www.elsevier.com/locate/dsw
Decision Support Systems 40 (2005) 235–255
Fuzzy decision support system for risk analysis in
e-commerce development
E.W.T. Ngai*, F.K.T. Wat
Department of Management and Marketing, The Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong,
People’s Republic of China
Received 1 December 2001; accepted 1 December 2003
Available online 14 March 2004
Abstract
This paper describes the development of a fuzzy decision support system (FDSS) for the assessment of risk in e-commerce
(EC) development. A Web-based prototype FDSS is designed and developed to assist EC project managers in identifying
potential EC risk factors and the corresponding project risks. A risk analysis model for EC development using a fuzzy set
approach is proposed and incorporated into the FDSS. The results of an evaluation indicate that the prototype performs to
expectations.
D 2004 Elsevier B.V. All rights reserved.
Keywords: Electronic commerce; Fuzzy decision support system; Fuzzy set; Risk analysis
1. Introduction risk. An important step in advancing our knowledge
E-commerce (EC) is ‘‘a modern business method-
ology that addresses the needs of organizations, mer-
chants, and consumers to cut costs while improving
the quality of goods and services and increasing the
speed of service delivery. The term also applies to the
use of computer networks to search and retrieve
information in support of human and corporate deci-
sion making’’ [21]. It has been adopted widely in most
enterprises.
Although EC offers various business opportuni-
ties, EC development is plagued by various kinds of
risk and risk management is necessary to avoid these
problems. Indeed, a task that is critical to the proper
management of EC development is the assessment of
0167-9236/$ - see front matter D 2004 Elsevier B.V. All rights reserved.
doi:10.1016/j.dss.2003.12.002
* Corresponding author. Fax: +86-2765-0611.
E-mail address: [email protected] (E.W.T. Ngai).
requires that we understand and address these risks.
According to Leung et al. [26], most project manag-
ers worry about the time involved in risk management
when it comes to identifying and assessing risks.
However, with the aid of computers and the use of
software systems, the time for risk analysis can be
significantly reduced. Risk analysis can be conducted
by using the theory of probability, which estimates
the likelihood and consequences of any given risk.
EC development is relatively new to most companies,
and only limited information is available on the
associated risks. The application of fuzzy set theory
(FST) to risk analysis seems appropriate, as such
analysis is highly subjective and related to inexact
and vague information. There is a need to design and
develop a fuzzy decision support system (FDSS) to
assist EC practitioners to evaluate the risks associated
with EC development.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255236
This paper describes the research and development
of a FDSS that can be used to effectively support EC
project managers in conducting risk assessment in EC
development. The motivation for the present work is
the recognized absence and need for such system that
help in the evaluation of a company’s risk level and
provides an overall risk evaluation of EC development.
2. Literature review
2.1. Definitions of risks associated with EC
development
The concept of ‘‘risk’’ became popular in econom-
ics during the 1920s. Since then, it has been success-
fully used in theories of decision making in economics,
finance, and the decision science. The Merriam-Web-
ster [48] dictionary defines risk as the ‘‘possibility of
loss or injury’’ or ‘‘someone or something that creates
or suggests a hazard’’. At present, there is no agreed
upon universal definition of EC risk but information
security is a widely recognized aspect of EC risk [44].
Greenstein [17] views risks associated with EC as the
possibility of loss of confidential data or the destruc-
tion, generation, or use of data or programs that
physically, mentally or financially harms another party,
as well as the possibility of causing harm to hardware.
Mceachern [29] uses the term ‘‘cyber risk’’ to define
any risk associated with EC, including, for example,
Web site destruction and manipulation, unauthorized
access to customer records, Internet fraud, telecommu-
nications theft, copyright infringement and denial of
access. On the other hand, Viehlandm [44] focuses on
managing business risk in EC. He defines EC risk as
the likelihood of a negative impact to organization
itself when developing or operating EC strategy. In this
paper, risks associated with EC development are the
risks of direct or indirect loss to the organization in
development an EC project, which refers to any project
that involves development stages as planning, analysis,
design and implementation of an EC system.
2.2. The significance of fuzzy risk analysis for EC
development
Through using EC, companies are able to connect
with their trading partners for ‘‘just in time produc-
tion’’ and ‘‘just in time delivery’’, which improves
their competitiveness globally. Although EC offers
great opportunities, there is no doubt that EC devel-
opment involves many risks. In this study, we do not
intend to present risks to EC only but also risks that
EC development shares with traditional systems. Ev-
ery EC development is linked to a different degree of
risk. However, most companies do not identify and
assess EC-related risk. EC development has a lot in
common with IT project development. Many IT and
EC development cannot be completed on-time and
on-budget [39]. Proper risk management is an essen-
tial element of project success [39] because without
appropriate risk management it fails to achieve sig-
nificant return on investment or defensive/competitive
purpose. One of the important phases in risk manage-
ment is risk analysis, which involves a process of risk
identification and risk assessment. Proper risk assess-
ment can enhance the chance of successful project
implementation [1]. McDonald [28] and Stoehr [39]
point out that companies need to perform a risk
analysis before engaging EC development.
2.3. Fuzzy risk analysis research
The techniques of risk analysis are powerful tools to
help people manage uncertainty. Thorough risk anal-
ysis estimation and evaluation can provide valuable
support for decision making. There are many risk
analysis techniques currently in use that attempt to
evaluate and estimate risk. These techniques can be
either qualitative or quantitative depending on the
information available and the level of detail that is
required [4]. Quantitative techniques rely heavily on
statistical approaches, which include Monte Carlo
Simulation [49], Fault and Event Tree Analysis
[4,49], Sensitivity Analysis [49], Annual Loss Expec-
tancy [35], Risk Exposure [5], Failure Mode and
Effects Analysis [49], etc. On the other hand, qualita-
tive techniques rely more on judgment than on statis-
tical calculations such as Scenario Analysis [35], FST
[35], etc. Quantitative and qualitative techniques have
their own advantages and disadvantages. Among these
techniques, the application of FST to risk analysis
seems appropriate, as such analysis is highly subjec-
tive and related to inexact and vague information.
Since FST was introduced by Zadeh [51] to deal
with problems in which vagueness was present, lin-
Table 1
Fuzzy risk analysis applications
Research area Description References
Information technology
Database gateway processor Applies basic concepts of fuzzy logic modeling to risk analysis in database gateway systems. [30]
Information security Presents a methodology for the modeling of the risk analysis process within a computing facility. [10]
Software development Applies FST to evaluate the rate of aggregative risk in software development. [23]
Environmental
Natural hazards Employs fuzzy methods to calculate the risk of release, exposure to, and consequence of
natural urban hazards.
[19]
Ground water nitrate
risk management
Presents a nitrate risk-management methodology using fuzzy sets in combination with a
multi-criterion decision-making (MCDM) technique to assist decision makers in evaluating,
with uncertain information, possible regulatory actions along with the various nitrate
risk-management strategies to determine an appropriate strategy.
[25]
Hazardous materials Provides an application of fuzzy logic to the risk assessment of the transport of hazardous
materials by road and pipeline to evaluate the uncertainties that affect both individual and
societal risk estimates.
[7]
Engineering
System failure Presents a fuzzy logic-based technique for prioritizing failures for corrective actions in a
Failure Mode, Effects and Criticality Analysis. The method allows the analyst to evaluate
the risks associated with item failure modes directly by using the linguistic terms employed
in the criticality assessment. Ambiguous, qualitative, or imprecise information, as well as
quantitative data, can be used in the assessment.
