Public Service Digital Application Risk Assessment
using Symantec-cobit 5 Framework:
Case Study in Sidoarjo Online Parking System Application
Indra Cahyadi¹ and Erwin Widodo²
¹ Department of Industrial Engineering, University of Trunojoyo Madura, Bangkalan, Indonesia
² Department of Industrial and System Engineering, Institut Teknologi Sepuluh Nopember Surabaya, Indonesia
Keywords: Digital application, risk assessment, public service
Abstract: One of the main strategies in implementing information technology in government is the digitalization of
public services. Digitalization of public services is carried out through the development of information
technology infrastructure networks, management of electronic-based government information systems and
increasing the ability of public officers to use them. The application of information technology risk
management analysis includes identification, measurement and management of risks. Assessment of risk is a
combined process consisting of risk analysis and risk evaluation. This study implements a public service
digital application risk assessment by classifying risks based on the COBIT 5 definition and risk classification
according to the Symantec model framework. The framework is applied to the risk assessment related to the
technical capabilities of the online parking system in the Sidoarjo Regency in Indonesia. Currently, in the
alpha development stage, the risk assessment of the digital parking application is carried out to evaluate and
estimate the level of each identified risk. Based on the framework, risk management analysis of the digital
application shows a total of 54% of risk items are at a medium-high risk level related to human resource
criteria, infrastructure and data information flow.
1 INTRODUCTION
In many countries, there are many challenges and
problems in delivering satisfactory public services—
no exception in Indonesia. Public satisfaction index
surveys of various state institutions have proven that
deficiencies in the delivery of public services in
Indonesia still occur.
Therefore, innovation in every aspect of public
service must be carried out. Good public services will
certainly support faster growth of the community's
standard of life from an economic, social and
educational perspective. Alternative solutions to
simplify the service process include time, cost,
facilities, even procedures and requirements.
One of them is by utilizing the concept of
digitization. The digital transformation since the early
2000s has made the world change so fast. Moreover,
the Covid-19 pandemic forces everyone to switch
from conventional services to social or physical
distancing by being more digital.
The government is also required to carry out a
digitalization system in all lines of public services.
The government is obliged to build an e-government
system from the command centre and strengthen their
communication technology in order to generate
efficiency, effectiveness and productivity while
adhering to the principles of accountability and
transparency in delivering quality public services.
Various legal laws and regulations have been
issued so that the digitalization of public services in
Indonesia can be optimally implemented. The leading
example of digital technology implementation for
public services is reflected in the implementation of
e-Procurement, or the electronic immigration system.
However, it cannot be denied that the process of
digitizing public services in Indonesia is complicated.
Government organizations need to realize that the
application of digital public service technology has a
negative or positive impact, which is caused by
internal and external factors of the organization. The
application of digital public service technology
requires a risk management framework as a
systematic approach that includes processes,
measurements, structures and culture to determine the
best actions related to risks. Standard risk
management methods are no longer suitable for the
specific requirements of public service digitalization.
Therefore, the research question of this paper is: how
can risk be assessed to ensure a successful digital
public service implementation?

Cahyadi, I. and Widodo, E.
Public Service Digital Application Risk Assessment using Symantec-cobit 5 Framework: Case Study in Sidoarjo Online Parking System Application.
DOI: 10.5220/0010794800003317
In Proceedings of the 2nd International Conference on Science, Technology, and Environment (ICoSTE 2020) - Green Technology and Science to Face a New Century, pages 90-95
ISBN: 978-989-758-545-6
Copyright © 2022 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved

The paper is then organized as follows: In Chapter
2, the literature review of digital application and risk
analysis are explained. Chapter 3 deals with the
framework development of risk analysis of digital
public service implementation. In Chapter 4, an
exemplary application of the framework is conducted.
Chapter 5 summarizes the paper and identifies
additional research needs.
2 RESULTS AND DISCUSSION
2.1 Risk Analysis in Digital Public
Service System
The basis of the risk analysis framework development
should meet the specific requirements for
digitalization in public services. The risk lists for
software development and maintenance, information
and communication technology (ICT), and projects do
not completely fit the digital public service system
because the common frameworks are very general
and do not consider various challenges in public
service organizations. Therefore, it is necessary to
create a framework to measure risks in the digital
public service system.
2.1.1 Innovation in Public Services
Efforts to reform the bureaucracy through innovation
in public services are carried out to create a better
government in line with the needs of society and the dynamics
of the progress of the times. It is important because the
dynamics of change must be adequately addressed to
create an orderly state and society. The task of the
bureaucracy is to carry out state obligations to its
people.
One form of innovation is information technology
to facilitate, accelerate and increase transparency,
namely the concept of e-government. As seen in
innovative city development projects in Bandung and
Surabaya, the concept of a smart city cannot be
separated from information and technology facilities
(Wijaya, et al., 2019). It takes regulation and good
cooperation between elements by prioritizing
innovative city principles in providing public services
to the community.
The main triggers for the growth of e-government
can be traced from the history of global development
(Silalahi, et al., 2015), namely: First, the era of
globalization which came earlier than expected has
created many issues such as democratization, human
rights, law, transparency, corruption, civil society,
good corporate governance, free trade, open markets,
and so on that need attention; Second, advances in
information technology, computers and
telecommunications occur very rapidly in which data,
information, and knowledge can be created very
quickly and distributed to all levels of society; Third,
the increase in the quality of life of the people due to
the improved performance of the private industry.
These three factors trigger the growing need for the
use of information technology in government.
2.1.2 Digital Public Service System
The main issue in this innovation era lies in government
administration and public services. The main
principles and strategies for innovation in
government include (Sururi, 2017): integrating
services, decentralizing service delivery, leveraging
partnerships, involving citizens and utilizing ICT.
Those five characteristics of utilizing information and
communication technology are necessary along with
global developments, with the so-called disruption
era. The disruption era brings various impacts on the
government (Schwab, 2017):
a. Technology increasingly enables citizens,
providing new ways to voice their opinions,
coordinating their efforts and possibly
circumventing government scrutiny.
b. Governments become public service centres
evaluated on their ability to provide comprehensive
services most efficiently and individually.
c. The government's ability to adapt to their
competitiveness, so that the government needs to be
transformed into a leaner and more efficient one.
Two main strategies in implementing ICT in
public services are direct services and digitalization of
governance. Direct services are carried out through the
socialization of new systems and procedures to realize
open government. There is an openness of public
information, transparency, public participation,
communication and absorption of public aspirations.
The digitalization of government is carried out
through the development of information technology
infrastructure networks, management of electronic-based
government information systems, e-government,
and increasing the ability of government
officials to use them.
Hopefully, the development of digital public
services will realize a complete system of government
administration application services. The digital system
will contain various information and complaint
services, such as agency or service programs, up to the
budget amount. The application system is also
expected to be able to monitor the performance of
government devices. The community can also carry
out direct supervision through the system. This
innovation is expected to increase budget
effectiveness and efficiency, increase supervision, and
minimize corruption. A more transparent system,
tighter and real-time controls, and changes in work
patterns must be carried out by government officials.
However, the migration process from offline to
online encountered various obstacles in terms of
system and equipment readiness, human resource
readiness, and data readiness. The thing that is most
often encountered is the tendency of resistance from
government apparatus (Choi, et al., 2016). It occurs
because of the change in performance patterns from
manual to electronic-based, which requires many
adjustments. There are still many officials who are not
ready to use digital systems due to technical
incompetence. In addition, non-technical obstacles
such as the employee mindset, disturbed particular
interests, and work habits hinder this migration
process. Thus, in the early stages, there were shocks
for the officials who carried out government activities
or tasks, which when viewed from the choked up the
process of digitizing public services (Maulana, et al.,
2019).
This constraint theoretically is closely related
to the mentality of the apparatus, which still has
the characteristics of the old public
administration. The bureaucracy tends to work in
a secure manner, is slow and is not responsive to
the needs of society. Apart from constraints on
the operator side, there were also obstacles on the
digital application and its infrastructure
development side. The digital application has not
been able to anticipate changes or dynamics in
budgeting and its implementation, as is the
manual system. There was also a weakness in the
network on the infrastructure side that supports
the need for data flow.
2.2 Risk of Digital Public Service
System
The risk analysis of digital application development
can be carried out from various types of
classifications. Risk classification in digital
applications is mostly carried out on user,
communication, market, resource, financial,
technical, managerial risk, application performance,
maintenance, and external factors. In the analysis, the
risk assessment process can be carried out as follows
(Kushagr, et al., 2013):
a. A risk classification framework based on the
impact on the organization, which is divided into
security risk, availability, performance and risk of
regulatory compliance, requirements and policies.
b. A scale assessment that shows gaps between
control needs, technical issues, and business risks.
The risks identified in this framework are
applications, information, infrastructure and
human resources.
In addition, governance requires innovation in
governance and human resource development as the
driving force of government. The competence of
human resources is regarded as an essential point to
encourage a country to innovate. Apart from the need
for investment and technology, skilled human
resources are also prepared to welcome Industry 4.0
(Hecklau, et al., 2017). The risks of implementing
digital systems in public services can be adequately
mitigated and impact various aspects of life,
including the government sector.
2.3 The Framework of Risk Analysis in
Digitalisation of Public Services
This study employs a digital system risk management
by classifying risks based on the COBIT 5 definition
(ISACA, 2019) and risk classification according to
the Symantec model framework (Fauzi, et al. 2018).
The application of information technology risk
management analysis includes identification,
measurement and management of risks related to
technical capabilities. The Symantec framework used
in this paper classifies risk in 4 terms, namely:
a. Performance - where lower-than-expected performance
of the system, application, personnel, or IT as a
whole can reduce productivity or business value.
b. Availability - where information or applications
cannot be accessed due to system failure or natural
disaster, including the recovery period.
c. Compliance - where the handling or processing of
information fails to comply with regulatory, IT or
business policy requirements
d. Security - where information can be changed,
accessed or used by irresponsible parties.
Once the classification is obtained, the analysis
continues by giving a value for each identified risk
based on the frequency of occurrence of an event and
its impact on a system. The likelihood assessment is
used to predict the likelihood of the risk being
analyzed. The impact assessment is employed to
determine the size of the risk to the system.
2.4 Exemplary Application of the
Framework
The framework is implemented to assess the risks in
the online parking system application, SPON, in
Sidoarjo Regency, Province of Jawa Timur,
Indonesia. Risk assessment is a combination process
of risk analysis and risk evaluation. Risk assessment
of the risks that occur in SPON is carried out to
evaluate and estimate the level of risk of each
identified risk.
The framework above is used to assess the risk of
SPON in improving the quality of public services in
Sidoarjo. However, based on the literature study
above, the SPON application can pose risks to
stakeholders and users of parking facilities in
Sidoarjo. To anticipate this risk, it is necessary to
analyze SPON technology's risk management, which
includes hardware, software, and brain ware.
After determining the values for likelihood and
impact, an assessment is carried out on each risk
classification defined in the previous process. Table 1
shows the scores given to the SPON application based
on the defined likelihood and impact levels of risk.
Table 1: Likelihood and Impact Assessment of SPON pre-Alpha build

| Risk | Risk Identification | Occurrence | Impact |
|---|---|---|---|
| Digital application | Threat from external apps | Rare | Medium |
| Digital application | Malicious code | Rare | High |
| Digital application | Network congestion | Likely | High |
| Digital application | Crashed system | Likely | High |
| Information | Database failure | Possible | High |
| Information | Data forgery and fraud | Possible | Medium |
| Infrastructure | Physical damage | Rare | Medium |
| Infrastructure | Hardware failure | Rare | Low |
| Infrastructure | Electricity outage | Rare | Medium |
| Infrastructure | Force Majeure | Rare | High |
| Users | Unauthorized access | Unlikely | High |
| Users | Authorization position abuse | Rare | High |
| Users | Human resources competencies | Likely | High |

Risk evaluation is carried out by applying the x
and y graph mapping process that illustrates the
relationship between the likelihood or frequency of
events and the impact caused by each risk that occurs.
The values obtained from Table 1 are used for the risk
distribution mapping process of the SPON
application. The spread of risk based on the measured
likelihood and impact can be seen in the following
graph:
Figure 1: Risk Distribution Graph from Applications based
on Likelihood and Impact values
The results of the risk distribution mapped in the
graph above are classified according to the risk
evaluation matrix, which can be seen in Figure 2.
Figure 2: Risk Evaluation Matrix of SPON Application (5 x 5 grid, axes Likelihood and Impact scaled 1 to 5, with risks R1 to R13 placed in its cells)
Table 2 below shows the converted matrix based on
the results of risk identification.
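Table 2. Evaluation of Risk Level of SPON Application alpha build version

| Risk | Risk Identification | Risk level |
|---|---|---|
| Digital application | Threat from external apps | Low |
| Digital application | Malicious code | Low |
| Digital application | Network congestion | High |
| Digital application | Crashed system | High |
| Information | Database failure | Medium |
| Information | Data forgery and fraud | Medium |
| Infrastructure | Physical damage | Low |
| Infrastructure | Hardware failure | Low |
| Infrastructure | Electricity outage | Low |
| Infrastructure | Force Majeure | Medium |
| Users | Unauthorized access | Medium |
| Users | Authorization position abuse | Low |
| Users | Human resources competencies | High |
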
The risk analysis results from Table 2 show that of
the 13 risk groups in the SPON application, 23% of
the identified risks have a high-risk level, while 31%
of the risks have a moderate level, and 46% of the
risks have a low level. From the results of the overall
risk analysis, the application has a high
implementation risk. Therefore, it is necessary to
improve all application components, including
hardware, software, and brain ware, to minimize the
SPON’s risk of implementation and ensure SPON
security and sustainability.
The risk management analysis study shows that a
total of 54% of risk items are at medium-high risk
levels related to the criteria for human resources,
infrastructure and data/information flow. Therefore,
the chances of the successful implementation of
SPON at this time depend on the commitment to
develop further aspects of Hardware, Software and
Brain ware.
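The percentages quoted above can be recomputed from Table 1 and Table 2. The following Python is an added example, not part of the paper: it tallies the risk levels, groups the Medium and High items by category, and lists any occurrence/impact label pair that appears with more than one risk level. The identifiers R1 to R13 (assigned here in table order) and all function names are assumptions.

```python
from collections import Counter, defaultdict

# Rows transcribed from Table 1 (occurrence, impact) and Table 2 (risk level).
# The ids R1..R13 are assigned in table order; that numbering is an assumption.
REGISTER = [
    # id, category, risk, occurrence, impact, level
    ("R1", "Digital application", "Threat from external apps", "Rare", "Medium", "Low"),
    ("R2", "Digital application", "Malicious code", "Rare", "High", "Low"),
    ("R3", "Digital application", "Network congestion", "Likely", "High", "High"),
    ("R4", "Digital application", "Crashed system", "Likely", "High", "High"),
    ("R5", "Information", "Database failure", "Possible", "High", "Medium"),
    ("R6", "Information", "Data forgery and fraud", "Possible", "Medium", "Medium"),
    ("R7", "Infrastructure", "Physical damage", "Rare", "Medium", "Low"),
    ("R8", "Infrastructure", "Hardware failure", "Rare", "Low", "Low"),
    ("R9", "Infrastructure", "Electricity outage", "Rare", "Medium", "Low"),
    ("R10", "Infrastructure", "Force Majeure", "Rare", "High", "Medium"),
    ("R11", "Users", "Unauthorized access", "Unlikely", "High", "Medium"),
    ("R12", "Users", "Authorization position abuse", "Rare", "High", "Low"),
    ("R13", "Users", "Human resources competencies", "Likely", "High", "High"),
]


def level_distribution(register):
    """Return {level: (count, percent rounded to a whole number)}."""
    counts = Counter(row[5] for row in register)
    return {lvl: (n, round(100 * n / len(register))) for lvl, n in counts.items()}


def share_at_or_above_medium(register):
    """Percentage of items rated Medium or High."""
    hits = [row for row in register if row[5] in ("Medium", "High")]
    return round(100 * len(hits) / len(register))


def elevated_by_category(register):
    """Group the ids of Medium/High items by risk category."""
    out = defaultdict(list)
    for rid, cat, _risk, _occ, _imp, lvl in register:
        if lvl in ("Medium", "High"):
            out[cat].append(rid)
    return dict(out)


def ambiguous_pairs(register):
    """Occurrence/impact label pairs that appear with more than one level."""
    seen = defaultdict(lambda: defaultdict(list))
    for rid, _cat, _risk, occ, imp, lvl in register:
        seen[(occ, imp)][lvl].append(rid)
    return {pair: dict(lv) for pair, lv in seen.items() if len(lv) > 1}


if __name__ == "__main__":
    print(level_distribution(REGISTER))
    print(share_at_or_above_medium(REGISTER))
    print(elevated_by_category(REGISTER))
    print(ambiguous_pairs(REGISTER))
```

With the tables as printed, the only pair flagged is Rare/High, which carries Low for R2 and R12 and Medium for R10.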
3 CONCLUSIONS
The current version of the SPON application is
technically still far from feasible. Assessment of the
level of risk that tends to be high requires more
attention from the developer and related stakeholders.
Meanwhile, the preferences of the Sidoarjo people
who tend to accept SPON applications as a substitute
for conventional parking services should be a trigger
for developers to improve the convenience of using
the application. All these aspects must be fulfilled to
improve and provide high-quality public services,
especially the services provided by the Transportation
Agency of Sidoarjo Regency.
REFERENCES
Choi, H., Park, M. J., Rho, J. J., & Zo, H., 2016, Rethinking
The Assessment of E-government Implementation in
Developing Countries from The Perspective of The
Design–reality Gap: Applications in The Indonesian
E-procurement System, Telecommunications Policy, Vol.
40, No. 7, 644-660.
Fauzi, R., Supangkat, S. H., Lubis, M., 2018, The PDCA
Cycle of ISO/IEC 27005: 2008 Maturity Assessment
Framework, International Conference on User Science
and Engineering, Springer, 336-348.
Hecklau, F., Orth, R., Kidschun, F., Kohl, H, 2017, Human
Resources Management: Meta-study-analysis of Future
Competences in Industry 4.0, Proceedings of the
International Conference on Intellectual Capital,
Knowledge Management & Organizational Learning,
163-174.
ISACA, 2013, COBIT 5 for Risk, ISACA, Illinois.
Kakkar, K., Shah, R., Kakkar, M, 2013, Risk Analysis in
Mobile Application Development, Confluence 2013:
The Next Generation Information Technology Summit
(4th International Conference), IET, 429-434.
Maulana, R. Y., Bafadhal, F., Firmansyah, A., 2019,
E-Government Implementation: The Concept of
Innovative Transformation of Leadership and Public
Officials’ Capacities in Indonesian Open Government
(The Case of Evaluating E-Government Utilization in
Government Information Management in Jambi
Province), SSRN 3497307.
Schwab, K., 2017, The Fourth Industrial Revolution,
Currency.
Silalahi, M., Napitupulu, D., Patria, G., 2015, Kajian
Konsep dan Kondisi E-Government di
Indonesia. Jupiter, Vol. 1, No. 1.
Sururi, A., 2017, Inovasi Kebijakan dalam Perspektif
Administrasi Publik Menuju Terwujudnya Good Public
Policy Governance,
https://osf.io/preprints/inarxiv/6djph/download.
Wijaya, A. A. M., Sa’ban, L. A., Mayunita, S., 2019,
Collaborative Governance to Evolve Smart City in
Local Governments, Proceeding of ICOGISS 2019,
275-286.