Original source publication: Capeça, G. e F. de Sá-Soares (2015). Avaliação da Resiliência de Sistemas de Informação. Proceedings of the 12th International Conference on Information Systems and Technology Management—CONTECSI 2015. São Paulo (Brasil).
Evaluation of Information Systems Resilience
Center ALGORITMI, University of Minho, Guimarães, Portugal
Note: Paper translated from Portuguese to English.
Abstract
Over the past years, information systems have become one of the fundamental components of business organizations. Nowadays, almost no organization can survive without an implemented information system that helps fulfill the organization’s objectives. The use of information systems is associated with the use of technological tools, and the growing need to integrate business processes and technology. Those processes are generally supported by information technology as well as users and both constitute the information system of an organization. Given the importance of information systems and technology for businesses, it is important that organizations can foresee what incidents could happen and, if they happen, be able to respond to any accident or incident to avoid major harm within the information systems and hence to the operations of the organization. Thus, it is extremely important that the information systems of organizations be resilient.
To verify if an information system is resilient or not, it is important to define metrics to evaluate it. Therefore, this work in progress aims to develop and validate an instrument to measure the resilience of information systems. The creation of this instrument will enable organizations to diagnose their information systems resilience capability, to assist in the design of improvement programs of that capability and to verify the effectiveness of those programs.
Keywords: Resilience of Information Systems; Resilience; Information Systems; Evaluation; Measurement
In recent times, organizations have been faced with an increasingly complex environment in which their survival is highly dependent on their ability to deal with uncertainties and disruptions of varying magnitudes. Among the challenges that organizations face are technological obsolescence, geopolitical shocks, regulatory and legislative changes and the emergence of new business models. Although organizations are required to demonstrate reactive capabilities in the face of this diversity of challenges, just as important, if not more so, is the need to develop capabilities to anticipate and mitigate risks in an increasingly unpredictable and volatile business environment [Oh and Teo 2009]. This paper argues that one way for organizations to reduce their vulnerabilities to expected or unexpected adverse events is to become resilient organizations. Organizational resilience is understood here as the ability of an organization to recover its basic functions after experiencing any interruption or disruption to its operations [Neaga 2010].
Among the various aspects that contribute to an organization’s resilience, it is worth considering the role played by Information Technology (IT). In fact, the use of IT by organizations has intensified and these technologies have become one of the pillars on which organizations base their business processes. Today, IT supports almost every business strategy, and it is essential that its application be properly aligned with the organization’s strategy [Croteau and Bergeron 2001].
Recognizing the potential of IT to achieve success in organizations, whether by improving the flow of information between processes, reducing bureaucracy or creating comparative advantages [Silva and Ferreira 2006], it is therefore important to ensure that these technologies remain operational even in the presence of adverse situations. However, it is argued that the issue of IT resilience should not be approached in isolation from the resilience of Information Systems (IS). This understanding stems from the fact that IS are conceived as systems which, being made up of people, procedures, data and IT, collect, store, process and distribute information with a view to meeting specific objectives [Turban et al. 1999], embodying an organization’s internal and external information flows [Gouveia and Ranito 2004, p. 24].
To ensure that the information system is properly monitored, protected, secure and available to provide its services and support the organization’s business processes, even in the presence of adverse situations, it is necessary to ensure that it is resilient. Just as IT resilience in an organization should not be seen in isolation from information system resilience, it is also argued that information system resilience is not something isolated within the organization. The resilience of the information system must be framed by the organization’s strategy and the decisions arising therefrom, particularly with regard to choosing the most appropriate technology; defining, designing and redesigning processes; choosing and hiring the best staff; defining and monitoring the desired levels of IS resilience, so that IT and IS help to improve business processes, deliver services effectively and efficiently, mitigate ambiguity and uncertainty in decision-making, and provide ongoing support for the organization’s operations, both in the course of normal situations and in the face of disruptive situations, whether internal or external to the organization.
