
Figure 5: Mapping surface of DM and Scope complexity.
5 CONCLUSIONS
This paper presented a framework to understand the
relationship between the complexity profiles in view
of complexity science, and then developed a fuzzy
reasoning model including the complexity of
collective behaviour with respect to IT governance.
It is necessary to understand the exact nature of the
interconnections and how their weights give some
effects on the behaviour of the whole IT governance.
When there are such interconnections and they are
not simple, a complex system can be used. In
particular, IT governance complexity is a fuzzy
concept. Thus, we suggested a fuzzy model for
analyzing IT governance complexity based on an
extensive literature study. IT governance concerns in
literature were mapped onto the framework for this
model, and a comparison study was carried out.
Results showed that the major differences exist
within the concerns of the domain complexity in the
case of Cobit.
REFERENCES
Dahlberg, T., and Kivijärvi, H., 2006. An Integrated
Framework for IT Governance and the Development
and Validation of an Assessment Instrument.
Proceedings of the 39th Hawaii International
Conference on System Sciences.
De Haes, S., and Van Grembergen, W., 2005. IT
Governance Structures, Processes and Relational
Mechanisms – achieving IT/Business alignment in a
major Belgian financial group. Proceedings of the 38th
Hawaii International Conference on system Sciences.
Holm Larsen, M., Kühn Pedersen, M., and Viborg
Andersen, K., 2006. IT Governance – Reviewing 17
IT Governance Tools and Analysing the Case of
Novozymes A/S. Proceedings of the 39th Hawaii
International Conference on System Sciences.
Johansson, E., 2005. Assessment of Enterprise
Information Security – How to make it Credible and
Efficient. Ph.D. Thesis at the Department of Industrial
Information and Control Systems, Royal Institute of
Technology, Stockholm, Sweden.
Ridley, G., et al., 2004. COBIT and its utilization: A
framework from the literature. Proceedings of the 37th
Hawaii International Conference on System Sciences.
Wang, H. F., and Huang, Z. H., 2002. Top-down fuzzy
decision making with partial preference information.
Fuzzy Optimization and Decision Making 1, 161-176.
Warland, C., and Ridley, G., 2005. Awareness of IT
control frameworks in an Australian state government:
A qualitative case study.
Webb, P., Pollard, C., and Ridley, G., 2006. Attempting to
define IT Governance: Wisdom or Folly. Proceedings
of the 39th Hawaii International Conference on system
Sciences.
Yager, R. R., 2002. On the evaluation of uncertain courses
of action. Fuzzy Optimization and Decision Making 1,
13-41.
ICE-B 2010 - International Conference on e-Business
136