[8]
Construction Outlines an approach to the assessment of construction project risk by linguistic analysis
using FST.
[40,50]
Civil Involves fuzzy set representations of structural damage and related safety analyzes in civil
engineering.
[32,36,41]
Others
Bank Develops a fuzzy set approach in planning system for liquidity management in bank industry. [15]
Tourism Applies a fuzzy multiple criteria decision-making method to conduct an evaluation of tourist risks. [42]
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 237
guistic values have been widely used to approximate
reasoning. Numerous studies of FST in risk assess-
ment have appeared in different areas, and are sum-
marized in Table 1. FST has been effective in such a
variety of areas because it can handle inexact yet
useful information.
2.4. Fuzzy weighted average
An operation commonly used in risk and decision
analysis is the weighted average operation [20], which
takes the following form:
�W ¼
Xni¼1
Wi � Ri
XnWi
i¼1
where W̄ is the weighted average of ratings, Ri is the
rating according to criterion i, and Wi is the weight
assigned to criterion i. When the terms Ri and Wi are
represented by fuzzy sets or fuzzy numbers, the above
operation is referred to as a fuzzy weighted average
(FWA). Bass and Kwakernaak [3] were amongst the
earliest researchers to determine the ranking of mul-
tiple alternatives with this weighted average. Later,
Schmucker [37] used the FWA to propose an approx-
imate numerical method known as the ‘‘Fuzzy Risk
Analyzer’’. Furthermore, many applications such as
Refs. [40,50] follow Schmucker’s procedure, and it is
widely applied in risk analysis, particularly in relation
to construction projects. However, Dong et al. [13]
have shown that Schmucker’s discretization method
can give quite irregular and incorrect membership
functions because information is lost in the process
of ensuring its convexity. They introduced the DSW
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255238
algorithm [13] as an alternative, and dealt with the
problem through interval analysis and alpha-cut rep-
resentations of fuzzy sets. Later, Dong and Wong [12]
employed a simple, efficient, and systemic method to
develop an FWA algorithm based on the DSW algo-
rithm. The FWA algorithm has been widely adopted in
civil engineering, especially in damage assessment
such as [32,36,41].
However, as this algorithm requires O(2n) compar-
isons and arithmetic operations, Liou and Wang [27]
suggested an improved fuzzy weighted average algo-
rithm (IFWA), whilst Lee and Park [24] proposed an
efficient fuzzy weighted average algorithm (EFWA).
In the present study, a risk assessment model based on
the fuzzy weighted average of FST will be used to
calculate the overall risk faced by EC projects. The
EFWA algorithm is used because it can reduce the
number of comparisons and arithmetic operations to
O(n log n) rather than O(n2), as is the case with the
IFWA [27].
Fig. 1. FDSS development methodology framework.
3. System development methodology for the FDSS
The purpose of this study is to design and develop
a FDSS to assist EC project managers in identifying
potential risk factors and evaluating the corresponding
EC development risks. FDSS is constructed following
the five-stage system development methodology,
which is based on a generic IS development [31],
incorporated with the method for fuzzy risk analysis
[37,40,41,46]. Although this system development
methodology is developed for the FDSS, we believe
that other researchers can easily follow as a guideline
to design and develop other FDSS for risk analysis in
other application areas. The system development
process consists of five stages, namely, construction
of fuzzy risk analysis model, development of system
architecture, analyzing and designing of the system,
building of the prototype, and evaluation of the
system. An overview of these five stages of system
development is shown in Fig. 1. First, a fuzzy risk
analysis model was constructed as the kernel of the
system. Second, system architecture was developed.
Third, system design and analysis were carried out in
modularity with defining functionalities of the system
components and an understanding of how they inter-
act with one. Fourth, the prototype system was built in
Table 2
Potential risks associated with EC development
Variables Potential risks associated with EC development
V1 Hacker gaining unauthorized access
V2 Absence of firewall
V3 Lack of using cryptography
V4 Poor ‘‘key’’ management
V5 Malicious code attacks
V6 Disclosure of sensitive information
V7 Loss of audit trail
V8 Natural disaster-caused equipment failure
V9 Human factor-caused equipment failure
V10 Threat of sabotage in internal network
V11 Inadequate backup systems
V12 Software or hardware problem-caused system
failure
V13 Site or network overload and disruption
V14 Poor design, code or maintenance procedure
V15 Wrong functions and properties development
V16 Wrong user interface development
V17 Project complexity
V18 Wrong project size estimation
V19 Technological newness
V20 Continuous change of system requirements
V21 Wrong schedule estimation
V22 Project behind schedule
V23 Project over budget
V24 Inadequate cash flow
V25 Personnel shortfalls
V26 Lack of expertise and experience in e-commerce
V27 Loss of key person
V28 Lack of top management support
V29 Poor project planning
V30 Unclear project objectives
V31 Indefinite project scope
V32 Lack of contingency plans
V33 Business process redesign
V34 Organizational restructuring
V35 Lack of trust between your organization and
merchant or customer
V36 Inappropriate media for the product and service
V37 Lack of international legal standards
V38 New laws, regulations, and judicial decisions
constantly change the online legal landscape
V39 Uncertain legal jurisdiction
V40 Incompletion of contract terms
V41 Difficult to change outsourcing decision/vendor
V42 Loss of data control
V43 Loss of control over vendor
V44 Loss of control over information technology
V45 Hidden cost
V46 Lack of vendor expertise and experience
V47 Lock-in situation
V48 Vendor offers outdated technology skill
V49 Vendor provides poor quality service
Table 2 (continued)
Variables Potential risks associated with EC development
V50 Difference users with different in culture customers,
and business styles
V51 Language barrier
Source: Based on Wat et al. [43].
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 239
order to learn more about the concepts, framework,
and design through the system-building process. Fi-
nally, the prototype system was evaluated by EC
experts and potential users. Detailed descriptions of
each phase are presented in the following sections.
3.1. Phase 1: construct a fuzzy risk analysis model
Most existing risk analysis models are based on
quantitative techniques such as Monte Carlo Simula-
tion and Annual Loss Expectancy. However, the infor-
mation that is related to most uncertainty factors is not
numerical. FST provides an approximate model for the
evaluation of the risk faced by EC projects through a
linguistic approach. The procedure for fuzzy risk
analysis is based on the works from Refs. [37,40,
41,46] that consisted of five steps: risk identification,
natural language representation, fuzzy assessment ag-
gregation, fuzzy weighted average computation, and
linguistic approximation. The details of each stage are
described in the following sections.
3.1.1. Risk identification
The first step is to conduct risk identification and
compile a list of the most significant uncertainty
factors and their descriptions. Before conducting fuzzy
risk analysis, one must identify the components of
risks associated with EC development. However, little
empirical research has focused on identifying the
potential risk factors that threaten EC development.
In the study of Wat et al. [47], a source-based approach
to categorizing EC development risks is initially used,
with technical, organizational, and environmental risks
as three primary source categories. Then the potential
risks associated with EC development was identified
with 51 risk items (see Table 2) associated with EC
development based on a comprehensive literature
review and interviewed with EC practitioners.