For an organization to properly manage its resilience efforts, both organizationally and in terms of its IS, it needs to be able to assess its resilience at any given time. In this way, it will first be able to understand the degree to which its capability to be resilient is present, and from there draw elements on which to support initiatives aimed at maintaining or improving that degree. Subsequently, a new assessment will allow it to know how effective those initiatives have been, by undertaking internal benchmarking exercises or even external benchmarking, comparing itself with partner organizations or competitors. Specifically, this assessment of IS resilience would have to take the form of a process for measuring that organizational capability. However, although there are studies that address the issue of IS resilience and the need to assess IS resilience, none of them address the creation of an instrument to measure IS resilience. In fact, by having such a tool, organizations will be able to take precautions in order to anticipate the resolution of issues that have to do with their normal functioning, namely by identifying aspects that require intervention in order to strengthen their resilience capabilities. Similarly, the existence of such a tool would also help organizations to take certain measures after an incident or disaster has occurred, pointing out ways in which organizations can learn to recover their IS more effectively.
The instrument for measuring IS resilience should bring together the dimensions considered critical to the organization’s survival. This instrument should, based on previously identified objectives, establish specific measurable and achievable targets, as well as defining indicators that provide a management vision to support efforts to make the organization resilient from an IS point of view.
Hence, it is considered that the construction of an instrument to measure the resilience of IS is extremely important at the present time, since through this instrument it will be possible to define metrics to determine the extent to which the IS of a given organization are resilient and, consequently, to measure the resilience of the organization itself, opening up perspectives for its improvement.
The purpose of this study will therefore be to create and validate an instrument for measuring IS resilience. The creation of such an instrument should help organizations to measure, i.e., assess the resilience of their IS, identify their critical systems and verify the weaknesses of their IS. To a certain extent, by applying this tool, organizations should be better equipped to predict the occurrence of adverse situations and try to anticipate the resolution of these situations.
Methodologically, this goal will be achieved by meeting the following specific objectives:
Critical analysis of the existing literature on resilience, organizational resilience and information systems resilience;
Characterization of the concept of resilience, organizational resilience and information systems resilience;
Development of an instrument to measure the resilience of information systems;
Validation of the measuring instrument;
Exploration of the evaluation of the measurement instrument in different organizational and cultural contexts.
This ongoing research aims to understand and describe the relationship between organizational resilience and the resilience of information systems and the way in which information systems recover in the presence of a situation that impairs their normal functioning. It also aims to contribute to increasing knowledge about the resilience of information systems. In particular, the aim is to develop a tool to help assess and improve the resilience of information systems in organizations.
Structurally, this article is organized into four sections. After this introduction, the literature on resilience and information systems is reviewed, focusing on the concept of information system resilience, the competing factors for resilience and the assessment of information system resilience. This is followed by an explanation of the process of building an instrument to measure the resilience of information systems. Finally, a set of concluding remarks on this study is included.
Resilience is a relatively new topic in the academic world and has sparked various debates, as shown by the existence of several studies on resilience [Barlach et al. 2008; Bhamra et al. 2011; Catalan and Robert 2011; Carpenter et al. 2001; Chabot 2008; Coutu 2002; Erol et al. 2010; Evans and Steven 2009; Folke 2006; Holling 1973; Park and Sharman 2008; Robert 2010; Seville 2008; Starr et al. 2003; Wang et al. 2010].
The need to investigate and deepen studies on resilience, fundamentally on the resilience of information systems, results from the growing importance that IS assume in the strategy of organizations, given that they are a key element in improving business processes. These systems, generally made up of technological infrastructures, data, applications and people, have the daily task of ensuring that the organization’s information needs are met in the manner and within the timeframes defined, thus enabling these systems to meet the objectives for which they were designed.
Although organizations use IS to improve their operations and obtain benefits from exploiting the services provided by those systems, they are also subject to a wide range of risks, such as those arising from the use of malicious programs, human error, intrusions, inadequate security policies, denial of service attacks, physical and natural accidents, system malfunctions or outdated software [Ahmed and Hussain 2007, p. 7]. Given the role that IS play in organizations, which is to support the business strategy, it is essential that these systems are resilient in order to help the organization survive in the face of adverse conditions.
Given the purpose of this study, it is important to first look at the concept of information systems resilience.
Resilience has been studied in different contexts, such as organizations, communities, ecology, engineering, and information systems. However, there are few studies on IS resilience.
