Using Business Process Model Awareness to improve Stakeholder Participation in Information Systems Security Risk Management Processes

The present paper examines stakeholders' business process model awareness to measure and improve stakeholder participation in information systems security risk management (ISRM) via a multi-method research study at the organizational level. Organizational stakeholders were interviewed to gain an understanding of their awareness of business processes and related security requirements in the context of an ongoing ISRM process. The research model was evaluated in four case studies. The findings indicate that stakeholders' awareness of business process models contributed to an improved ISRM process, better alignment to the business environment and improved elicitation of security requirements. Following current research that considers users as the most important resource in ISRM, this study highlights the importance of involving appropriate stakeholders at the right time during the ISRM process and provides risk managers with decision support for the prioritization of stakeholder participation during ISRM processes to improve results and reduce overhead.
