28 research outputs found

    Information Security Assessment of SMEs as Coursework – Learning Information Security Management by Doing

    Information security management is an area with a lot of theoretical models. The models are designed to guide practitioners in prioritizing management resources in companies. Information security management education should address the gap between the academic ideals and practice. This paper introduces a teaching method that has been in use as coursework for ten years. In addition to the theoretical lectures on information security management issues, the students of the course perform information security assessments of local small and medium enterprises (SME). The general assessment of the information security status of a company gives the students a view into what the companies have taken into practice and if they have used theoretical models to guide their work. The analysis of the status and suggestions for improvements also teach the students to scale the theory with the size and operations of the company. This is important because usually information security management literature takes the viewpoint of large organizations, whereas the companies that participate in the assessment are small or medium-sized. Course feedback from the students shows that the assignment is perceived to be useful and interesting, and that it works well when paired with the theoretical teaching of the course. The students find working with real companies motivating, and state that they have learned more than they would have learned on a purely theoretical course. The paper discusses experiences from the course to present a teaching and learning method worth experimenting with in other universities.

    Why should we investigate knowledge risks incidents? - Lessons from four cases.

    In a knowledge-based economy, knowledge has become the most important source for competitive advantage. Thus, organizations pay more attention to the protection of knowledge, and research on knowledge protection has also gained increasing attention in the past years. However, knowledge protection research mainly focuses on the design of preventive measures and little is published about real incidents or reactive measures. Learning from failure and from incidents is important to improve current practice. This paper reflects on four cases of real knowledge risk incidents. We discuss ways to prevent or delay knowledge spillovers and the importance of knowing the threats in order to prevent them. In addition to preventive measures, we highlight that companies need to have reactive measures in place. Finally, based on our insights we discuss why analyzing incidents in addition to identified threats is important for practice as well as academia.

    Sharing Competitive Intelligence, Securing Company Knowledge – A Framework

    This paper discusses the recognition of critical knowledge residing in companies. Company employees are important sources of competitive knowledge. At the same time, the employees have a key role in securing critical knowledge in the company. A framework for recognizing critical knowledge is presented to work for both competitive intelligence and knowledge security perspectives. Employee awareness is essential to both of these perspectives, and the framework is intended to be used in building this awareness.

    Business orientation in knowledge security risk management – a literature review

    This paper examines the information systems literature field from the viewpoint of knowledge security risk management. The review this paper reports was able to identify 7 papers presenting a knowledge security risk management model. The models represent different takes and perspectives on knowledge security risk management. The main finding is that business orientation in the risk management models, and a comprehensive approach that would also emphasize continuous monitoring of the implementation and success of the risk mitigation solutions, are not common in the literature. We suggest further theoretical and empirical studies that would address these issues.

    Knowledge Security - A Conceptual Analysis

    Knowledge is a valuable asset in today's companies. Knowledge is bound to people, and it develops and is created through experience and prior knowledge. Companies manage knowledge from the perspectives of, for example, identification, creation, sharing, and strategy. Although the perspective of securing knowledge has been mentioned in the knowledge management literature, it has not been taken into account very widely in the field of knowledge management. The information security management approach to information is a security perspective that emphasizes the integrity, availability, and confidentiality of information. Although information security is often regarded as mainly a technical matter, the concept can be interpreted to cover knowledge as well. This study examines the concept of knowledge security, what it means, and how the fields of knowledge management and information security management can be combined. The study follows a concept-analytical research approach. The analysis draws on both theoretical and empirical material. The theoretical analysis examines the use of the concept of knowledge security and looks at its related concepts. The empirical analysis focuses on finding out how companies identify and secure knowledge in their daily operations, regardless of whether this is called knowledge security in the companies or not. At the end of the study, the theoretical and empirical analyses are combined, and as a result of the study a model for the concept of knowledge security is constructed. Knowledge security is a process that aims to secure the knowledge bound to a company's employees. The process begins in companies by identifying the knowledge that is important to the company. So that the measures securing important knowledge can be chosen correctly, the threats to this knowledge must also be identified. The framework of the dimensions of information used in information security management (integrity, availability, and confidentiality) is applied in the study to the context of knowledge. By using the knowledge security model, companies can examine the dimensions of knowledge, the threats related to knowledge, and the means of knowledge management and securing as a unified whole. The model thus offers a tool for company management, and its suitability as a tool should be tested in the future.

    Knowledge Systems and Risk Management: Threat Lessons Learned from COVID-19 in 2020-21

    The year 2020-21 has shown us that the likelihood of extreme events is greater than we would have expected. When organizational resources are stretched to their limits due to extreme events, they are also more vulnerable to cyber-attacks and knowledge risks. Based on the events that took place during the 2020-21 period, we identify five knowledge risks and categorize them as technical, behavioral, and legal risks. We identify possible controls to mitigate these knowledge risks: proper knowledge identification, guidelines for employee knowledge behavior, identification and evaluation of online communication channels, and risk re-assessment to knowledge.

    Foreword


    Knowledge Protection for Digital Innovations: Integrating Six Perspectives

    New ways of combining digital and physical innovations, as well as intensified inter-organizational collaborations, create new challenges to the protection of organizational knowledge. Existing research on knowledge protection is at an early stage and scattered among various research domains. This research-in-progress paper presents a plan for a structured literature review on knowledge protection, integrating the perspectives of the six base domains of knowledge, strategic, risk, intellectual property rights, innovation, and information technology security management. We define knowledge protection as a set of capabilities comprising and enforcing technical, organizational, and legal mechanisms to protect tacit and explicit knowledge necessary to generate or adopt innovations.