An empirical study was conducted with 330 valid
returns used for the analysis. An exploratory factor
analysis (EFA) of the survey data revealed 10 major
Table 3
Results of EFA
Factor Variables Factor
loading
Eigen
value
Percentage
of variance
Cumulative
variance
Factor 1: V21 0.640 11.567 26.900 26.900
Resources V22 0.768
Risk V23 0.758
V24 0.644
V25 0.464
V27 0.416
Factor 2: V14 0.535 3.050 7.094 33.994
Requirements V15 0.506
Risk V16 0.627
V17 0.638
V19 0.699
V20 0.694
Factor 3: V46 0.679 2.349 5.463 39.457
Vendor V47 0.712
Quality V48 0.769
Risk V49 0.749
Factor 4: V1 0.630 2.034 4.730 44.187
Client– V2 0.745
Server V3 0.750
Security V4 0.732
Risk V5 0.445
Factor 5: V37 0.786 1.608 3.739 47.926
Legal Risk V38 0.817
V39 0.796
Factor 6: V28 0.522 1.451 3.375 51.302
Managerial V29 0.648
Risk V30 0.728
V31 0.500
V32 0.605
Factor 7: V40 0.539 1.343 3.124 54.426
Outsourcing V41 0.641
Risk V42 0.698
V43 0.751
V45 0.439
Factor 8: V7 0.519 1.197 2.785 57.210
Physical V8 0.794
Security V9 0.821
Risk V10 0.493
Factor 9: V50 0.804 1.112 2.586 59.796
Cultural
Risk
V51 0.828
Factor 10: V33 0.606 1.075 2.501 62.297
Reengineering
Risk
V34 0.774
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255240
dimensions of risks associated with EC development,
namely: (1) resources risk, (2) requirements risk, (3)
vendor quality risk, (4) client–server security risk, (5)
legal risk, (6) managerial risk, (7) outsourcing risk, (8)
physical security risk, (9) cultural risk, and (10) re-
engineering risk (see Table 3). As a result of the study
[47], the risk classification framework as shown in
Fig. 2 helps in the formulation of ways of accessing
risks to EC development.
3.1.2. Natural language representation
According to Karwowski and Mital [22], tradition-
al approaches to risk assessment obtain their overall
risk scores by calculating the product of exposure,
likelihood, and the consequences of a possible acci-
dent due to the hazard. A simpler approach that is
advocated by some risk experts is to multiply the
severity of consequences by the likelihood of their
occurrence, as the likelihood of occurrence automat-
ically includes exposure [45]. For example, Boehm
[5] defined risk impact as the product of the proba-
bility of an unsatisfactory outcome (Likelihood) and
the loss to the parties affected when the outcome is
unsatisfactory (Severity). Consequently, two linguistic
variables, ‘‘Likelihood’’ and ‘‘Severity’’, are defined
to calculate the overall risk. In FWA, ‘‘Likelihood’’ is
the rating factor (Ri), and ‘‘Severity’’ is the weighting
factor (Wi) that corresponds to rating factor i. Both
linguistic variables have five terms. ‘‘Likelihood’’ is
expressed in terms of ‘‘Very Unlikely’’, ‘‘Unlikely’’,
‘‘Medium’’, ‘‘Likely’’, and ‘‘Very Likely’’ (see Fig.
3). ‘‘Severity’’ is expressed as ‘‘Minimal’’, ‘‘Low’’,
‘‘Moderate’’, ‘‘High’’, and ‘‘Critical’’ (see Fig. 4).
In this study, the membership functions of the
linguistic terms are characterized by triangular fuzzy
numbers, as these are very often used in applications
such as fuzzy controllers, and in managerial decision
making, business and finance, and the social sciences,
etc. [6]. Table 4 shows the membership functions and
the triangular fuzzy numbers of each linguistic term.
3.1.3. Fuzzy assessment aggregation
In this stage, an aggregate of several evaluators’
fuzzy assessment is performed by using the fuzzy
average operation for aggregate method. By allowing
more than one evaluator to assess the risks associated
with an EC project, a more objective and unbiased
result can be obtained. The fuzzy average operation
for aggregate method that is known as the ‘‘Triangular
Average Formula’’ [6] is used to determine the mean
of evaluator opinions. Hence, the fuzzy average of
each risk factor question from the risk assessment
form can be obtained. The Triangular Average For-
mula is as follows:
Fig. 2. A classification framework for risk management in EC development.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 241
Fig. 3. Membership function of likelihood.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255242
Consider n evaluators and let Ai=(a1(i), aM
(i), a2(i)) be
the fuzzy numbers, i=1,. . .,n. Thus, the triangular
average mean:
Aaverage ¼A1 þ : : : þ An
n
¼ ðað1Þ1 ; að1ÞM ; a
ð1Þ2 Þ þ : : : þ ðaðnÞ1 ; a
ðnÞM ; a
ðnÞ2 Þ
n
¼
Xni¼1
aðiÞ1 ;Xni¼1
aðiÞm1;Xni¼1
aðiÞ2
!
n
Fig. 4. Membership fun
Aaverage ¼ ðm1;mm;m2Þ
¼ 1
n
Xni¼1
aðiÞ1 ;
1
n
Xni¼1
aðiÞM ;
1
n
Xni¼1
aðiÞ2
!
3.1.4. Fuzzy weighted average computation
Based on the classification framework in Fig. 2,
overall EC project risk has three dimensions, which
consist of 10 components. The lowest-level node
encompasses a list of risks factors that are associated
with EC development. Having obtained the fuzzy
average with the likelihood and severity of each risk
derived from previous step, the EFWA algorithm (see
ction of severity.
Table 4
Fuzzy set representation for each linguistic terms
Likelihood Severity
Very unlikely minimal =1�4x (0, 0, 0.25) 0VxV0.25Unlikely low =4x (0, 0.25, 0.5) 0VxV0.25
=2(1�2x) 0.25VxV0.5Medium moderate =4x�1 (0.25, 0.5, 0.75) 0.25VxV0.5
=3�4x 0.5VxV0.75Likely high =2x�1 (0.5, 0.75, 1) 0.5VxV0.75
=4(1�x) 0.75VxV1Very likely critical =4x-3 (0.75, 1, 1) 0.75VxV1
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 243
Appendix A) can be applied. For a better understand-
ing, let us consider an example. Fig. 5 illustrates a
simple hierarchical structure that is designed to iden-
tify the severity of loss for ‘‘Legal Risk’’. There are
three risk factors associated with ‘‘Legal Risk’’, and
the fuzzy weighted average for the severity of loss is
calculated as follows:
W̄ ¼ W1 � R1 þW2 � R2 þW3 � R3
W1 þW2 þW3
A numerical illustration of this calculation is
shown in Appendix B.
3.1.5. Linguistic approximation
As the result of the calculated fuzzy weighted
average is a fuzzy number, it is necessary to translate
it back into linguistic terms for easy interpretation.
Fig. 5. Simple hierarchical s
The goal of linguistic approximation is to find the
linguistic term with the closest possible meaning to
that of a defined fuzzy set. There are three techniques
in linguistic approximation: best fit, successive ap-
proximation, and piecewise decomposition. The dif-
ference between these three techniques was discussed
by Schmucker [37]. In the present study, the best fit
method is adopted because it is easy to understand and
easy to implement on computers [37]. This method is
based on the ‘‘Euclidean distance’’ between two fuzzy
sets, as proposed by Dubois and Prade [14]. Euclidean
distance is defined as:
dðX ;AÞ ¼X1
½X ðiÞ � AðiÞ�2( )1=2
d=Euclidean distance between two fuzzy sets. X=re-
sultant fuzzy set, and A=defined fuzzy set.
