Information Security Risk Management: An Intelligence-Driven Approach

Three deficiencies exist in the organisational practice of information security risk management: risk assessments are commonly perfunctory; security risks are estimated without investigation; and risk is assessed on an occasional (as opposed to continuous) basis. These tendencies indicate that important data is being missed and that the situation awareness of decision-makers in many organisations is currently inadequate. This research-in-progress paper uses Endsley's situation awareness theory and examines how the structure and functions of the US national security intelligence enterprise—a revelatory case of enterprise situation awareness development in security and risk management—correspond with Endsley's theoretical model, and how facets of the US enterprise might be adapted to improve situation awareness in the information security risk management process of organisations.
