Incorporating a knowledge perspective into security risk assessments

Emerald - Vol. 41 No. 2 - pp. 152-166 - 2011
Piya Shedden1, Rens Scheepers1, Wally Smith1, Atif Ahmad1
1Department of Information Systems, University of Melbourne, Melbourne, Australia

Abstract

Purpose
Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.

Design/methodology/approach
The argument was developed through an illustrative case study in which a well‐documented traditional methodology is applied to a complex data backup process. Follow‐up interviews were conducted with the organisation's security managers to explore the results of the assessment and the nature of knowledge “assets” within a business process.

Findings
It was discovered that the backup process depended, in subtle and often informal ways, on tacit knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, this study suggests a new approach might draw on more detailed accounts of individual knowledge, collective knowledge and their relationship to organisational processes.

Originality/value
Drawing on the knowledge management literature, the paper suggests mechanisms to incorporate these knowledge‐based considerations into the scope of information security risk methodologies. A knowledge protection model is presented as a result of this research. This model outlines ways in which organisations can effectively identify and treat risks around process knowledge critical to the business.
