Journal of Information System and Technology Auditing

Risk Assessment in Mega IT Projects Using Fuzzy Logic and Interdependency Modeling

Document Type : Original Article

Authors
1 Associate Professor, Department of Management, Faculty of Social Sciences and Economics, Alzahra University, Tehran, Iran
2 Assistant Professor, Department of Industrial Management and Information Technology, Shahid Beheshti University, Tehran, Iran
Abstract
Mega IT projects consist of multiple interrelated projects managed in a coordinated manner throughout the program lifecycle. While program management aligns efforts across projects, it does not directly manage individual ones. One of the key reasons for failure in such programs is the lack of attention to comprehensive risk management. Risks in IT programs are often interdependent, and their cumulative impact can significantly affect program outcomes. This study introduces a methodology for assessing program-level risks by incorporating inter-risk dependencies and uncertainty through fuzzy logic. A multi-level risk classification is proposed, covering project-level, program-level, and aggregate strategic risks. The methodology integrates Decision Structure Matrix (DSM), fuzzy hierarchical analysis, and Shannon entropy to capture expert judgment and quantify risk weights. The proposed framework was implemented in a modernization project within the Iranian Customs Administration, demonstrating its practical effectiveness in prioritizing risks and enhancing strategic decision-making. The results revealed that environmental risks—those beyond the organization's direct control—were the most critical. This research provides a structured approach for IT program managers to evaluate and rank risks under uncertainty, offering a tool for improving program resilience and success.
Keywords

Volume 1, Issue 1 - Serial Number 1
April 2025
Pages 176-200

  • Receive Date 26 July 2025
  • Revise Date 04 September 2025
  • Accept Date 22 September 2025
  • Publish Date 22 June 2025