The term resilience is used in various areas of knowledge to address flexibility, the capacity for self-renewal, adaptation to change, among other characteristics related to the aptitude needed to positively overcome adverse and risky situations [Carmona et al. 2013]. In the context of IS, there are studies that address the resilience of information systems, such as those developed by Ahmed and Hussain [2007], Butler and Gray [2006], Dalziell and Macmanus [2004], Haimes [2009], Leveson [2006], Leveson et al. [2006], Madni and Jackson [2009], Park and Sharman [2008], Riolli and Savicki [2003] and Wang et al. [2010]. Based on the studies reviewed, various definitions of the concept of IS resilience were isolated and condensed in Table 1.
Table 1: Definitions of Information Systems Resilience

Although the definitions presented by the various authors are different, they all converge on the ability to recover from incidents in order to minimize losses or damage. In a compilation of definitions suggested by various researchers conducted by Erol et al. [2010], the main characteristics of IS resilience are the ability of the system to respond adaptively to a disturbing event in order to avoid losses; the ability to recover quickly in a period of time and at an acceptable cost, allowing the system to continue to function in order to achieve its objectives, maintaining control over its operation and structure, exhibiting a capacity for self-organization, learning and adaptation. In this way, Barlach et al. [2008] argue that, regardless of the context in which it is used, resilience is related to the ability of an element to return to its normal state after suffering a disruption in its functioning. Thus, although the scope of resilience may vary, its fundamental principle remains the same: the adjustment of an element or system following a disturbance or disruption.
As mentioned, IS resilience is not something isolated within the organization, but must be linked to the organization’s strategy. Given that structure, culture, policy, procedures, the surrounding environment and management decisions are aspects of the organization that can have a direct impact and condition the way in which IT is integrated into the organization [de Sá-Soares 1998, p. 46], and bearing in mind that technologies alone do not add value or contribute to the success of the organization if they are not supporting the organizational systems in an integrated and coherent way with the organization’s objectives and strategy [Foina 2009, p. 19], it is important that the resilience of information systems is seen as one of the constituent and contributory aspects of organizational resilience. For this to happen, a prerequisite is the existence of strategic alignment between Information Systems and Technology (IST) and the organization’s business strategy.
The alignment between IT and the business refers to the application and exploitation of IT, in an appropriate and timely manner, in harmony with the objectives, needs and strategy of the business. To achieve alignment, the organization needs to consider how IT is aligned with the business, as well as how the business could or should be aligned with IT [Luftman 2000]. The search for alignment is a continuous process of adjustments that organizations undertake to achieve the link between business objectives and strategies and IS objectives and strategies, in order to obtain competitive advantages [Affeldt and Vanti 2009].
It follows that it is not enough for IST to be aligned with the business, it is important for the business to understand the importance of IST in helping the organization achieve its objectives. In other words, the business and IST must adapt their strategies together. Therefore, as far as resilience is concerned, it is well-founded that IS resilience will only be useful to the extent that IST is aligned with business strategy, because there would be little or no point in recovering IS following an adverse situation if it contributed little or nothing to the value created by the organization. However, it is also essential to recognize that organizational resilience is largely a function of the resilience of its IS. It is believed that few organizations will be able to show high levels of resilience if they are not able to have an organized aggregate of people, technologies, data and procedures, in other words, an information system, which allows them to respond to interruptions or disruptions in their operation.
Given that the resilience of Information Systems is the ability of IS to adapt to disturbances or adverse conditions and return to their initial state offering the minimum services required for the continuity of the organization’s business, and since the resilience of IS should not be treated in isolation within the organization, or should not be the sole initiative or concern of IT managers, but should be aligned with the business strategy, it is essential that top management is committed to the success of the IS within the organization.
As previously pointed out, this paper argues that IS resilience is not something isolated from the resilience of the organization itself. In fact, it is advocated that IS resilience is integrated into organizational resilience, since an organization aims to be resilient in order to guarantee the uninterruptibility of its business operations.
The Australian National Audit Office [2009, p. 3] lists interrelated activities that work together to prevent and manage a significant business interruption event for an organization, namely:
Business Continuity Management (which includes IT disaster recovery);
Risk Management;
Emergency Response Management and
Incident Management.
The integration of these four activities is seen as a success factor for building organizational resilience, as they offer a strategic, tactical and operational response to a business interruption. The relationship between these fundamental activities is illustrated in Figure 1.

