Information Security Risk Assessment: Towards a Business Practice Perspective

Information security risk assessments (ISRAs) are of great importance for organisations. Current ISRA methods identify an organisation’s security risks and provide a measured, analysed security risk profile of critical information assets in order to build plans to treat risk. However, despite prevalent use in organisations today, current methods adopt a limited view of information assets during risk identification. In the context of day-to-day activities, people copy, print and discuss information, leading to the ‘leakage’ of information assets. Employees will create and use unofficial assets as part of their day-to-day routines. Furthermore, employees will also possess important knowledge on how to perform their functions within a business process or information system. These are all elements of business ‘practice’, a perspective that would yield a richer and holistic understanding of an organisation’s information assets and vulnerabilities. This perspective is not captured by traditional ISRA methods, leading to an incomplete view of an organisation’s information systems and processes that could prove detrimental and damaging. This paper hence suggests that a business practice perspective be incorporated into ISRA methods in order to identify information leakage, unofficial, critical information assets and critical process knowledge of organisations

Organisational Learning and Incident Response: Promoting Effective Learning Through The Incident Response Process

Effective response to information security incidents is a critical function of modern organisations. However, recent studies have indicated that organisations have adopted a narrow and technical view of incident response (IR), focusing on the immediate concern of detection and subsequent corrective actions. Although some reflection on the IR process may be involved, it is typically limited to technical issues and does not leverage opportunities to learn about the organisational security threat environment and to adapt incident response capabilities. Given the science of incident response is rooted in practice, it is not surprising that the same criticisms can be applied to much of IR literature. However, a review of literature in the area of organisational learning suggests that improvements can be made to the incident response process. This paper proposes that future incident response research must incorporate a learning focus, improve feedback timing on learning activities, facilitate double-loop learning and incorporate an informal learning perspective within both formal, procedural incident response processes as well as unstructured, informal environments

Informal Learning in Security Incident Response Teams

Information security incident response is a critical security process for organisations aiming to provide an effective capability to recover from information security attacks. A critical component of security incident response methodologies is the ability to learn from security incidents on how to improve the incident response process in particular and security management in general. Best-practice methodologies and existing research in this area view the incident response process as highly formal and structured while providing recommendations on learning in formal feedback sessions at the conclusion of the incident investigation. This contrasts with more general organizational learning literature that suggests learning in organizations is frequently informal, incidental and ongoing. This research-in-progress paper describes the first phase of a project. Results from a focus group of experts indicates that response to incidents is largely informal suggesting a new Incident Response model is needed that incorporates informal learning practices

Asset Identification in Information Security Risk Assessment: A Business Practice Approach

Organizations apply information security risk assessment (ISRA) methodologies to systematically and comprehensively identify information assets and related security risks. We review the ISRA literature and identify three key deficiencies in current methodologies that stem from their traditional accountancy-based perspective and a limited view of organizational “assets”. In response, we propose a novel rich description method (RDM) that adopts a less formal and more holistic view of information and knowledge assets that exist in modern work environments. We report on an in-depth case study to explore the potential for improved asset identification enabled by the RDM compared to traditional ISRAs. The comparison shows how the RDM addresses the three key deficiencies of current ISRAs by providing: 1) a finer level of granularity for identifying assets, 2) a broader coverage of assets that reflects the informal aspects of business practices, and 3) the identification of critical knowledge assets

Organisational Learning and Incident Response: Promoting Effective Learning Through The Incident Response Process

Effective response to information security incidents is a critical function of modern organisations. However, recent studies have indicated that organisations have adopted a narrow and technical view of incident response (IR), focusing on the immediate concern of detection and subsequent corrective actions. Although some reflection on the IR process may be involved, it is typically limited to technical issues and does not leverage opportunities to learn about the organisational security threat environment and to adapt incident response capabilities. Given the science of incident response is rooted in practice, it is not surprising that the same criticisms can be applied to much of IR literature. However, a review of literature in the area of organisational learning suggests that improvements can be made to the incident response process. This paper proposes that future incident response research must incorporate a learning focus, improve feedback timing on learning activities, facilitate double-loop learning and incorporate an informal learnin

Incorporating a knowledge perspective into security risk assessments

Purpose &ndash; Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.Design/methodology/approach &ndash; The argument was developed through an illustrative case study in which a well-documented traditional methodology is applied to a complex data backup process. Follow-up interviews were conducted with the organisation&rsquo;s security managers to explore the results of the assessment and the nature of knowledge &ldquo;assets&rdquo; within a business process.Findings &ndash; It was discovered that the backup process depended, in subtle and often informal ways, on tacit knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, this study suggests a new approach might draw on more detailed accounts of individual knowledge, collective knowledge and their relationship to organisational processes.Originality/value &ndash; Drawing on the knowledge management literature, the paper suggests mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies. A knowledge protection model is presented as a result of this research. This model outlines ways in which organisations can effectively identify and treat risks around process knowledge critical to the business.<br /

Towards a knowledge perspective in information security risk assessments - an illustrative case study

Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information for a given organisation. We argue that the traditional orientation of these methodologies, towards the identification and assessment of technical information assets, obscures key risks associated with the cultivation and deployment of organisational knowledge. Our argument is developed through an illustrative case study in which a well-documented methodology is applied to a complex data back-up process. This process is seen to depend, in subtle and often informal ways, on knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, we suggest a new approach might draw on more detailed accounts of individual knowledge, collective knowledge, and their relationship to organisational processes. Drawing on the knowledge management literature, we suggest mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies.<br /