Dynamic Interplay in the Information Security Risk Management Process
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Digital Services and Systems. ORCID iD: 0000-0003-1692-5721
University of Skövde. ORCID iD: 0000-0002-1436-2980
2019 (English) In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 22, no 2, p. 212-230. Article in journal (Refereed). Published
Abstract [en]

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organizational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, twelve characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study’s conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organizational and social challenges.

Place, publisher, year, edition, pages
InderScience Publishers, 2019. Vol. 22, no 2, p. 212-230
Keywords [en]
information classification, risk analysis, security controls, interplay, formal processes
National Category
Information Systems; Information Systems, Social aspects
Research subject
Information systems; Centre - Centre for Critical Infrastructure and Societal Security (CISS)
Identifiers
URN: urn:nbn:se:ltu:diva-73706
DOI: 10.1504/IJRAM.2019.101287
Scopus ID: 2-s2.0-85086419939
OAI: oai:DiVA.org:ltu-73706
DiVA, id: diva2:1305774
Note

Validated; 2019; Level 1; 2019-08-21 (johcin)

Available from: 2019-04-18. Created: 2019-04-18. Last updated: 2023-09-05. Bibliographically approved
In thesis
1. Making the Dead Alive: Dynamic Routines in Risk Management
2020 (English) Doctoral thesis, comprehensive summary (Other academic)
Alternative title[sv]
Död eller Levande : Dynamiska Rutiner för Riskhantering
Abstract [en]

Risk management in information security is relevant to most, if not all, organizations. It is perhaps even more relevant considering the opportunities offered by the digitalization era, where reliably sharing, creating, and consuming information has become a competitive advantage, and information has become an asset of strategic concern. The adequate protection of information is therefore important to the whole organization. Determining what to protect, the required level of protection, and how to reach that level of protection is considered risk management, which can be described as the continuous process of identifying and countering information security risks that threaten information availability, confidentiality, and integrity. The processes for performing risk management are typically outlined in a sequence of activities, which describe what organizations should do to systematically manage their information security risks. However, risk management has previously been concluded to be challenging and complex and as something that must be kept alive. That is, routines for performing risk management activities need to be continuously adapted to remain applicable to organizational challenges in specific contexts. However, it remains unclear how such adaptations happen and why they are considered useful by practitioners, as there is a conspicuous absence of empirical studies that examine actual security practices. This issue is addressed in this thesis by conducting empirical studies of governmental agencies and organizations. This was done to contribute to an increased understanding of actual security practices. The analysis used for this study frames formal activities as ‘dead routines,’ since they are constructed as instructions that aid in controlling performance, such as risk management standards. Practitioners’ performance, experience, and understanding are denoted as ‘alive routines,’ as they are flexible and shaped over time.

An explanation model was used to elaborate on the contrast between dead (controlling) and alive (shaping) routines of risk management. This thesis found that when dead and alive routines interact and influence each other, they give rise to flexible and emergent processes of adaptations, i.e., dynamic routines. Examples of dynamic routines occurred in response to activities that were originally perceived as too complex and were adapted to simplify or increase their efficiency, e.g., by having a direct relation between security controls and asset types. Dynamic routines also appeared as interactions between activities in response to conflicting expectations that were adjusted accordingly, e.g., the cost or level of complexity in security controls. In conclusion, dynamic routines occur to improve risk management activities to fit new circumstances.

Place, publisher, year, edition, pages
Luleå: Luleå University of Technology, 2020
Series
Doctoral thesis / Luleå University of Technology 1 jan 1997 → …, ISSN 1402-1544
Keywords
Risk management, information security, routine, practice, asset identification, risk analysis, risk treatment, organizational aspects
National Category
Information Systems
Research subject
Information systems; Centre - Centre for Critical Infrastructure and Societal Security (CISS)
Identifiers
URN: urn:nbn:se:ltu:diva-78147
ISBN: 978-91-7790-563-9
ISBN: 978-91-7790-564-6
Public defence
2020-05-28, A109, Luleå, 09:00 (English)
Available from: 2020-03-24. Created: 2020-03-23. Last updated: 2023-09-05. Bibliographically approved

Open Access in DiVA

No full text in DiVA

Authority records

Lundgren, Martin

Search in DiVA

By author/editor
Lundgren, Martin; Bergström, Erik
By organisation
Digital Services and Systems