Identifying Blind Spots in IS Security Risk Management Processes Using Qualitative Model Analysis

The present paper examines quality aspects of models created by stakeholders to identify blind spots in information systems security risk management (ISSRM) processes via a multi-method research study at the organizational level. Stakeholders were interviewed to gain an understanding of their awareness of business processes, models of the information system (IS), and related security requirements in the context of an ongoing ISSRM process. During several modeling sessions, stakeholders were asked to model various aspects of the IS under investigation in the form of component, activity and business process diagrams. We then analyzed the created models qualitatively and linked identified inconsistencies to security issues omitted during the ISSRM process (blind spots). The findings indicate that various quality aspects of models created by stakeholders that describe either the IS or related business processes can contribute to an improved ISSRM process, better alignment to the business environment and improved elicitation of security requirements. Following current research that considers users as the most important resource in ISSRM, this study highlights the importance of using and analyzing model diagrams from appropriate stakeholders at the right time during the ISSRM process to identify potential blind spots and avoid the ambiguity that verbal communication might introduce. The research provides risk managers with a process for identifying blind spots to improve results and reduce overhead.
