信息安全风险管理过程中的动态相互作用

Q3 Decision Sciences

International Journal of Risk Assessment and Management Pub Date : 2019-07-15 DOI:10.1504/IJRAM.2019.101287

Martin Lundgren, Erik Bergström

{"title":"信息安全风险管理过程中的动态相互作用","authors":"Martin Lundgren, Erik Bergström","doi":"10.1504/IJRAM.2019.101287","DOIUrl":null,"url":null,"abstract":"In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges.","PeriodicalId":35420,"journal":{"name":"International Journal of Risk Assessment and Management","volume":" ","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2019-07-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1504/IJRAM.2019.101287","citationCount":"7","resultStr":"{\"title\":\"Dynamic interplay in the information security risk management process\",\"authors\":\"Martin Lundgren, Erik Bergström\",\"doi\":\"10.1504/IJRAM.2019.101287\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges.\",\"PeriodicalId\":35420,\"journal\":{\"name\":\"International Journal of Risk Assessment and Management\",\"volume\":\" \",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-07-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://sci-hub-pdf.com/10.1504/IJRAM.2019.101287\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Risk Assessment and Management\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1504/IJRAM.2019.101287\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"Decision Sciences\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Risk Assessment and Management","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1504/IJRAM.2019.101287","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"Decision Sciences","Score":null,"Total":0}

引用次数: 7

摘要

本文研究了信息安全风险管理中经常假设的正式过程及其活动。例如，信息分类、风险分析和安全控制通常以主要工具化的方式呈现。然而，这种方法受到了学术界的批评，因为它忽略了社会和组织方面，在正式过程和实际过程之间造成了差距。这项研究认为，对这些过程中的活动在实践中如何相互作用的理解并不完整。在这项研究中，瑞典四大政府机构的高级信息安全管理人员接受了采访。因此，提出了12个特征，这些特征反映了活动之间的相互作用，对研究以及标准和指南的制定者都有影响。该研究的结论表明，信息安全风险管理过程应更多地被视为一个新兴过程，在这个过程中，每项活动都会动态互动，以应对新的需求以及组织和社会挑战。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Dynamic interplay in the information security risk management process

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

International Journal of Risk Assessment and Management Decision Sciences-Statistics, Probability and Uncertainty

CiteScore

0.70

自引率

0.00%

发文量

期刊介绍： The IJRAM is an interdisciplinary and refereed journal that provides cross learning between: - Different business and economics, as well as scientific and technological, disciplines - Energy industries, environmental and ecological systems - Safety, public health and medical services - Software services, reliability and safety