Abstract
Information security risk management (ISRM) is a major concern of organizations worldwide. Although a great many ISRM methodologies already exist, in practice organizations invest substantial resources in creating new ones in order to capture more accurately the risks of their complex information systems. This is a crucial knowledge-intensive process for organizations, yet in most cases it is addressed in an ad hoc manner. A systematic approach to developing new or improved ISRM methodologies would make this process more effective. In this paper we propose a systematic meta-process for developing new or improved ISRM methods. We also present the specifications for a collaboration and knowledge-sharing platform that supports a virtual intra-organizational cross-disciplinary team aiming to improve its ISRM methodologies by adopting the proposed meta-process.
© 2008 Springer-Verlag Berlin Heidelberg
Papadaki, K., Polemi, N., Damilos, D.K. (2008). A Meta-process for Information Security Risk Management. In: Jahankhani, H., Revett, K., Palmer-Brown, D. (eds) Global E-Security. ICGeS 2008. Communications in Computer and Information Science, vol 12. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69403-8_30
DOI: https://doi.org/10.1007/978-3-540-69403-8_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69402-1
Online ISBN: 978-3-540-69403-8