Title: An action research derived piezoelectric approach for information risk management
Abstract: Managing information risk has been recognized as an important part of how business enterprises and government organizations address related threats and vulnerabilities, ensure compliance with regulations and best practices, demonstrate due diligence to shareholders and customers, and ensure maximum profit at minimum cost. As observed over the past 16 years of practice as an information risk practitioner, however, there has been a lack of strategic and systemic thinking, and limited literature providing a suitable methodology and approach for achieving the desired outcomes of managing information risk in a changing risk environment.
The purpose of this study was to identify or develop a suitable approach for managing information risk in the changing risk environment of enterprise organizations, taking into consideration the knowledge gaps in the existing literature, and issues and dilemmas observed in the practice.
The social-technical nature of the problem and the use of the workplace as a research context suggested the use of the action research methodology in the study.
Using action research, the study established that existing baseline practices have been mostly control-oriented, focusing on compliance and addressing only known and probably high-risk issues that were subjectively identified and assessed. Such approaches could not gain stakeholders' commitment to investing in and taking proactive action on risk issues unless those issues were identified as compliance related. Instead of being prepared and ready to respond, organizations were often surprised when new security events emerged, and then reacted to recover from the incidents.
Analyzing the risk management methods and practices adopted, and the changing nature of the risk environment, the study affirmed that information risk in organizations is such that it cannot be completely identified, accurately assessed, or managed with existing approaches.
The existing baseline and risk management approaches should be complemented with social-technical tools and processes to gain stakeholders' recognition of, and commitment to, actions for information risk management. A selection of action research and systemic thinking tools and techniques was tested in the study and found suitable for focusing on the social aspects of information risk management.
In addition to addressing known risks, organizations should be prepared for, and responsive to, emerging and new security issues and events. The study conceptualized and developed a substantive theory of information security risk management, known as the piezoelectric theory. The piezoelectric theory states that if the design of an organization's information security practices enables a prompt re-alignment of its systems, satisfying the systemic requirements of the changing risk condition of the systems environment, then the potential negative effects of the new risk condition will be balanced or counteracted by the re-alignment activities. As a result of the piezoelectric behavior in organizational systems, as…
Publication Year: 2008
Publication Date: 2008-01-01
Language: en
Type: article