Figure 1: Relationship between Risk, Emergency Response, Incident Management and Business Continuity Management
Source: Australian National Audit Office [2009, p. 2]
Business Continuity Management (BCM) is about developing, implementing and maintaining frameworks, policies, procedures and programs to help an organization manage a business interruption, thereby contributing to strengthening its resilience. The tasks included in BCM assist in preventing, preparing for, responding to, managing and recovering from the impact of the disruption event. BCM focuses on dealing with the negative consequences of an event for the organization and creates opportunities for organizational benefits and gains, in that entities that respond satisfactorily to disruption events can position themselves to recover quickly in the short term and improve their business performance in the medium to long term.
One of the components of an organization’s business continuity strategy is IT disaster recovery. This term is used to describe the operational responses associated with the recovery of IT-based resources. Typically, these resources include information processing computer systems and telecommunications. IT disaster recovery involves defining an overall strategy for the recovery of these resources and the activities required to implement that strategy, including the recovery time for each specific technology component as required by the business, the availability of suitably qualified personnel and the provision of specialized equipment.
Emergency Response Management is an activity that is carried out immediately after an incident has occurred, and can be thought of as the tactical management of the situation. The primary concern of emergency response is the safety of people. This can include evacuating buildings, liaising with the emergency services, starting to assess the damage that has occurred and the implications for management.
Incident Management corresponds to the general management of the incident and includes the strategic decision-making process, involving obtaining information about the incident, deciding that the incident is escalated to business interruption and triggering the procedures set out in the business continuity plan, when this proves necessary. It also involves managing communication with stakeholders, staff and other interested parties.
All organizations face a variety of risks. The best organizational risk management practices are based on adopting a structured and systematic process to identify and treat risks and implement appropriate controls that act to mitigate the effects of disruptive events.
Figure 1 shows that the four activities mentioned are organized to form a response cycle to business interruptions, consisting of incident prevention and operational, tactical and strategic response actions.
An alternative view of the factors that contribute to organizational resilience was put forward by Stephenson [2010], who presented a model of integrated functions that suggests that organizational resilience is the result of the combination of the activities in Figure 2.

Figure 2: Integrated Functions Model
Adapted from Stephenson [2010, p. 41]
From this figure, it can be inferred that the functions of security management, business continuity management, emergency management and crisis management are largely interrelated, and that the effective management of these four functions provides the organization with better risk management. Moreover, an organization that improves its risk management becomes more resilient.
The studies reviewed in this section focus on organizational resilience, specifically on the activities that contribute to the development of an organization’s resilience capability. Underlying these expositions is the idea that an organization’s level of resilience will depend on how well it carries out those activities, either each one per se or by articulating them together.
In view of the above, the proposal for the current study is to look for empirical evidence of the relevance of these activities to the resilience of information systems. In other words, we will try to ascertain whether, in the specific case of IS resilience, the activities mentioned by the authors contribute to this capability, whether these activities take different forms in the case of IS or whether there are other activities or factors that can establish the degree of resilience of an organization’s IS. It is thought that the conclusions of this search could be a first important contribution to this work, namely by creating the basis for the process of evaluating the resilience of information systems.
The resilience of information systems is perceived in this study as an organizational capability. Since the organization is a dynamic entity, interacting with its environment and with the potential to undertake change, it is argued that this capability could (indeed, should) be managed by the organization itself, with the aim of maintaining or strengthening it. In either case, the organization will have to make it possible to assess its degree of IS resilience, because only then will it be able to diagnose the value of that capability at a given time, isolate areas or competencies that will need improvement to increase that value and check to what extent those improvement initiatives have been effective or not.
For an organization to be able to assess itself in terms of IS resilience, it will need to know how to measure this capability. In fact, good administrative practice dictates that all activities carried out should be measured and compared with pre-established targets. The measurement of any complex characteristic usually involves the application of a measuring instrument.
Since the aim of this research is to create an instrument to measure the resilience of information systems, following Madni and Jackson [2009], the development of resilience metrics and indicators is recognized as a fundamental aspect.
The creation of a measuring instrument implies knowledge of the rules for developing this instrument. It also implies knowledge of the subject of measurement.
