The first round of the Delphi study was filled in on time by fourteen of the fifteen participants. One participant was not able to participate because of a lack of time. He noted that he would like to be included in the following round. A summary of the results of this round has been sent to him to provide him with the insights gathered during round 1.
The focus of this round is to identify risks in addition to the ones that have already been identified in the literature study. The survey of round one was divided into three parts and had a combined total of 11 questions. The first part focused on gaining some more demographic information about the participants. Part two included five questions, one for every risk area as defined in the literature study. Participants got the opportunity to add their own risks and to note if they did not agree with any of the proposed risks in each risk area. Part three of the survey offered the opportunity to comment on the identified risk areas. For each risk area the participants were able to note on a five-point Likert scale whether they agreed with the definition or not. When they did not agree with the definition of a risk area, they had the opportunity to propose one themselves. The last question of the survey asked the participants to note on a five-point Likert scale whether they agreed that the list of risk areas is complete or not. The full survey can be found in appendix C, section C.1.
5.4.1 Redefining Risk areas
The participants were asked if they agreed with the defined risk areas and if the proposed risk areas were complete. While half of the participants agreed that the list was complete (7 out of 14), the remaining participants either disagreed or neither agreed nor disagreed with the completeness. The comments given with the scores provide some insight into why participants scored the question low:
“Some risks may overlap, for example: ‘a low number of nodes in a network’ can be classified as a Technology and Security risks.”
“In general they are OK, but I question if this provides any insights based on a lot of the answers as filled in before.”
Based on these comments and other suggestions, the risk areas have been redefined to create less overlap and to be able to provide more insights. In order to achieve this, a new layer has been added to the model. This new layer provides more insight into the topics covered by the different high-level risk areas and provides a method to further categorize risks. Furthermore, this layer aims to create a clearer divide between the high-level risk areas.
The high-level risk areas have been redefined based on the feedback from the participants. The lowest scoring and most controversial risk area, technology risks, has been replaced by two new risk areas: ‘Development’ and ‘DLT platform selection’. These areas in part cover some of the risks previously categorized in the ‘Technology’ risk area. In figure 5.2 the redefined risk area model is presented with its 6 high-level risk areas and 23 newly defined low-level risk areas. These risk areas are proposed to the participants in the second round of the study.
5.4.2 Redefining IT Risks
During the second part of the first round the participants were presented with the list of 26 risks as identified in the literature study. They were asked if they agreed with the list of risks and if they had any additional risks which were not mentioned. While the participants did not disagree with the risks already identified, they provided an additional 110 risks, bringing the total up to 136. This large increase may partly be explained by the varying abstraction level of the identified risks.
In order to decide on an abstraction level for use in this model, guidelines from De Haes et al. (2009, p. 56) are used. Based on these guidelines it has been decided to use a relatively high level of abstraction for the risks in order to retain a manageable number of risks and to be able to provide the best insights from the model. In order to explain the generalizations a description is added to each risk. This brought down the list of risks from 136 to 66 risks divided over the newly defined 23 low-level risk areas. These risks are again presented for validation in the second round of the Delphi study.
Figure 5.2: Redefined two layer model after round 1. Model title: IT Risks of DLT for IoT. High-level risk areas: Strategic, Operational Risks, Security Risks, Legal Risks, DLT platform, Development. Low-level risk areas, in the order they appear in the figure: DLT applicability; Vendor risks; DLT network participants; DLT performance; Data management; Change management; Business continuity; Hardware tampering; Network attacks; Disclosure of sensitive information; Identity and Access management; Regulatory compliance; Contractual compliance; Licensing; IoT specific fit; Consensus mechanism; Data structure; Inter-DLT operability; Smart contract capability; Integration with existing systems; Programmer expertise and skills; Code complexity; Code verification; Change management.