
Genre-Based Approach to Assessing Information and Knowledge Security Risks

Published: 01 April 2014

Abstract

Contemporary methods for assessing information security risks have adopted mainly technical views of information and technology assets. The organizational dynamics of information management and knowledge sharing have received less attention. This article outlines a new, genre-based approach to information security risk assessment that orients the analysis toward organization- and knowledge-centric identification and analysis of security risks. To operationalize the genre-based approach, we suggest using a genre-based analytical method for identifying the organizational communication patterns through which organizational knowledge is shared. The genre-based method is then complemented with tasks and techniques from a textbook risk assessment method (OCTAVE Allegro). We discuss the initial experiences of three experienced information security professionals who tested the method. The article concludes with the implications of the genre-based approach to analyzing information and knowledge security risks for future research and practice.


Cited By

  • (2021) The Importance of Knowledge-Based Risk Processes to Risk Analysis. International Journal of Knowledge Management, 17(1), 1-19. doi:10.4018/IJKM.2021010103. Online publication date: 1 Jan 2021.
  • (2015) Towards a Business-Driven Process Model for Knowledge Security Risk Management. International Journal of Knowledge Management, 11(4), 1-18. doi:10.4018/IJKM.2015100101. Online publication date: 1 Oct 2015.


Published In

International Journal of Knowledge Management, Volume 10, Issue 2
April 2014
78 pages
ISSN: 1548-0666
EISSN: 1548-0658

Publisher

IGI Global

United States


Author Tags

  1. Genre of Organizational Communication
  2. Genre-Based Method
  3. Information Asset
  4. Information Security
  5. Knowledge Security
  6. OCTAVE Allegro
  7. Risk Assessment

Qualifiers

  • Article
