Information System Security Risk Analysis Using the Annual Loss Expectancy (ALE) Method (Case Study: Website of the Information Systems Department, UPN “Veteran” Jawa Timur)

Authors

  • Indi Ariyanti Sardi, UPN Veteran Jawa Timur
  • Rania Nurbaity Winarno, UPN Veteran Jawa Timur
  • Riska Febriana Rahmawati, UPN Veteran Jawa Timur
  • Agung Brastama Putra, UPN Veteran Jawa Timur
  • Rizka Hadiwiyanti, UPN Veteran Jawa Timur
  • Amalia Anjani Arifiyanti, UPN Veteran Jawa Timur

DOI:

https://doi.org/10.59934/jaiea.v5i2.2024

Keywords:

Annual Loss Expectancy (ALE), Information Security, Return on Investment (ROI), Risk Analysis, Web Information System

Abstract

The development of information technology in higher education institutions poses significant security risks to digital assets, including the Department of Information Systems website at UPN “Veteran” Jawa Timur. This study aims to identify, analyze, and evaluate information security risks using the quantitative Annual Loss Expectancy (ALE) method. This method measures risk based on the parameters of Asset Value (AV), Exposure Factor (EF), and Annualized Rate of Occurrence (ARO). The analysis was conducted on four main risk categories: service disruption, device damage, data loss, and system security threats. The results of the study show that information system security threats have the highest potential loss of IDR 81,750,000 per year. After simulating mitigation measures, the annual loss value (ALE Projected) decreased dramatically in all categories. The investment feasibility evaluation using Return on Investment (ROI) resulted in a ratio above 2:1 for all categories, with the highest value of 3.10 in handling security threats. This shows that the proposed security investment is very feasible to implement in order to ensure the continuity of academic services and protect the department's information assets.

Published

2026-02-15

How to Cite

Indi Ariyanti Sardi, Rania Nurbaity Winarno, Riska Febriana Rahmawati, Agung Brastama Putra, Rizka Hadiwiyanti, & Amalia Anjani Arifiyanti. (2026). Information System Security Risk Analysis Using the Annual Loss Expectancy (ALE) Method (Case Study: Website of the Information Systems Department, UPN “Veteran” Jawa Timur). Journal of Artificial Intelligence and Engineering Applications (JAIEA), 5(2), 2834–2839. https://doi.org/10.59934/jaiea.v5i2.2024