Incorporating a knowledge perspective into security risk assessments
Author: | Rens Scheepers, Wally Smith, Atif Ahmad, Piya Shedden |
---|---|
Year of publication: | 2011 |
Subject: | Knowledge management; ITIL security management; Information security management; Certified Information Security Manager; business.industry; Standard of Good Practice; Security management; Business; Library and Information Sciences; Security information and event management; Risk management; Computer Science Applications; Threat |
Source: | VINE. 41:152-166 |
ISSN: | 0305-5728 |
DOI: | 10.1108/03055721111134790 |
Description: | Purpose: Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes. Design/methodology/approach: The argument was developed through an illustrative case study in which a well-documented traditional methodology is applied to a complex data backup process. Follow-up interviews were conducted with the organisation's security managers to explore the results of the assessment and the nature of knowledge “assets” within a business process. Findings: It was discovered that the backup process depended, in subtle and often informal ways, on tacit knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, this study suggests a new approach might draw on more detailed accounts of individual knowledge, collective knowledge and their relationship to organisational processes. Originality/value: Drawing on the knowledge management literature, the paper suggests mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies. A knowledge protection model is presented as a result of this research. This model outlines ways in which organisations can effectively identify and treat risks around process knowledge critical to the business. |
Database: | OpenAIRE |
External link: |