A Systems Perspective on Security Risk Identification: Methodology and Illustrations from City Councils

In this paper we take a system-theoretic perspective on the process of security risk identification in the context of city councils. Based on this approach, we construct a framework that helps to identify risks. We analyze why this methodological framework is suitable for the risk identification process. Research in fifty Flemish city councils reveals the usefulness of our approach of combining a perceived vs. objective perspective with a technical vs. organizational one. We believe such a framework offers a workable tool for dealing with IS security risks in a systems-thinking way.