However, it is necessary to map the resultant fuzzy
interval back to one of the fuzzy numbers that are
defined in Fig. 4. Therefore, a modified Euclidean
approach was proposed by Ross et al. [36]. The
difference measure d is given as follows:
dðX ;AÞ ¼�Xn
i
½fXminðiÞ � AminðiÞg2
þ fXmaxðiÞ � AmaxðiÞg2��1=2
where i is the a value and n is the number of a-cut.
tructure of legal risk.
E.W.T. Ngai, F.K.T. Wat / Decision Sup244
Applying the above equation, the Euclidean
distance between fuzzy set X and predefined natu-
ral language expressions (e.g. low, moderate, and
high) is calculated. The model then assigns the
appropriate natural language expression to the low-
est Euclidian distance associated with fuzzy set X.
For example, if fuzzy set X, which represents the
total risk faced by an EC project, has a low
Euclidian distance with a predefined natural lan-
guage expression of ‘‘high’’, then the model assumes
that fuzzy set X is translated as ‘‘high’’, which
indicates that the total risk faced by the project is
high. Refer to Appendix B for detailed numerical
illustration of the application to the example of
‘‘Legal Risk’’.
3.2. Phase 2: develop system architecture
Good system architecture provides a road map for
the system building process by placing components
into perspective, defining their functionalities, and
demonstrating how they will interact with one an-
other [31]. The Web is the center of activity in
developing decision support systems (DSS) [38]
while client–server architecture has been widely
adopted in the integration of Web-based applications
[9]. The client–server relationship describes the
distribution of tasks between a server and the clients
who access that server. The FDSS is a client–server
system with a two-tiered architecture. On the client
side it is a front-end system that works with Web
clients to obtain service requests and present results.
On the server side, it is a back-end system that
executes a fuzzy risk analysis and access database
for data management. Indeed, such a two-tiered
architecture is suitable when developing non-critical
applications with light transaction loads such as DSS
or departmental applications [11]. Since the FDSS is
a client–server system, it will be executed on the
Web server. Whenever a Web browser (Client) sends
a request for a page to the FDSS, the code is
processed at that time by the Web server. For the
system components contain in the FDSS, it is com-
posed of three interrelated components, which are (1)
database, (2) model base subsystem, and (3) user
interface. These three components are the basic
elements in DSS [33]. Fig. 6 depicts the basic
architecture of the FDSS.
3.3. Phase 3: analyze and design the system
Analysis and design are important aspects of the
system development process. Design involves an
understanding of the domain being studied, the appli-
cation of various alternatives, and the synthesis and
evaluation of proposed solutions. Design specifica-
tions are used as a blueprint for the implementation of
the system [31]. The determination of system compo-
nents and development platform is made during this
phase. The design of DSS can be divided into three
interrelated components, which are database, model
base subsystem, and user interface [33]. The detailed
specifications of these three system components,
structure, and features are determined as follows.
3.3.1. Database
The database system is responsible for the storage
of data and its management. It maintains the necessary
information on each EC project. The data is obtained
from an external source through manual or automated
processes and the results generated by the FDSS. To
manipulate databases on the Web, ActiveX Data
Object (ADO) is used to interface with relational
databases via the Open Database Connectivity
(ODBC) protocol [2]. ADO was chosen as the data
access mechanism due to its high speed, ease of use,
and low memory overheads. The underlying database
can be any application that supports the ODBC
protocol. The current implementation makes use of
Microsoft Access.
3.3.2. Model base subsystem (fuzzy risk analysis
COM component)
The model base performs activities to provide
analytical capabilities for the DSS [43]. Users can
write their own models or use standard models at
times. Fuzzy risk analysis model described in Section
3.1 is employed as a model base subsystem in FDSS.
This model is translated into programming code and is
integrated as the Component Object Model (COM).
COM defines the binary interface between objects. It
is a binary interoperability specification. The two
most common reasons for using components are
breaking up complex applications into manageable
chunks and packaging code for re-use [2]. ASP
scripting is mainly used to implement the FDSS.
ASP script has the ability to interface with COM
port Systems 40 (2005) 235–255
Fig. 6. System architecture.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 245
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255246
compliant software components. If functionality is
needed but cannot be provided by scripting, then
ASP components can be used. ASP components are
COM-based, encapsulate a specific functionality, and
are invoked either directly from an ASP page or
indirectly via another ASP component [34].
Fuzzy risk analysis is implemented as the COM
object that is stored in DLL for performing fuzzy risk
analysis. When clients invoke the calculation of the
overall risk faced by the EC project, the fuzzy risk
analysis COM component is called to access neces-
sary information from the database, such as the
likelihood and severity of each risk factor, to perform
fuzzy averaging, calculate the fuzzy weighted aver-
age, and obtain linguistic approximations. Eventually,
the overall risk and risk score of each risk dimension
are obtained.
3.3.3. User interface
The design of the user interface is a key element in
DSS functionality. The DSS interface should provide
easy communication between the user and the system
[43]. Web browser serves as the user interface com-
ponent of the DSS, which make the technology easy
to understand and use [38]. Besides, the FDSS con-
sists mainly of menus and graphics, which are sup-
plemented by natural language. A client invokes the
system by connecting to the Web site through the
standard HTTP protocol, which causes the interface
component to be loaded from the server to the client
station. Pull-down menus allow users to specify their
needs, such the creation of a new project and the
addition of an evaluator record (see Fig. 7).
3.4. Phase 4: build the prototype system
The implementation of a system demonstrates the
feasibility of the design and the utility of the function-
alities that are envisaged [31]. Building a prototype
system is one of the processes that allow insight into
the problems and the complexity of a system during
development research. FDSS is constructed using
various commercial software packages and program-
ming techniques. The detail descriptions of construc-
tion of the FDSS using these software packages and
programming skills are given as below.
The prototype was run on the Windows 2000
Serverk platform. IIS was the Web server which
accepted the ASP request forms that were sent from
client browsers. Internet Explorer 5.0 was selected as
the Web browser in the client computers. Macromedia
Dreamweaverk was selected as the HTML editor for
Web site and page design, and it was incorporated
with Macromedia Fireworksk for the creation and
editing of images, and Macromedia Flashk for the
creation of animated openings.
The main body of the FDSS was written using ASP
script language. VBScript was chosen for the server-
side script because it is the default scripting language
on the IIS server. To create more functional and
interactive Web pages, JavaScript was selected as
the client-side script because it is widely supported,
and some browsers (e.g. Netscape Communicator 4.5)
do not have the capability to interpret VBScript except
with the aid of proprietary add-ons from third-party
vendors. In the FDSS, JavaScript embedded in ASP
code was mainly responsible for HTML form and data
validation, and pull-down menus were used in the
interface design. Microsoft Visual InterDev (VI) was
also used to design dynamic Web applications, as it
provides a development environment and collection of
useful tools and utilities [9].
Visual Basick was selected for development of the
fuzzy risk analysis component. According to Ander-
son et al. [2], there are several advantages of using
Visual Basick to develop COM components. Firstly,
it allows the user to write components quickly without
having to spend much time learning COM. Secondly,
it gives quite respectable performance. Thirdly, it is
often seen as the natural progression for ASP devel-
opers learning to write components. Power [34]
argues that the most common, and the simplest,
component to create is Visual Basic, especially using
an ActiveX DLL that is an in-process component.
The ODBC protocol was selected to communicate
with the Access database because it is compatible with
a variety of database systems. ADO was used to
provide the database connection, as it is a set of
objects that allows programmers to program their data
access logic in languages such as Visual Basic, as well
as in scripting languages [9].
