Information Technology Risk Analysis and Mitigation Using ISO 31000 and House of Risk (HOR) for SIAK in Western Seram Regency

SIAK stands for population administration information system. It is a computerized system that was established according to administrative service regulations to organize the population administration system in Indonesia, more precisely in the Western Seram Regency. Given the critical function of this application in identifying regional demographic statistics, it is vital to examine potential dangers while also identifying mitigation measures that may be performed to avoid them. ISO 31000 was utilized in the study to map potential hazards for subsequent reduction using the House of Risk (HOR) methodology. According to the findings of this research, there is one danger that falls into the high category, namely the unstable network. Additionally, based on the results of risk mitigation identification, two mitigation steps are identified that can mitigate 60% of existing risks, namely the construction of a particular chamber resistant to natural disasters for critical equipment storage and collaboration with internet providers to ensure stable internet and network connections.


INTRODUCTION
Rapidly evolving and sophisticated information technology and information systems provide dependable options to assist various organizations' tasks. The function of information technology applications has evolved into an unavoidable requirement and a resource on which users may depend to address a variety of difficulties. The Population Administration Information System (Sistem Informasi Administrasi Kependudukan, SIAK) is a web-based information system that is built on procedures and specific standards for the population administration system. Its purpose is to organize the administrative system in the field of population to achieve administrative order and assist Regional Government officers, particularly those at the Population and Civil Registration Office in Western Seram Regency. In terms of population growth, the development of population administration plays a significant role in making sure that the law is clear and protecting people's individual rights. Protective measures come in the form of public services, such as birth certificates and the Population Identification Number (NIK), as well as documents like the Identity Card (KTP), the Family Card (KK), and the Civil Registration Certificates. The rights and basic needs of citizens will be protected by these administrative services, which can help people get important documents that show who they are, how long they have been alive, and other things. The state must do these things because they are essential and must be done (Dwiyanto, 2010).
The regional governments are responsible for recording population statistics in an area through the population administration information system, which begins with the village and sub-district as the starting point for population data collection. The data is then saved in a database that is connected to the internet network on a national scale. The SIAK, which is deployed through the internet network, is harmed by the network's sluggish speed. Apart from these impediments, the SIAK program may operate effectively and in compliance with the established regulations. The shortcomings of traditional data processing may be mitigated with online data management. SIAK provides numerous benefits, including the ability to use the results of statistical data calculation and management to develop and improve policies, strategies, and programs for the implementation of development in the fields of quality, quantity, and population mobility, as well as other development interests (Munarja, 2014).
SIAK plays a critical role mainly because of the sensitivity of the data gathered and inventoried, such as demographic statistics, which is crucial information that cannot be accessed by everyone. Web services eliminate the need for direct data access between applications and the database. Because access is mediated through a web service, the database is not immediately accessible to the outside world. If there is a security hole on the application side, the database cannot be accessed directly. Thus, population data is generally secure in this procedure when compared to apps that link directly to the database.
Nevertheless, every application is subject to a multitude of potential risks that might cause it to perform suboptimally or even crash. A variety of variables internal and external to the program might pose a threat to the application's security. The SIAK application is no different; like any other application, it may be subjected to potential dangers that occur in its environment. Based on these issues, more study is required to detail the many potential hazards as well as the importance of each risk to the firm. The ISO 31000 approach is commonly used to examine the risks that may develop, and it has been extensively employed in past research to identify and categorize risks. Studies that have used this method include Christian and Sitokdana (2022), who conducted a risk analysis of ABC Bank; Manuputty et al. (2022), who conducted a risk analysis on the operational aspects of information technology at PT. Schlumberger Geophysics Nusantara; Ayuningtyas & Tanaem (2022), who conducted a risk analysis of asset security risk management at the Secretariat of the Salatiga City DPRD; Nuris et al. (2021), who conducted a risk analysis of software development projects; and Putri & Syafi'i (2022), who conducted a risk study at PT J&T.
However, the ISO 31000 approach generates very simple outputs and suggestions that are prone to bias; even the recommendations themselves are highly complicated and costly for the corporation or linked entity to implement. This is because each risk will need a unique risk management strategy. Thus, some researchers prefer to combine the ISO 31000 method with other quantitative methods, such as the research of Hardianto & Dharmawan (2021), Aprianto et al. (2020), and Butarbutar & Tanaamah (2021), which combined ISO 31000 with Cobit 5 and FMEA; the studies of Asmarawati & Pangeran (2021), Nugriho & Pangeran (2021), Safitri & Pangeran (2020), and Monica & Pangeran (2020), which combined ISO 31000 with Balanced Scorecard; and the research of Pribadi & Ernastuti (2020), which combined ISO 31000 with FMEA.
Thus, the approach utilized in this research is not restricted to two methods but feeds the ISO 31000 analysis findings into additional quantitative calculations to generate effective mitigation measures while overcoming ISO 31000's inherent complexity. As a result, this research integrates ISO 31000 with the House of Risk (HOR). HOR, which was initially introduced by Pujawan and Geraldin (2009), is a regenerative technique for risk analysis. It employs the FMEA (Failure Mode and Effects Analysis) concept to quantify risk and the House of Quality (HOQ) model to identify the risk agents that must be prioritized first, followed by the most prioritized actions to mitigate the possible hazards caused by risk agents (Purwaningsih et al. 2021; Ikhsan et al. 2021; Utomo & Setiawan, 2021; Munawir et al. 2021).
Furthermore, this paper will be organized as follows. After the introduction, it will be continued with the material and method, then continued with the results and discussion, followed by conclusions and recommendations.

MATERIALS AND METHOD
This study employs a mixed-method approach. This technique is used when concerns about outcomes and processes need to be investigated, and it involves a mix of quantitative and qualitative methods in one study (Figure 1).

Data Collecting and Sample
At this stage, data collection was accomplished via various methods. The first was conducting interviews with the operator and 11 personnel and leaders at the population and civil register office in West Seram Regency who were directly involved with the SIAK application. The second was to spend two months observing business operations and the usage of SIAK software at the population and civil register office in West Seram Regency. The third was to use data from the SIAK application at West Seram Regency's population and civil register office to determine what procedures have transpired.

Analysis Method ISO 31000
ISO 31000 is a standard produced by the International Organization for Standardization (ISO) with the goal of providing universal risk management concepts and practises. According to the International Organization for Standardization (ISO 31000:2009), the risk management process consists of two phases. The first step is risk assessment, which is the process of identifying hazards that might jeopardise the company's ability to achieve its business objectives. There are three steps in the risk assessment stage: risk identification, risk analysis, and risk evaluation. Risk identification is the process of identifying potential risks that could jeopardise the company; risk analysis is the process of determining risks that could prevent the company from achieving its business objectives; and risk evaluation is the process of categorising each potential risk based on its severity level in accordance with established criteria. The next step is risk treatment, during which the researcher narrows down the previously considered dangers. As a result, the potential dangers and their effect might be increased or decreased.

House of Risk (HOR)
The HOR model underpins risk management with a prevention-oriented approach, meaning minimizing the possibility of risk agents occurring. As a result, the first step is to identify risk occurrences and agents. Typically, a single agent may generate many risk events. Adapting the FMEA technique, the risk assessment used is the Risk Priority Number (RPN), which is composed of three factors: chance of occurrence, severity of the resulting effect, and detection. The HOR approach gives probability values to risk agents and severity values to risk events. Due to the possibility of a single risk agent triggering several risk events, it is important to aggregate the risk agent's risk potential.
The House of Quality (HOQ) model is adapted to determine which risk agents should be given priority as a preventative step. Each risk agent is given a rank based on its ARPj value. Thus, if a corporation has many risk agents, it might begin by selecting the agent with the highest potential to create a risk event. The model has two stages and is referred to as the House of Risk (HOR); it is a variant of the House of Quality (HOQ) model (Pujawan & Geraldin, 2009).
1. HOR 1 is used to establish the degree of priority for risk agents that must be addressed as a preventative intervention. Stages in HOR1 include:
1) Identify the risk events (Ei) that may arise.
2) Rate the severity of each risk event on a scale of 1 to 5. Each risk's severity is indicated by Si. In this study, severity is measured by the impact value in Table 5.
3) Identify risk agents (Aj) and assess their probability of occurrence (Oj) (Table 10).
4) Create a correlation matrix between each risk agent and each risk event. The correlation Rij takes the value 0 (no correlation) or 1, 3, or 9 (low, moderate, and strong correlation).
Then compute ARP (Aggregate Risk Potential) using the equation:
2. HOR 2 is used to give priority to the activities that are deemed effective. HOR2 attempts to determine mitigation strategies for supply chain risks in the following stages:
1) Pick high-risk agents to follow up on in HOR2 (Pareto diagram of ARPj). The selected risk agents are displayed in the left column and their ARPj values in the right column.
2) Identify potential risk-prevention activities. These form a row of HOR2 (Preventive Actions, PAk) (Table 11).
3) Correlate each preventative activity with each risk agent (Ejk). An Ejk of 0 shows no connection, whereas an Ejk of 1, 3, or 9 implies a low, medium, or strong association. Ejk also indicates the efficacy of mitigation strategies in minimising risk agent emergence.
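The HOR1 and HOR2 calculations described above, worked through as an added example that is not part of the original paper. It uses the standard House of Risk formulas from Pujawan & Geraldin (2009): ARPj = Oj × Σi(Si × Rij) for HOR1, and for HOR2 the total effectiveness TEk = Σj(ARPj × Ejk) divided by a difficulty score Dk. All names, every number, the 80% Pareto cutoff and the difficulty values are constructed assumptions, not the study's data.

```python
# Added example on constructed data; none of these numbers come from the paper.
SCALE = {0, 1, 3, 9}  # correlation scale the page gives for Rij and Ejk

def _check(matrix, rows, cols):
    if len(matrix) != rows or any(len(r) != cols for r in matrix):
        raise ValueError(f"matrix must be {rows} x {cols}")
    if any(v not in SCALE for r in matrix for v in r):
        raise ValueError("correlation values must be 0, 1, 3 or 9")

def hor1_arp(severity, occurrence, R):
    """HOR1: ARP_j = O_j * sum_i(S_i * R_ij), with R[i][j] for event i, agent j."""
    _check(R, len(severity), len(occurrence))
    return [o * sum(s * row[j] for s, row in zip(severity, R))
            for j, o in enumerate(occurrence)]

def pareto_select(names, arps, cutoff=0.8):
    """Rank agents by ARP; keep the top ones until `cutoff` of total ARP is covered."""
    ranked = sorted(zip(names, arps), key=lambda pair: pair[1], reverse=True)
    total, covered, picked = sum(arps), 0, []
    for name, value in ranked:
        if covered >= cutoff * total:
            break
        picked.append(name)
        covered += value
    return ranked, picked

def hor2_rank(names, arps, E, difficulty):
    """HOR2: TE_k = sum_j(ARP_j * E_jk), ETD_k = TE_k / D_k; highest ETD first."""
    _check(E, len(arps), len(difficulty))
    rows = []
    for k, (name, d) in enumerate(zip(names, difficulty)):
        te = sum(a * row[k] for a, row in zip(arps, E))
        rows.append((name, te, te / d))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed inputs (hypothetical events, agents and actions).
SEVERITY = [4, 3, 5]                 # S_i for three risk events, scale 1-5
AGENTS = ["agent_a", "agent_b", "agent_c"]
OCCURRENCE = [3, 2, 4]               # O_j for each risk agent
R = [[9, 0, 3],                      # R[i][j]: event i vs. agent j
     [1, 3, 0],
     [0, 3, 9]]

def demo():
    arps = hor1_arp(SEVERITY, OCCURRENCE, R)
    ranked, picked = pareto_select(AGENTS, arps)
    chosen_arps = [dict(ranked)[n] for n in picked]
    # E[j][k]: effect of action k on selected agent j; D_k: difficulty (assumed scale).
    E = [[9, 1],
         [3, 9]]
    actions = hor2_rank(["action_x", "action_y"], chosen_arps, E, [3, 4])
    return arps, picked, actions

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Ranking by ETD rather than TE alone is what makes a cheaper action outrank a slightly more effective but harder one.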

ISO 31000
The risk assessment stage is the first step in accordance with the ISO 31000 principles for risk management analysis. Three steps will be carried out at this stage: risk identification, risk analysis, and risk evaluation. These three procedures must be completed in order to proceed to the next step. The first is identifying potential risks to SIAK caused by a variety of elements such as nature/environment, people, systems, and infrastructure. Each potential risk is also assigned a unique identifier (Table 1).
The risk identification approach identified 18 potential hazards arising from natural/environmental, human, system, and infrastructural variables that might harm the business.
Then, the identified risks are evaluated for their effect on the business. Thus, the effect of each potential risk may be detected throughout this procedure (Table 2).
After the potential risks and their associated consequences have been identified, the risk analysis process begins. A table of probability criteria and a table of impact criteria are used in this method as references for the risk analysis process. Table 3 contains the likelihood criteria, or the computed probability values. The likelihood evaluation is split into five categories, each of which indicates the probability of a risk occurring during a certain time period. Table 4 contains the impact values that would apply if the potential risks materialised in the business. Five impact criteria are used in the evaluation, ranging from having no influence to having the greatest impact on the company's success. The identified risks are assigned to the specified impact values one by one.
Table 4. Impact criteria (value, level, description)
1: The risk does not interfere with existing business processes and the company's activities
2 Minor: The risk slightly hinders the company's activities
3 Moderate: The risk of hindering some of the company's activities
4 Major: The risk starts to disrupt service processes and hampers almost all company activities
5 Catastrophic: The risk is very disruptive to overall service processes and stops the company's activities
With the likelihood and impact values established, the next step is to examine each potential risk individually. The likelihood and impact values for each of the 18 potential hazards are calculated one by one using the tables referenced above, and the results are shown in Table 5.
The risk evaluation stage is the final phase in the risk assessment stage. A reference is employed in this procedure in the form of a risk assessment matrix. The matrix is split into three risk categories: low, medium, and high. The risk possibilities identified in the previous phase using probability and impact values will be distinguished again using the current matrix. The risk categories in Table 6 have been mapped according to their probability and effect.

House of Risk (HOR)
Each potential risk will be added into the risk assessment matrix based on its probability and effect, using the mapping from the preceding risk evaluation matrix table. Each probable risk is placed in the risk assessment matrix table according to the probability and effect criteria established before. Then, after entering all possible hazards into the risk assessment matrix in Table 6, the 18 potential risks are classified as high, medium, or low risk based on probability and impact criteria.
The results of the risk evaluation process can be seen in Table 7. Of the 18 possible risks, 17 (Earthquake, Flooding, Thunder, Heavy Wind, Landslide, Hurricane, Lack of competence and knowledge, Human error, Limited number of operators, No job description, Absent (Laziness), Server down, Power outage, Inadequate computers, System maintenance, Restriction access, LAN connection down) are included in the medium level of risk, whereas 1 risk, namely the unstable network, is included in the high level of risk. Furthermore, the results of ISO 31000 will be used as a reference for the House of Risk (HOR) process: the impact value in Table 5 is the source of the severity value for calculating HOR1. The Aggregate Risk Potential (ARP) value for each risk source may be determined from the calculation results at the HOR1 stage (Table 5). The greatest value is at risk with code A7 (Unstable connection), followed by A8 (lack of system infrastructure); A5 (inadequate equipment); A9 (inactive role of NGOs, research institutions, and universities); and A1 (low active involvement of NGOs, research institutions, and universities) (Geographical location). As seen in Figure 2, these four dangers account for 74% of the risks associated with the usage of the SIAK application in Western Seram Regency (Table 8). The HOR2 stage of the HOR strategy focuses on identifying measures that are financially feasible and that the organization is committed to carrying out to address increasing supply chain risk sources (Pujawan and Geraldin, 2009). The HOR2 calculation findings in Table 9 and Table 11 indicate that the most cost-effective and efficient risk reduction approach in this scenario is PA1, which is to construct a specific chamber resistant to natural catastrophes for the storage of critical equipment, followed by PA4, which is to collaborate with internet providers to ensure the stability of internet connections and networks.

CONCLUSIONS AND SUGGESTION
Users may rely on information technology apps to help them solve several problems, and such apps have become an inescapable need. Procedures and standards are adhered to in the Population Administration Information System (SIAK), which is a web-based system. For the sake of administrative order and to help Regional Government officials, particularly those at the Population and Civil Registration Office in Western Seram Regency, it has been designed to organise the administrative system in the population field. It is important to assess possible risks and develop mitigation steps that may be taken to minimise them, given the application's crucial role in producing area demographic information. The House of Risk (HOR) technique was used in the research to identify possible risks that may be reduced using ISO 31000. This study found that the unstable network poses a serious threat, putting it in the "high" hazard category.
The suggestions are the construction of infrastructure and facilities to handle large volumes of data fast, including computers, operators, and their associated equipment, as well as the SIAK Server and e-KTP Recording and Printing Equipment, in conjunction with Telkom for the internet network. This infrastructure affects not only the performance of operators, but also the level of happiness in the surrounding community. Organizers and implementation agencies may work together as a single unit to handle population administration data with the help of SIAK, which is an information system that makes use of modern information and communication technology. Service beneficiaries, in this context, are the focus of the Population Administration Information System's administration. This system's success or failure is directly tied to how well users perceive the advantages they get because of SIAK. This includes ensuring that data and information about the outcomes of population registration and civil registration on a national and regional scale are accurate, complete, current, and easily accessible, and realising systemically exchanged data through a single identifying system while guaranteeing confidentiality.