Towards an intelligence-driven information security risk management process for organisations

Prevailing information security practice shows three deficiencies: organisations tend to focus on compliance over protection; to estimate risk without investigating it; and to assess risk occasionally rather than continuously. These tendencies indicate that important data is being missed and that the situation awareness of decision-makers in many organisations is currently inadequate. This research-in-progress paper applies Endsley's situation awareness theory and examines how the structure and functions of the US national security intelligence enterprise (a revelatory case of enterprise situation awareness development in security and risk management) correspond with Endsley's theoretical model, and how facets of the US enterprise might be adapted to improve situation awareness in the information security risk management process of organisations.

[1] Mica R. Endsley et al. Toward a Theory of Situation Awareness in Dynamic Systems. Human Factors, 1995.

[2] Daniil M. Utin et al. General Misconceptions about Information Security Lead to an Insecure World. Information Security Journal: A Global Perspective, 2008.

[3] Sylwia Męcfal. Book review: Robert K. Yin, Case Study Research: Design and Methods (fourth edition), Thousand Oaks, CA: Sage Publications, 2009. 2012.

[4] Jackie Rees Ulmer et al. The State of Risk Assessment Practices in Information Security: An Exploratory Investigation. Journal of Organizational Computing and Electronic Commerce, 2008.

[5] Paul M. Salmon. Distributed situation awareness: Advances in theory, measurement and application to team work. 2008.

[6] M. Whitman et al. Management of Information Security. 2004.

[7] Mikko T. Siponen et al. Information security management standards: Problems and solutions. Information & Management, 2009.

[8] Rolf Moulton et al. Operationalizing IT Risk Management. Computers & Security, 2003.

[9] Richard Baskerville et al. Risk analysis: an interpretive feasibility tool in justifying information systems security. 1991.

[10] Atif Ahmad et al. Incorporating a knowledge perspective into security risk assessments. 2011.

[11] Edward Humphreys et al. Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 2008.

[12] Peter Kugel. Toward a theory of intelligence. Theoretical Computer Science, 2004.

[13] Loch K. Johnson. National Security Intelligence: Secret Operations in Defense of the Democracies. 2011.

[14] J. O. Miller et al. Modeling the U.S. Military Intelligence Process. 2004.

[15] Mica R. Endsley et al. Design and Evaluation for Situation Awareness Enhancement. 1988.

[16] J. Stuart Broderick. ISMS, security standards and security regulations. Information Security Technical Report, 2006.

[17] Alice M. Johnson. Business and Security Executives' Views of Information Security Investment Drivers: Results from a Delphi Study. 2009.

[18] A. B. Ruighaver et al. Incident response teams: Challenges in supporting the organisational security function. Computers & Security, 2012.

[19] Mikko T. Siponen et al. Information security standards focus on the existence of process, not its content. Communications of the ACM, 2006.

[20] Sarah Elrod et al. Director of National Intelligence. 2011.

[21] A. Matwyshyn. CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices. 2009.

[22] Atif Ahmad et al. Risk Management Standards: The Perception of Ease of Use. 2006.

[23] Mica R. Endsley et al. Designing for Situation Awareness: An Approach to User-Centered Design. 2003.

[24] John C. Windsor et al. Empirical Evaluation of Information Security Planning and Integration. Communications of the Association for Information Systems, 2010.

[25] Kathleen M. Carley. Coding Choices for Textual Analysis: A Comparison of Content Analysis and Map Analysis. 1993.

[26] Mark M. Lowenthal et al. Intelligence: From Secrets to Policy. 2005.

[27] Donn B. Parker et al. Risks of risk-based security. Communications of the ACM, 2007.

[28] H. Russell Bernard et al. Social Research Methods: Qualitative and Quantitative Approaches. 2000.