3.5. Phase 5: evaluate the system
Once the system is developed, the testing and
evaluation of the prototype can be performed.
Fig. 7. Screen for creating new project.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 247
Through system evaluation, information can be cap-
tured on what users like and dislike, and what the
system does and does not do to meet their needs.
Firstly, testing and evaluation of the system were
performed. All of the FDSS modules were tested for
accuracy and completeness, and the outputs gener-
ated were checked and validated. These tests en-
sured that the system was performing functions that
would meet the requirements of users by assisting
them in conducting risk management for EC devel-
opment. Secondly, once the FDSS was built, out-
come evaluation was conducted in two phases. The
first phase was domain expert evaluation, and the
second phase was potential user (EC practitioner)
evaluation.
There are a number of approaches to evaluate DSS.
One of the criteria for the evaluation of a DSS is the
measurement of the effectiveness of the system.
Another evaluation criterion is to measuring user
satisfaction. An evaluation form with several sections
was designed. The first section measured the effec-
tiveness and usability of the system with five-point
Likert scales (1=strongly disagree, 3=undecided,
5=strongly agree). Through measuring the effective-
ness of the system, we can see the ability of the
system to accomplish its objectives or mission. Items
to measure the usability of the system reflect the
usefulness and ease of use of the system. We can
therefore assess user satisfaction as one of the poten-
tial indicators of the system’s success. The second
Table 5
Result of prototype evaluations by potential users
Mean S.D. t-test Significant
level
Effectiveness of the system
The system can
(1) Assist in assessing
risks associated with
EC development.
3.59 0.96 2.890 0.009**
(2) Provide an effective
mean to collect,
store and analyze
perception on potential
risk to EC development.
3.64 0.95 3.130 0.005**
(3) Monitor and mitigate risk. 3.55 0.86 2.982 0.007**
Usability of the system
(4) Learning to operate
the system would be
easy for me.
3.32 0.72 2.084 0.050*
(5) My interaction with
the system would be
clear and understandable.
3.86 0.77 5.231 0.000***
(6) I find the system to be
flexible to interact with.
3.18 1.05 0.810 0.427
(7) The system’s commands
are self-explained and
easy to understand.
4.05 0.72 6.789 0.000***
(8) I find the system
easy to use.
3.14 1.21 0.530 0.602
(9) The system is
user friendly.
4.09 0.81 6.308 0.000***
(10) Likely to recommend
to other users.
3.59 0.67 4.161 0.000***
*pV0.05.**pV0.01.***pV0.001.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255248
section of the evaluation form included several open-
ended questions that were analogous to an interview
in that they gave the respondents an opportunity to
express themselves openly, particularly about the
problems that they encountered and how the prototype
could be improved. The final section collected the
evaluators’ personal information.
3.5.1. Expert evaluation
Evaluations by domain experts help to determine
the accuracy of embedded knowledge [16]. The FDSS
system was validated by a group of six participants
attending the ‘‘Fuzziness and Soft Computing in the
New Millennium’’ session of the 9th International
Fuzzy System Association World Congress and the
20th North American Fuzzy Information Processing
Society International Conference. The FDSS was
demonstrated and an evaluation form was distributed
to the experts who presented papers in the fuzzy
modeling session of the meeting. All experts were
university professors and researchers with average
more than 10 years working experience and good
knowledge of FST. They were asked to evaluate the
prototype from two perspectives: effectiveness and
usability of the FDSS. For the effectiveness of the
system, most respondents agreed that the prototype
system was an effective risk assessment tool, in
particular indicating that it can assist in assessing
risks associated with EC development. For the us-
ability of the system, most respondents considered the
system quite easy to use. User’s interaction with the
system was clear and understandable. They were
likely to recommend the prototype system to other
users.
3.5.2. Potential user evaluation
Evaluations by users help to determine the utility
of a system according to the following criteria: ease
of interaction, the extent of its capabilities, its
efficiency and speed, its reliability and whether it
produces useful results [16]. The evaluation form
was transformed electronically and was integrated in
the FDSS for user to conduct online evaluation. A
total of 50 e-mails were sent to a randomly selected
sample from our mailing list directory of EC practi-
tioners in Hong Kong. Twenty-two responses were
collected and stored in the FDSS database for further
analysis.
The responses from the potential users are summa-
rized in Table 5. The potential users rated the system
highly on ‘‘effectiveness of the system’’ and ‘‘usabil-
ity’’, with a mean score of at least 3.14 on a five-point
scale (1=strongly disagree, 3=undecided, 5=strongly
agree). Based on the results of the evaluation, the
prototype was seen as a promising system for the
management of risk in EC development.
In order to ensure the values of most the mean
responses were statistically significantly different
from the neutral value of the scale, which is ‘‘3—
undecided’’, one-sample t-test using test value ‘‘3’’
was conducted for the 10 items. Results of t-test are
presented in Table 5. Overall, the prototype evalu-
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 249
ation is satisfactory because items 6 and 8 are not
significant from the value ‘‘3’’, which is ‘‘undecid-
ed’’. The significant level for other items are
smaller than 0.05 and their mean values are larger
than 3.00. The viability of the FDSS in supporting
risk management in EC development has been
ascertained by positive feedback obtained from the
evaluation form.
4. Benefits of using FDSS
FDSS had been implemented and the results of
the system evaluation showed that FDSS can be
applied effectively for managing risks associated
with EC development. The computations involved
in the model of fuzzy risk analysis are tedious if
performed manually. It is an easy task and the time
for risk analysis can be significantly reduced. The
Web-based FDSS automates a questionnaire instru-
ment for risk assessment that helps the EC project
managers to determine the overall risk of EC devel-
opment. The benefits of using the system are as
follows.
� Risks associated with EC development are identi-
fied. These risk items serve as a checklist that cover
possible risks associated with EC development in
technical, organizational, and environmental
dimensions. EC project managers or EC practi-
tioners can be informed and be able to recognize
the risks associated with EC development.� EC project managers can predict the overall risk of
the project before start the implementation. An
overall risk index can be used as early indicators of
project problems or potential difficulties. Evalua-
tors can keep track to evaluate the current risk level
of their EC development.� The system provides an effective, systematic, and
more natural way by using the proposed fuzzy risk
analysis model. Evaluators can just simply use the
risk evaluation checklist and use the linguistic
terms to evaluate the EC development risk level.� Prioritization is necessary to provide focus for
important risks [18]. A list of ranked risk items
associated with EC development will be produced.
Therefore, the most serious risk item will be
addressed first.
5. Conclusions and further enhancements
EC development takes place in a complex and
dynamic environment that includes high levels of risk
and uncertainty. This study has outlined an approach
to the assessment of the risks associated with EC
development using FST. A model of fuzzy risk
analysis was proposed to assist EC project managers
and decision makers in formalizing the types of
thinking that are required in assessing the current risk
environment of their EC development in a more
systematic manner than before.
A Web-based FDSS was designed and developed
to incorporate the proposed risk analysis model.
System evaluation was performed to ascertain
whether the FDSS achieved its designed purpose,
and the results were satisfactory. The feedback and
comments collected from respondents were used to
make necessary adjustments. The results of the
evaluation strongly support the viability of the study
approach to risk analysis using fuzzy sets, and
demonstrated the feasibility of evaluating EC project
risk.
