Incorporating a knowledge perspective into security risk assessments

Shedden, Piya, Scheepers, Rens, Smith, Wally and Ahmad, Atif 2011, Incorporating a knowledge perspective into security risk assessments, Vine : the journal of information and knowledge management systems, vol. 41, no. 2, pp. 152-166, doi: 10.1108/03055721111134790.


Title Incorporating a knowledge perspective into security risk assessments
Author(s) Shedden, Piya
Scheepers, Rens
Smith, Wally
Ahmad, Atif
Journal name Vine : the journal of information and knowledge management systems
Volume number 41
Issue number 2
Start page 152
End page 166
Total pages 15
Publisher Emerald Group Publishing
Place of publication Bingley, England
Publication date 2011
ISSN 0305-5728
Keyword(s) data security
risk management
information systems
risk assessment
Summary Purpose – Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.

Design/methodology/approach – The argument was developed through an illustrative case study in which a well-documented traditional methodology is applied to a complex data backup process. Follow-up interviews were conducted with the organisation’s security managers to explore the results of the assessment and the nature of knowledge “assets” within a business process.

Findings – It was discovered that the backup process depended, in subtle and often informal ways, on tacit knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, this study suggests a new approach might draw on more detailed accounts of individual knowledge, collective knowledge and their relationship to organisational processes.

Originality/value – Drawing on the knowledge management literature, the paper suggests mechanisms to incorporate these knowledge-based considerations into the scope of information security risk methodologies. A knowledge protection model is presented as a result of this research. This model outlines ways in which organisations can effectively identify and treat risks around process knowledge critical to the business.
Language eng
DOI 10.1108/03055721111134790
Field of Research 080699 Information Systems not elsewhere classified
Socio Economic Objective 970108 Expanding Knowledge in the Information and Computing Sciences
HERDC Research category C1.1 Refereed article in a scholarly journal
Copyright notice ©2011, Emerald Group Publishing Limited

Document type: Journal Article
Collection: School of Information and Business Analytics
Unless expressly stated otherwise, the copyright for items in DRO is owned by the author, with all rights reserved.

Citation counts: TR Web of Science Citation Count  Cited 0 times in TR Web of Science
Scopus Citation Count Cited 32 times in Scopus
Access Statistics: 361 Abstract Views, 3 File Downloads
Created: Thu, 11 Aug 2011, 10:27:51 EST
