Information Management & Computer Security

Formulating information systems risk management strategies through cultural theory

Purpose – The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders' perception of risk and its effect on information system (IS) risk management.

Design/methodology/approach – Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders' perceptions.

Findings – A basic theoretical element of cultural theory is the grid/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management acc...