Another reason for emphasizing that measurement always concerns a particular attribute is to force us to carefully consider the nature of an attribute before attempting to measure it. One possibility is that the attribute does not exist. Another possibility is that the measurement may concern a mixture of attributes rather than just one attribute. This often occurs in measurement adjustments for questionnaires, which tend to count items related to a number of separable attributes.
Considering the definition of measurement, it should be noted that numbers are used to represent quantities. Quantification is concerned with how much of an attribute is present in an object, and numbers are used to communicate quantities. In the same vein, Viswanathan [2005] notes that scientific measurement is made up of rules that allow numbers to be assigned to objects in order to represent quantities of attributes. Or that measurement consists of rules for assigning symbols that (1) represent numerically scaled quantities or (2) define whether objects fall into the same or different categories in relation to a given attribute (classification). One can see here that when we are measuring something, we are assigning numbers to represent a certain quantity and this assignment has to be made according to predetermined rules. In other words, when it comes to measuring, one has to take into account (i) the attributes of the object and (ii) the rules that will guide the measurement.
Firstly, the attributes of objects are measured, not the objects themselves. In turn, rules refer to everything that needs to be done to measure something. The centrality of numbers in the definition of measurement results from several reasons: (a) numbers are standardized media and facilitate communication in science; (b) numbers can be subjected to statistical analysis, and (c) numbers are precise.
For Zanolli [2007], the best approach for selecting appropriate measures is to first define what the organization needs or wants to know, and then choose the appropriate measures. Based on the strategic objectives, it is possible to set specific, measurable, achievable and time-bound targets and define indicators and measures that will give management visibility to achieve these objectives. Each indicator must have a defined purpose and must answer the following questions:
What is the need for this information?
What do I want to achieve with this information?
According to that author, measurements should be used to compare the current situation with the desired situation. Through a comparison, the trend of these measurements is analyzed and the necessary actions are defined to achieve the established objective. In fact, without facts it is practically impossible to develop an improvement process and make decisions in line with the organization’s objectives. Indicators and measurements can tell you how far the organization is from achieving its goals.
It is important to bear in mind that the benefits obtained from taking measurements are the result of decisions made based on the analysis of the data and not just the action of collecting the data. In addition to collecting and analyzing measurements, they must also be disseminated.
An effective measurement and analysis process is of crucial importance for obtaining knowledge about the organization’s real performance. Through measurement, it is possible to obtain answers that are expected to be sufficiently well founded regarding previously identified problems, as well as to discover and seek solutions to new problems in fairly short periods of time.
Hence, to find out to what extent information systems are resilient, it is essential to build a tool to measure this resilience.
In order to continue this work, it is important to plan the research from a methodological point of view. This study will therefore adopt the method for developing measures proposed by Churchill [1979]. Figure 3 shows a sequence diagram of the specific steps to be followed in developing measures, which embody that method.

Figure 3: Method for Developing Measures
Adapted from Churchill [1979, p. 66]
According to this method, the process of developing a measuring instrument begins by specifying the domain of the construct, in this case the resilience of information systems, characterizing the concept and distinguishing it from other related concepts. Next, a sample of items is generated, which should be organized according to the dimensions (attributes) that are supposed to make up the construct. Subsequently, data is collected on the items and the measures are purified based on data analysis. This activity may require revisiting previous steps in the process (clarifying the construct, discarding dimensions, merging dimensions, adding new dimensions or reworking items, for example).
Once the measurements have been purified, more data will have to be collected to assess the reliability and validity of the measurements, steps that, again, could lead to a review of previous phases of the process. Finally, standards or rules are developed for the measurement process.
From a philosophical point of view, a post-positivist perspective is adopted, as it will allow two different research techniques to be used - quantitative and qualitative - but which are believed to complement each other when collecting data. These two techniques offer different ways of validating results and using them in parallel makes the results more reliable.
Once we have a first version of the questionnaire, a pre-test will be carried out to try to assess the validity of the instrument, namely whether the questions presented in the questionnaire are sufficient to guarantee an effective measurement of Information Systems Resilience. We will also try to assess whether the questions are clear, whether the content of each question is sufficient and what recommendations there are for improvement, if any. The pre-test will be validated by a group of IS researchers and a panel of senior professionals from the IS, Risk Management, Organization and Methods and Internal Audit areas. The questionnaire will then be validated by professionals who have responsibility for IT governance and management, as well as by IS, IT, Risk Management and Compliance and Audit professionals.