The FDSS prototype focused on risk identifica-
tion, analysis, and prioritization. Less attention
was given to the risk management planning, reso-
lution, and monitoring that is associated with EC
development. Further research should be conducted
into such risk management planning. In addition,
risk monitoring should be conducted regularly to
track the status of the identified risks. With such
insight and improvement, the FDSS could be
further enhanced to handle the functionality of risk
management.
Moreover, it was assumed that the ‘‘weighting’’
assigned by each evaluator in the risk evaluation was
the same, but the relative importance placed on
certain factors by individual decision makers and
experts could be widely different. Further research
is needed to develop different ‘‘weightings’’ for
different evaluators.
6. Limitations of this study
Although the prototype comes out with many
advantages, it still has some limitations. The limita-
tions of the prototype are summarized below.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255250
� In spite of the fact that the prototype evaluation
shows a satisfactory outcome in the effectiveness
and usability of the prototype, but FDSS do not get
the chance to test it with real-life EC projects. The
validity of the system can be established through
in-depth case studies.� The prototype only provides the risk items based
on the risk classification framework shown in Fig.
2. The list of risks shown in Table 2 is not
exhaustive, but it is comprehensive enough for the
purpose of this study.� For simplification, the membership functions were
evenly distributed by triangular fuzzy numbers.
Various membership functions need to be estimat-
ed to be as realistic as possible.
Acknowledgements
The authors are grateful for the constructive
comments of the referees and the Area Editor on an
earlier version of this paper. They wish to thank all the
people who have participated in the evaluation of the
system as well.
e1 þ e2 þ þ en
Appendix A. Algorithm procedure of EFWA
(source: Ref. [24])
1. Sort a’s in non-decreasing order. Let (a1, a2, . . .an) be the resulting sequence. Let first:=1 and
last:=n.
2. Let d�threshold:= t(first +last)/2 b. For each
i=1,2,. . ., d�threshold, let ei:=di and for each
Table 6
Input values of two evaluators
Risk factors Evaluator A
Likelihood
(1) Lack of international legal
standard
likely
(0.5, 0.75, 1)
(2) New laws, regulations, and judicial
decisions constantly change the
online legal landscape
medium
(0.25, 0.5, 0.75)
(3) Uncertain legal jurisdiction medium
(0.25, 0.5, 0.75)
i=d�threshold+1,. . ., n, let ei:=ci. For an n-tuple
S=(e1, e2,. . .,en), evaluate dSd�thresholdand dS(d�threshold+1)
.
3. If dSd�threshold>0 and dS(d�threshold+1)
V0 then L=fL (e1,
e2,. . .,en) and goto Step 4; otherwise execute the
following step.
3.1. If dSd�threshold>0 then first:=d�threshold+1; oth-
erwise last:=d�threshold, and goto Step 2.
4. Sort b’s in non-decreasing order. Let (b1, b2,. . .,bn) be the resulting sequence. Let first:=1 and
last:=n.
5. Let f�threshold:=t(first+last)/2b. For each i=1,
2,. . ., fSf�threshold+1, let ei:=ci and for each i=f�thres-
hold+1,. . ., n, let ei:=di. For an n-tuple S=(e1,
e2, . . ., en), evaluate fSf�thresholdand fSf�threshold+1
.
6. If fSf�threshold>0 and fSf�threshold+1
V0 then U=fU (e1, e2,
. . ., en) and stop; otherwise execute the following
step.
6.1. If fSf�threshold>0, then first:=f�threshold+1; oth-
erwise last:=f�threshold, and goto Step 5.
where
dSi ¼ða1 � aiÞe1 þ ða2 � aiÞe2 þ : : : þ ðan � aiÞen
e1 þ e2 þ : : : þ en
fSi ¼ðb1 � biÞe1 þ ðb2 � biÞe2 þ : : : þ ðbn � biÞen
: : :
Appendix B. Illustrative example of fuzzy risk
analysis
Based on Fig. 5, an illustrative example is de-
scribed below. Suppose that two evaluators assess an
EC project. Table 6 shows the two different evalua-
tors’ perceptions.
Evaluator B
Severity Likelihood Severity
high
(0.5, 0.75, 1)
medium
(0.25, 0.5, 0.75)
critical
(0.75, 1, 1)
high
(0.5, 0.75, 1)
very likely
(0.75, 1, 1)
moderate
(0.25, 0.5, 0.75)
moderate
(0.25, 0.5, 0.75)
medium
(0.25, 0.5, 0.75)
low
(0, 0.25, 0.5)
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 251
The fuzzy average of the likelihood of risk factor 1
(lack of international legal standard) is:
¼ ð0:25þ 0:5Þ; ð0:5þ 0:75Þ; ð0:75þ 1Þ2
¼ ð0:375; 0:625; 0:875Þ
Whilst the fuzzy average of the severity of risk
factor 1 is:
¼ ðHighþ CriticalÞ=2
¼ ð0:5þ 0:75Þ; ð0:75þ 1Þ; ð1þ 1Þ2
¼ ð0:625; 0:875; 1Þ
Table 7 shows the fuzzy average of all risk factors.
After obtaining the fuzzy average, the FWA can be
calculated with the EFWA algorithm. Consider the
three-term weighted average from Table 7,
y ¼ f ðR1;R2;R3;W1;W2;W3Þ
¼ R1 �W1 þ R2 �W2 þ R3 �W3
W1 þW2 þW3
Two values for a, viz., 0 and 1, are chosen. For
a=0, the intervals of Ri and Wi are:
½a1 ¼ 0:375; b1 ¼ 0:875�; ½a2 ¼ 0:5; b2 ¼ 0:875�;½a3 ¼ 0:25; b3 ¼ 0:75�;
Table 7
Results of fuzzy average
Risk factors Fuzzy average
of likelihood
Fuzzy average
of severity
(1) Lack of international
legal standard
R1 (0.375,
0.625, 0.875)
W1 (0.625,
0.875, 1)
(2) New laws, regulations,
and judicial decisions
constantly change the
online legal landscape
R2 (0.5, 0.75,
0.875)
W2 (0.375,
0.625, 0.875)
(3) Uncertain legal
jurisdiction
R3 (0.25, 0.5,
0.75)
W3 (0.125,
0.375, 0.625)
½c1 ¼ 0:625; d1 ¼ 1�; ½c2 ¼ 0:375; d2 ¼ 0:875�;½c3 ¼ 0:125; d3 ¼ 0:625�
respectively for i=1, 2, 3.
The computational procedure is as follows:
Step 1
Sort a’s into non-decreasing order, and the result-
ing sequence is
½a1 ¼ 0:25; b1 ¼ 0:75�; ½a2 ¼ 0:375; b2 ¼ 0:875�;½a3 ¼ 0:5; b3 ¼ 0:875�; ½c1 ¼ 0:125; d1 ¼ 0:625�;½c2 ¼ 0:625; d2 ¼ 1�; ½c3 ¼ 0:375; d3 ¼ 0:875�ða1; a2; a3Þ ¼ ð0:25; 0:375; 0:5Þ; first:¼ 1; last:¼ 3
Step 2
d�threshold:=t(1+3)/2b=2, S=(0.625, 1, 0.375),
dS2 ¼ð0:25� 0:375Þ � 0:625þ ð0:5� 0:375Þ � 0:375
0:625þ 1þ 0:375
¼ �0:0156
dS3 ¼ð0:25� 0:5Þ � 0:625þ ð0:375� 0:5Þ � 1
0:625þ 1þ 0:375
¼ �0:1406
Step 3
As dS2<0 and dS3<0, execute the following step.
