Högskolan i Skövde

Making the Dead Alive: Dynamic Routines in Risk Management
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Division of Digital Services and Systems. ORCID iD: 0000-0003-1692-5721
2020 (English). Doctoral thesis, comprehensive summary (Other academic)
Alternative title: Död eller Levande : Dynamiska Rutiner för Riskhantering (Swedish)
Abstract [en]

Risk management in information security is relevant to most, if not all, organizations. It is perhaps even more relevant considering the opportunities offered by the digitalization era, where reliably sharing, creating, and consuming information has become a competitive advantage, and information has become an asset of strategic concern. The adequate protection of information is therefore important to the whole organization. Determining what to protect, the required level of protection, and how to reach that level of protection is considered risk management, which can be described as the continuous process of identifying and countering information security risks that threaten information availability, confidentiality, and integrity. The processes for performing risk management are typically outlined in a sequence of activities, which describe what organizations should do to systematically manage their information security risks. However, risk management has previously been concluded to be challenging and complex and as something that must be kept alive. That is, routines for performing risk management activities need to be continuously adapted to remain applicable to organizational challenges in specific contexts. However, it remains unclear how such adaptations happen and why they are considered useful by practitioners, as there is a conspicuous absence of empirical studies that examine actual security practices. This issue is addressed in this thesis by conducting empirical studies of governmental agencies and organizations. This was done to contribute to an increased understanding of actual security practices. The analysis used for this study frames formal activities as ‘dead routines,’ since they are constructed as instructions that aid in controlling performance, such as risk management standards. Practitioners’ performance, experience, and understanding are denoted as ‘alive routines,’ as they are flexible and shaped over time. 
An explanation model was used to elaborate on the contrast between dead—controlling—and alive—shaping—routines of risk management. This thesis found that when dead and alive routines interact and influence each other, they give rise to flexible and emergent processes of adaptations, i.e., dynamic routines. Examples of dynamic routines occurred in response to activities that were originally perceived as too complex and were adapted to simplify or increase their efficiency, e.g., by having a direct relation between security controls and asset types. Dynamic routines also appeared as interactions between activities in response to conflicting expectations that were adjusted accordingly, e.g., the cost or level of complexity in security controls. In conclusion, dynamic routines occur to improve risk management activities to fit new circumstances.

Place, publisher, year, edition, pages
Luleå: Luleå University of Technology, 2020.
Keywords [en]
Risk management, information security, routine, practice, asset identification, risk analysis, risk treatment, organizational aspects
National Category
Information Systems; Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:his:diva-22990
ISBN: 978-91-7790-563-9 (print)
ISBN: 978-91-7790-564-6 (electronic)
OAI: oai:DiVA.org:his-22990
DiVA id: diva2:1780646
Public defence
2020-05-28, A109, Luleå, 09:00
Available from: 2023-07-06. Created: 2023-07-06. Last updated: 2023-07-06. Bibliographically approved
List of papers
1. Rethinking capabilities in information security risk management: a systematic literature review
2020 (English). In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 23, no 2, p. 169-190. Article, review/survey (Refereed). Published
Abstract [en]

Information security risk management capabilities have predominantly focused on instrumental onsets, while largely ignoring the underlying intentions and knowledge these management practices entail. This article aims to study what capabilities are embedded in information security risk management. A theoretical framework is proposed, namely rethinking capability as the alignment between intent and knowing. The framework is situated around four general risk management practices. A systematic literature review utilising the framework was conducted, resulting in the identification of eight identified capabilities. These capabilities were grouped into respective practices: integrating various perspectives and values to reach a risk perception aligned with the intended outcome (identify); adapting to varying perspectives of risks and prioritising them in accordance with the intended outcome (prioritise); security controls to enable resources, and integrate/reconfigure beliefs held by various stakeholders (implement); and sustaining the integrated resources and competences held by stakeholders to continue the alignment with the intended outcome (monitor).

Place, publisher, year, edition, pages
InderScience Publishers, 2020
Keywords
information security, risk management, capability, intent, knowing
National Category
Information Systems; Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:his:diva-22989
DOI: 10.1504/ijram.2020.106978
Scopus ID: 2-s2.0-85084510557
Available from: 2023-07-06. Created: 2023-07-06. Last updated: 2023-07-06. Bibliographically approved
2. Dynamic interplay in the information security risk management process
2019 (English). In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 22, no 2, p. 212-230. Article in journal (Refereed). Published
Abstract [en]

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges. 

Place, publisher, year, edition, pages
InderScience Publishers, 2019
Keywords
Formal processes, Information classification, Interplay, Risk analysis, Security controls
National Category
Information Systems; Information Systems, Social aspects
Research subject
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-18624
DOI: 10.1504/IJRAM.2019.101287
Scopus ID: 2-s2.0-85086419939
Available from: 2020-06-29. Created: 2020-06-29. Last updated: 2023-07-06. Bibliographically approved
3. Revisiting information security risk management challenges: a practice perspective
2019 (English). In: Information and Computer Security, E-ISSN 2056-4961, Vol. 27, no 3, p. 358-372. Article in journal (Refereed). Published
Abstract [en]

Purpose: The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach: The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings: Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work. Research limitations/implications: The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications: The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value: Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches. 

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2019
Keywords
Asset valuation, Information security, Practice theory, Risk management
National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-17319
DOI: 10.1108/ICS-09-2018-0106
000479219900003 ()
Scopus ID: 2-s2.0-85067021789
Available from: 2019-06-27. Created: 2019-06-27. Last updated: 2023-07-06. Bibliographically approved
4. Stress Amongst Novice Information Security Risk Management Practitioners
2019 (English). In: International Journal on Cyber Situational Awareness, ISSN 2057-2182, Vol. 4, no 1, p. 128-154, article id 28. Article in journal (Refereed). Published
Abstract [en]

Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), and ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found with security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach, to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers’ decisions, and identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.

Place, publisher, year, edition, pages
Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC), 2019
Keywords
Security-novice, information security, information security risk management, stress, tools, compliance, management, Information Systems, Social aspects, Systems science, information systems and informatics with a social science orientation
National Category
Information Systems; Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:his:diva-18925
DOI: 10.22619/IJCSA
Note

CC BY 4.0

This paper is a revised and expanded version of Lundgren and Bergström (2019b) presented at the 2019 International Conference on Cyber Science, 3-4 June 2019 in Oxford, UK. We want to thank the anonymous reviewers for their excellent suggestions and valuable insights.

Lundgren, M., & Bergström, E. (2019b). Security-Related Stress: A Perspective on Information Security Risk Management. Paper presented at the 2019 International Conference On Cyber Security and Protection of Digital Services (Cyber Security), Oxford, UK

Available from: 2020-08-17. Created: 2020-08-17. Last updated: 2023-07-06. Bibliographically approved

Open Access in DiVA

fulltext (3549 kB), 77 downloads
File information
File name: FULLTEXT01.pdf
File size: 3549 kB
Checksum (SHA-512): 25a6aa0260736f9fb66f51d6eabcb3e82ce541b905ffeffd4724089facfd5a4c000af21a905290650f48af5675f959e5304c2b63dda81135cba1c3f14e77948c
Type: fulltext
Mimetype: application/pdf

Authority records

Lundgren, Martin