At the same time, semi-structured interviews will be used to collect narratives from previously selected groups of individuals on the subject under study. Given that this is also a qualitative study, it is felt that it would be more advantageous to carry out a survey of a restricted group of individuals who manage organizations on a day-to-day basis and use IS for decision-making purposes.
The semi-structured interview method is based on drawing up a script, with a set of questions, which is used in the interviews and thus guarantees some consistency between them (since the same script is always used). On the other hand, the script also gives the interviewer and the interviewee freedom to bring up other subjects during the interview, or to ask other questions. The interview script is being drawn up based on the literature review, and is a key element in gathering the opinion of a group of professionals working in this field regarding the creation of an instrument for measuring the resilience of information systems. For this purpose, a purposive sample, or non-probabilistic sample by judgment, will be formed, since in this type of sample the choice can be restricted to individuals who have knowledge and experience on the research topic.
Given the increased support provided by information systems and technology for business processes and the rapid pace at which these technologies are evolving, it can be concluded that information and the systems that support it have become vital elements for organizations. Consequently, a failure in their operation could result in considerable losses for the organization. Organizations must therefore be aware of the risks associated with their information systems and technology and look for ways to guarantee the operational continuity of their organizations in the presence of adverse conditions.
This guarantee will depend on the organization’s capability in terms of the resilience of its information systems and, at the same time, in terms of organizational resilience. The current research identified the need to develop a valid instrument to assess the degree of resilience of an organization’s information systems. To this end, the literature was reviewed and the work to be carried out was organized with a view to creating this instrument.
It is hoped that the metrics defined for each of the dimensions on which the instrument is structured will make it possible to assess the resilience of information systems and help implement policies, methods and procedures that make information systems more resilient. To this end, we will try to apply the instrument for measuring the resilience of information systems in different organizational and cultural contexts.
This work was supported by FCT—Foundation for Science and Technology under Project Scope UID/CEC/00319/2013.
Ahmed, A. and S. Hussain (2007). Meta-Model of Resilient Information System. Master Thesis in Computer Science. Department of Interaction and System Design. School of Engineering. Blekinge Institute of Technology. Sweden.
Affeldt, F. and A. Vanti (2009). Alinhamento Estratégico e Tecnologia da Informação: Análise de Modelos e Propostas para Pesquisas Futuras. Revista de Gestão da Tecnologia e Sistema de Informação 6(2), 203–226.
Australian National Audit Office (2009). Business Continuity Management: Building Resilience in Public Sector Entities, Best Practice Guide. http://www.anao.gov.au/~/media/Uploads/documents/business_continuity_management_.pdf
Barlach, R., P. Curtis, J. Allen, D. White and L. Young (2008). Improving Operational Resilience Process. IEEE International Conference on Social Computing.
Bhamra, R., S. Dani and K. Burnard (2011). Resilience: The Concept, a Literature Review and Future Directions. International Journal of Production Research 49(18), 5375–5393.
Butler, B. and P. Gray (2006). Reliability, Mindfulness and Information Systems. MIS Quarterly 30(2), 211–224.
Carmona, V., Y. Guimarães and L. Rodrigues (2013). Resiliência Organizacional: Uma Meta-Análise da Produção Científica Nacional. Universidade Nove de Julho. Brasil.
Carpenter, S., B. Walker, J. Anderies and N. Abel (2001). From Metaphor to Measurement: Resilience of What to What? Ecosystems 4, 765–781.
Catalan, C. and B. Robert (2011). Evaluation of Organizational Resilience: Application in Quebec. Proceedings of the Fourth Resilience Engineering Symposium, 50–57. Sophia Antipolis(France).
Chabot, P. (2008). An Historical Case Study of Organizational Resiliency within the Arellano-Felix Drug Trafficking Organization. PhD Dissertation. Washington University.
Churchill, G. A. (1979). A Paradigm for Developing Better Measures of Marketing Constructs. Journal of Marketing Research XVI, 64–73.
Coutu, D. L. (2002). How Resilience Works. Harvard Business Review 80(5), 50–52.
