Enhancing Strategic Information Security Management in Organizations through Information Warfare Practices

Today’s organizations use control-centred security management systems as a preventative shield against a broad spectrum of attacks. However, these have proven to be less effective against the customized and innovative strategies and operational techniques used by Advanced Persistent Threats (APTs). In this short paper, we argue that to combat APTs, organizations need a strategic-level shift away from a traditional prevention-centred approach to a response-centred one. Drawing on the information warfare (IW) paradigm in military studies, and using Dynamic Capability Theory (DCT), this research examines the applicability of IW capabilities in the corporate domain. We propose a research framework to argue that conventional prevention-centred response capabilities, such as incident response capabilities, and IW-centred security capabilities can be integrated into IW-enabled dynamic response capabilities that improve enterprise security performance.