Step 3.1
Let last:=2 and go to Step 2.
Step 2
d�threshold:=t(1+2)/2b=1, S=(0.625, 0.625, 0.375)
dS1 ¼ð0:375� 0:25Þ� 0:625þ ð0:5� 0:25Þ � 0:375
0:625þ 0:625þ 0:375
¼ 0:1058
dS2 ¼ð0:25� 0:375Þ � 0:625þ ð0:5� 0:375Þ � 0:375
0:625þ 0:625þ 0:375
¼ �0:0192
Fig. 8. Risk assessment form.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255252
Since dS1>0 and dS2<0,
L ¼ fLðc1; d2; d3Þ ¼ a1 þ dS1 ¼ 0:25þ 0:1058
¼ 0:3558
Min fL is 0.3194 and go to Step 4.
Step 4
Sort b’s into non-decreasing order, and the result-
ing sequence is
½a1 ¼ 0:25; b1 ¼ 0:75�; ½a2 ¼ 0:375; b2 ¼ 0:875�;½a3 ¼ 0:5; b3 ¼ 0:875�; ½c1 ¼ 0:125; d1 ¼ 0:625�;½c2 ¼ 0:625; d2 ¼ 1�; ½c3 ¼ 0:375; d3 ¼ 0:875�ðb1; b2; b3Þ ¼ ð0:75; 0:875; 0:875Þ; first:¼ 1; last:¼ 3
Step 5
d�threshold:=t(1+3)/2b=2, S=(0.125, 0.625, 0.875),
dS2 ¼ð0:75� 0:875Þ � 0:125þ ð0:875� 0:875Þ � 0:875
0:125þ 0:625þ 0:875
¼ �0:0096
dS3 ¼ð0:75� 0:875Þ � 0:125þ ð0:875� 0:875Þ � 0:625
0:125þ 0:625þ 0:875
¼ �0:0096
Step 6
As dS2<0 and dS3<0, execute the following step.
Step 6.1
Let last:=2 and go to Step 5.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 253
Step 5
d�threshold:=t(1+2)/2b=1, S=(0.125, 1, 0.875),
dS1 ¼ð0:875� 0:75Þ � 1þ ð0:875� 0:75Þ � 0:875
0:125þ 1þ 0:875
¼ 0:1172
dS2 ¼ð0:75� 0:875Þ � 0:125þ ð0:875� 0:875Þ � 0:875
0:125þ 1þ 0:875
¼ �0:0078
As dS1>0 and dS2<0,
U ¼ fU ðd1; c2; c3Þ ¼ b1 þ dS1 ¼ 0:75þ 0:1172
¼ 0:8672
Max fU is 0.8672 and stop.
Accordingly, the interval for a=0 is (0.3558,
0.8672), in which each point corresponds to the end
Fig. 9. Risk assess
points of the triangle that represent the membership
functions. The process is repeated for a=1, and the
result obtained is (0.6417, 0.6417), which corresponds
to the center of the triangle.
As the results are fuzzy numbers, Euclidean dis-
tances are used to map the resultant fuzzy interval
back to linguistic terms.
dðX ;AÞ ¼�Xn
i
½fXminðiÞ � AminðiÞg2 þ fXmaxðiÞ
� AmaxðiÞg2��1=2
where i is the a value and n is the number of a-cut.Based on the results, the Euclidean distances are:
dðX ;MinimalÞ ¼ 0:9588; dðX ;LowÞ ¼ 0:6441;
dðX ;ModerateÞ ¼ 0:2122; dðX ;HighÞ ¼ 0:2240;
dðX ;CriticalÞ ¼ 0:5490
ment result.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255254
The closest Euclidean distance is 0.2122, which
means the legal risk is considered as moderate.
Appendix C. Illustrative example of the use of the
FDSS for risk assessment in EC development
In this appendix, examples of a dialogue between a
user and the prototype FDSS are shown. Annotations
are added to give a deeper insight into the operation of
the FDSS.
To conduct a risk analysis for a new project, the
evaluator first creates a project evaluation record by
clicking on ‘‘New’’ in the ‘‘Project’’ menu (see Fig.
7). The evaluator can then click on the Assessment
button to start the fuzzy risk analysis. The risk
assessment form is displayed and lists all of the
identified risk factors from the database. Based on
previous project development experience and their
own perception, the evaluator can proceed to define
the likelihood and severity of each risk factor in
natural language. The first page of the risk evaluation
form consists of technical risk factors. The evaluator
can click on the radio button for the risk factor,
‘‘Hacker gaining unauthorized access’’, to indicate
its likelihood (e.g. ‘‘very unlikely’’) and severity
(e.g. ‘‘critical’’). The evaluator can click on the risk
factor for further explanation (see Fig. 8). He/she can
then go to the next risk assessment form by clicking
on the Next button. When all of the risk factors are
evaluated, the fuzzy risk analysis COM component is
invoked and the overall risk faced by the project is
assessed. Fig. 9 shows the results based on inputted
information and other evaluator answers for a partic-
ular project. The FDSS indicates that the overall risk
for the selected project is moderate, and the score for
each risk dimension is represented by an image bar.
References
[1] J. Anderson, R. Narasimhan, Assessing project implementa-
tion risk: a methodological approach, Management Science 25
(6) (1979) 512–521.
[2] R. Anderson, A. Homer, S. Robinson, Beginning Components
for ASP, Wrox Press, Birmingham, 1999.
[3] S.M. Bass, H. Kwakernaak, Rating and ranking of multiple-
aspect alternatives using fuzzy sets, Automatica 1 (1) (1977)
47–58.
[4] J.C. Bennett, G.A. Bohoris, E.M. Aspinwall, R.C. Hall, Risk
analysis techniques and their application to software develop-
ment, European Journal of Operational Research 95 (1996)
467–475.
[5] B.W. Boehm, Software Risk Management, IEEE Computer,
Society Press, Washington, DC, 1989.
[6] G. Bojadziev, M. Bojadziev, Fuzzy Logic for Business, Fi-
nance, and Management, World Scientific, Singapore, 1997.
[7] S. Bonvicini, P. Leonelli, G. Spadoni, Risk analysis of haz-
ardous materials transportation: evaluating uncertainty by
means of fuzzy logic, Journal of Hazardous Materials 62 (1)
(1998) 59–74.
[8] J.B. Bowles, C. Pelaez, Enrique fuzzy logic prioritization of
failures in a system failure mode, effects and criticality anal-
ysis, Reliability Engineering and Systems Safety 50 (2) (1995)
203–213.
[9] D. Buser, J. Kauffman, J.T. Llibre, B. Francis, D. Sussman, C.
Ullman, J. Duckett, Beginning Active Server Page 3.0, Wrox
Press, Birmingham, 1999.
[10] W.G. de Ru, J.H.P. Eloff, Risk analysis modeling with the use
of fuzzy logic, Computer Security 15 (3) (1996) 239–248.
[11] A. Dickman, Two-tier versus three-tier apps, Information
Week 553 (1995) 74–77.
[12] W.M. Dong, F.S. Wong, Fuzzy weighted averages and imple-
mentation of the extension principle, Fuzzy Sets and Systems
21 (1987) 183–199.
[13] W.M. Dong, H.C. Shah, F.S. Wong, Fuzzy computations in
risk and decision analysis, Civil Engineering Systems 2 (1985)
201–208.
[14] D. Dubois, H. Prade, Fuzzy Sets and Systems, Academic
Press, New York, 1980.
