Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Rethinking capabilities in information security risk management: a systematic literature review
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Digital Services and Systems.ORCID iD: 0000-0003-1692-5721
2020 (English)In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 23, no 2, p. 169-190Article, review/survey (Refereed) Published
Abstract [en]

Information security risk management capabilities have predominantly focused on instrumental onsets, while largely ignoring the underlying intentions and knowledge these management practices entail. This article aims to study what capabilities are embedded in information security risk management. A theoretical framework is proposed, namely rethinking capability as the alignment between intent and knowing. The framework is situated around four general risk management practices. A systematic literature review using the framework was conducted, resulting in the identification of eight identified capabilities. These capabilities were grouped into respective practices: integrating various perspectives and values to reach a risk perception aligned with the intended outcome (identify); adapting to varying perspectives of risks and prioritizing them in accordance with the intended outcome (prioritize); security controls to enable resources, and integrate/reconfigure beliefs held by various stakeholders (implement); and sustaining the integrated resources and competences held by stakeholders to continue the alignment with the intended outcome (monitor).

Place, publisher, year, edition, pages
InderScience Publishers, 2020. Vol. 23, no 2, p. 169-190
Keywords [en]
information security, risk management, capability, intent, knowing
National Category
Information Systems, Social aspects
Research subject
Information systems
Identifiers
URN: urn:nbn:se:ltu:diva-75680DOI: 10.1504/IJRAM.2020.106978Scopus ID: 2-s2.0-85084510557OAI: oai:DiVA.org:ltu-75680DiVA, id: diva2:1345392
Note

Validerad;2020;Nivå 1;2020-05-11 (alebob)

Available from: 2019-08-23 Created: 2019-08-23 Last updated: 2020-05-28Bibliographically approved
In thesis
1. Making the Dead Alive: Dynamic Routines in Risk Management
Open this publication in new window or tab >>Making the Dead Alive: Dynamic Routines in Risk Management
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Alternative title[sv]
Död eller Levande : Dynamiska Rutiner för Riskhantering
Abstract [en]

Risk management in information security is relevant to most, if not all, organizations. It is perhaps even more relevant considering the opportunities offered by the digitalization era, where reliably sharing, creating, and consuming information has become a competitive advantage, and information has become an asset of strategic concern. The adequate protection of information is therefore important to the whole organization. Determining what to protect, the required level of protection, and how to reach that level of protection is considered risk management, which can be described as the continuous process of identifying and countering information security risks that threaten information availability, confidentiality, and integrity. The processes for performing risk management are typically outlined in a sequence of activities, which describe what organizations should do to systematically manage their information security risks. However, risk management has previously been concluded to be challenging and complex and as something that must be kept alive. That is, routines for performing risk management activities need to be continuously adapted to remain applicable to organizational challenges in specific contexts. However, it remains unclear how such adaptations happen and why they are considered useful by practitioners, as there is a conspicuous absence of empirical studies that examine actual security practices. This issue is addressed in this thesis by conducting empirical studies of governmental agencies and organizations. This was done to contribute to an increased understanding of actual security practices. The analysis used for this study frames formal activities as ‘dead routines,’ since they are constructed as instructions that aid in controlling performance, such as risk management standards. Practitioners’ performance, experience, and understanding are denoted as ‘alive routines,’ as they are flexible and shaped over time. An explanation model was used to elaborate on the contrast between dead— controlling—and alive—shaping—routines of risk management. This thesis found that when dead and alive routines interact and influence each other, they give rise to flexible and emergent processes of adaptations, i.e., dynamic routines. Examples of dynamic routines occurred in response to activities that were originally perceived as too complex and were adapted to simplify or increase their efficiency, e.g., by having a direct relation between security controls and asset types. Dynamic routines also appeared as interactions between activities in response to conflicting expectations that were adjusted accordingly, e.g., the cost or level of complexity in security controls. In conclusion, dynamic routines occur to improve risk management activities to fit new circumstances.

Place, publisher, year, edition, pages
Luleå: Luleå University of Technology, 2020
Series
Doctoral thesis / Luleå University of Technology 1 jan 1997 → …, ISSN 1402-1544
Keywords
Risk management, information security, routine, practice, asset identification, risk analysis, risk treatment, organizational aspects.
National Category
Information Systems
Research subject
Information systems
Identifiers
urn:nbn:se:ltu:diva-78147 (URN)978-91-7790-563-9 (ISBN)978-91-7790-564-6 (ISBN)
Public defence
2020-05-28, A109, Luleå, 09:00 (English)
Opponent
Supervisors
Available from: 2020-03-24 Created: 2020-03-23 Last updated: 2020-05-12Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records BETA

Lundgren, Martin

Search in DiVA

By author/editor
Lundgren, Martin
By organisation
Digital Services and Systems
In the same journal
International Journal of Risk Assessment and Management
Information Systems, Social aspects

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 274 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf