Abstract
Knowledge Management (KM), Quality Management (QM) and Safety Management (SM) are mature fields that have evolved and improved over time. Information security management (ISM) shares aspects of all three. For example, tougher customer demands require continuous quality improvement, while new threats create a need for constantly improved security. Information technology brings new opportunities, but also challenges, for KM, as it does for security. Organizations must comply with increasingly strict safety laws, analogous to the ISM requirements imposed by, for example, the Sarbanes-Oxley Act. Research and practical experience in KM, QM and SM have generated valuable insights that the younger, immature field of ISM can learn from. We present ten lessons and apply them to ISM. Key insights include emphasizing good implementation over the choice of model, the necessity of multidisciplinary teams, long-term thinking, measurement, visualizing security costs, benchmarking, continuous improvement, collaboration, going beyond compliance, and security as a competitive advantage.
© 2007 Springer-Verlag Berlin Heidelberg
Sveen, F.O., Torres, J.M., Sarriegi, J.M. (2007). Learning from Your Elders: A Shortcut to Information Security Management Success. In: Saglietti, F., Oster, N. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2007. Lecture Notes in Computer Science, vol 4680. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75101-4_21
DOI: https://doi.org/10.1007/978-3-540-75101-4_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75100-7
Online ISBN: 978-3-540-75101-4
eBook Packages: Computer Science, Computer Science (R0)