[15] F. Gardin, R. Power, E. Martinelli, Liquidity management
with fuzzy qualitative constraints, Decision Support Systems
15 (1995) 147–156.
[16] J. Gasching, P. Klahr, H. Pople, E. Shortliffe, A. Terry,
Evaluation of expert systems: issues and case studies, in:
F. Hayes-Roth, D.A. Waterman, D.B. Lenat (Eds.), Build-
ing Expert Systems, Addison-Wesley, Massachusetts, 1983,
pp. 241–280.
[17] M. Greenstein, Electronic Commerce: Security Risk Manage-
ment and Control, McGraw-Hill, New York, 2000.
[18] E.M. Hall, Managing Risk: Methods for Software Systems
Development, the SEI Series in Software Engineering, Addi-
son Wesley, Massachusetts, 1998.
[19] C. Huang, Fuzzy risk assessment of urban natural hazards,
Fuzzy Sets and Systems 83 (2) (1996) 271–282.
[20] C.H. Junag, X.H. Huang, D.J. Elton, Fuzzy information pro-
cessing by the Monte Carlo simulation technique, Civil Engi-
neering Systems 8 (1) (1991) 19–25.
[21] R. Kalakota, A.B. Whinston, Frontiers of the Electronic Com-
merce, Addison-Wesley, Reading, MA, 1996.
[22] W. Karwowski, A. Mital, Potential applications of fuzzy sets
in industrial safety engineering, Fuzzy Sets and Systems 19
(1986) 105–120.
[23] H.M. Lee, Applying fuzzy set theory to evaluate the rate of
aggregative risk in software development, Fuzzy Sets and
Systems 79 (3) (1996) 323–336.
E.W.T. Ngai, F.K.T. Wat / Decision Support Systems 40 (2005) 235–255 255
[24] D.H. Lee, D. Park, An efficient algorithm for fuzzy weighted
average, Fuzzy Sets and Systems 87 (1997) 39–45.
[25] Y.W. Lee, M.F. Dahab, I. Bogardi, Fuzzy decision making in
ground water nitrate risk management, Water Resources Bul-
letin 30 (1) (1994) 135–148.
[26] H.M. Leung, K.B. Chuah, V.M.R. Tummala, A knowledge-
based system for identifying potential project risks, OMEGA:
International Journal of Management Science 26 (5) (1998)
623–638.
[27] T.J. Liou, M.J.J. Wang, Fuzzy weighted average: an improved
algorithm, Fuzzy Sets and Systems 49 (1992) 307–315.
[28] G. McDonald, http://www.just.how.risky.is.the.internet? Man-
agement Accounting 78 (3) (2000) 74–75.
[29] C. Mceachern, Technology risks: don’t panic. Financial serv-
ices firms seem to have cyber risk under control, Wall Street+
Technology (April 2001) 38.
[30] D.R. Moscato, Database gateway processor risk analysis using
fuzzy logic, Information Management and Computer Security
6 (3) (1998) 138–144.
[31] J.F. Nunamaker, M. Chen, D.M. Purdin, Systems development
in information systems research, Journal of Management In-
formation Systems 7 (1990) 89–106.
[32] P.C. Pandey, S.V. Barai, Sensitivity-based weighted-average in
structural damage assessment, Journal of Performance of Con-
structed Facilities 8 (4) (1994) 243–263.
[33] J.M. Pearson, J.P. Shim, An empirical investigation into DSS
structures and environments, Decision Support Systems 13
(1995) 141–158.
[34] S. Power, Developing ASP Components, O’Reilly, California,
1999.
[35] R.K.J.R. Rainer, C.A. Snyder, H.H. Carr, Risk analysis for
information technology, Journal of Management Information
Systems 8 (1) (1991) 129–147.
[36] T.J. Ross, H.C. Sorensen, S.J. Savage, J.M. Carson, DAPS:
expert system for structural damage assessment, Journal of
Computing in Civil Engineering 4 (4) (1990) 327–348.
[37] K.J. Schmucker, Fuzzy Sets, Natural Language Computations
and Risk Analysis, Computer Science Press, Rockville, MD,
1984.
[38] J.P. Shim, M. Warkentin, J.F. Courtney, D.J. Power, R. Sharda,
C. Carlsson, Past, present, and future of decision support tech-
nology, Decision Support Systems 33 (2002) 111–126.
[39] T. Stoehr, Managing e-Business Projects: 99 Key Success
Factors, Springer, Hamburg, 2002.
[40] J.H.M. Tah, V. Carr, A proposal for construction project risk
assessment using fuzzy logic, Construction Management &
Economics 18 (2000) 491–500.
[41] A.B. Tee, M.D. Bowman, Bridge condition assessment using
fuzzy weighted averages, Civil Engineering Systems 8 (1)
(1991) 49–57.
[42] S.H. Tsaur, G.H. Tzeng, K.C. Wang, Evaluating tourist risks
from fuzzy perspectives, Annals of Tourism Research 24 (4)
(1997) 796–812.
[43] E. Turban, Decision Support and Expert Systems: Management
Support System, 4th ed., Prentice-Hall, New Jersey, 1995.
[44] D.W. Viehlandm, Managing business risk in electronic com-
merce, Americas Conference on Information Systems.
[45] A. Waring, A.I. Glendon, Managing Risk, International
Thomson Business Press, London, 1998.
[46] F.K.T. Wat, E.W.T. Ngai, Risk analysis in electronic commerce
development using fuzzy set, Proceedings of the Joint 9th
IFSAWorld Congress and 20th NAFIPS International Confer-
ence, IEEE, Piscataway, WJ, vol. 2, 2001, pp. 807–811.
[47] F.K.T. Wat, E.W.T. Ngai, T.C.E. Cheng, Potential risks to e-
commerce development using exploratory factor analysis, In-
ternational Journal of Services Technology and Management,
(2004) (in press).
[48] M. Webster, The Merriam-Webster Dictionary, Merriam-Web-
ster, Springfield, MA, 1994.
[49] D. White, Application of systems thinking to risk manage-
ment: a review of the literature, Management Decision 3
(10) (1995) 35–45.
[50] E.N. Wirba, J.H.M. Tah, R. Howes, Risk interdependencies
and natural language computations, Engineering Construction
and Architectural Management 3 (4) (1996) 251–269.
[51] L.A. Zadeh, Fuzzy sets, Information and Control 8 (1965)
338–353.
Dr. Eric W.T. Ngai is currently an Associ-
ate Professor in the Department of Man-
agement and Marketing at The Hong Kong
Polytechnic University. His research inter-
ests are in the areas of e-commerce, deci-
sion support systems, supply chain systems
and knowledge management systems. He
has published in a number of journals
including IEEE Transactions on Systems,
Man and Cybernetics, Information and
Management, Expert Systems and Applica-
tions, Expert Systems, International Journal of Operations and
Production Management, Omega, European Journal of Marketing,
European Journal of Operational Research, International Journal
of Production Economics, Transportation Review and others. Dr.
Ngai serves on the Editorial Board of International Journal of
Production Research.
Mr. Francis K.T. Wat is currently a
Research Associate in the Department
of Management and Marketing at The
Hong Kong Polytechnic University. He
was awarded the degrees of BSc (Hons)
and MPhil from The Hong Kong Poly-
technic University. His current research
interests are in the areas of e-commerce,
management information systems and
fuzzy systems. He has published in
journal such as Information & Manage-
ment, Omega, International Journal of Services Technology and
Management.
Top Related