Croteau, A. and F. Bergeron (2001). An Information Technology Trilogy: Business Strategy, Technological Deployment and Organizational Performance. Journal of Strategic Information Systems 10, 77–79.
Dalziell, E. P. and S. T. McManus (2004). Resilience, Vulnerability and Adaptive Capacity: Implications for Systems Performance. International Forum for Engineering Decision Making (IFED). Stoos (Switzerland).
Erol, O., J. Sauser and M. Mansouri (2010): A Framework for Investigation into Extended Enterprise Resilience. Enterprise Information System 4(2), 111–136.
Evans, A. and D. Steven (2009). Risks and Resilience in the New Global Era. Renewal 17(1), 44–52.
Foina, P. (2009). Tecnologias de Informação: Planejamento e Gestão, 2ª edição. São Paulo: Atlas.
Folke, C. (2006). Resilience: The Emergence of a Perspective for Social-Ecological Systems Analyses. Global Environmental Change 16(3), 253–267.
Gouveia, L. and J. Ranito (2004). Sistemas de Informação de Apoio à Gestão. SPI - Sociedade Portuguesa de Inovação. Porto (Portugal).
Haimes, Y. Y. (2009). On the Definition of Resilience in Systems. Risk Analysis 29(4), 498–501.
Holling, C. (1973). Resilience and Stability of Ecological Systems. Institute of Resource Ecology. University of Columbia, Vancouver (Canada).
Leveson, N., N. Dulac, D. Zipkin, J. Cutcher-Gersnenfeld, J. Carrol and B. Barrett (2006). Engineering Resilience into Safety-Critical Systems. Massachusetts Institute of Technology.
Luftman, J. (2000). Assessing Business-IT Alignment Maturity. Communications of Association of Information Systems 4, Article 14.
Madni, A.M. and S. Jackson (2009). Towards a Conceptual Framework for Resilience Engineering. IEEE Systems Journal 3(2), 181–191.
Moresi, E. (2000). Delineando o Valor do Sistema de Informação de uma Organização. Ciência da Informação 29(1), 14–24.
Neaga, I. (2010). Managing Knowledge, Complexity and Resilience in Global Enterprise. In Tome, E. (Ed.), Proceedings of 11th European Conference on Knowledge Management, 717–723. Famalicão (Portugal).
Nunnally, J. (1967). Psychometric Theory. McGraw-Hill.
Oh, L. and H. Teo (2009). An Empirical Study of IT-Enabled Enterprise Risk Management and Organizational Resilience. CONF-IRM—International Conference on Information Resources Management.
Park, I. and R. Sharman (2008). Perceived Risk and Resilience in the Face of Natural Disasters: A Study of Hospital. AMCIS—Americas Conference on Information Systems.
Riolli, L. and V. Savicki (2003). Information System Organizational Resilience. Omega 31(3), 227–233.
Robert, B. (2010). Organizational Resilience—Concepts and Evaluation Method. Presses Internationales Polytechnique, Québec(Canada).
de Sá-Soares, D. (2008). Planeamento de Sistemas de Informação: Estudo de Variáveis que Condicionam a sua Estratégia de Execução. Master Thesis. University of Minho. Portugal.
Seville, E. (2008). Resilience: Great Concept but What Does it Mean? Council on Competitiveness—Risk Intelligence and Resilience Workshop, November.
Silva, W. and L. Ferreira (2006). Importância da Auditoria dos Sistemas de Informação na Conformidade das Demonstrações Contábeis.
Starr, R., J. Newfrock and M. Dulurey (2003). Enterprise Resilience: Managing Risk in Networked Economy. Strategy+Business Magazine.
Stephenson, A. (2010). Benchmarking the Resilience of Organizations. PhD Dissertation. University of Canterbury.
Turban, E., E. McLean and J. Wetherbe (1999). Information Technology for Management—Making Connections for Strategic Advantage, second edition. New York: John Wiley.
Viswanathan, M. (2005). Measurement Error and Research Design. Thousand Oaks: Sage Publications.
Wang, J. W., F. Gao and W. H. Ip (2010). Measurement of Resilience and Its Application to Enterprise Information System. Enterprise Information Systems 4(2), 215–223.
Zanolli, J. (2007). Importância das Medições para a Organização. Administração e Negócios, 8 de Março.