Information Security Risk Management Practices: Community-Based Knowledge Sharing

Abstract

Information security risk management (ISRM) is an integral part of the management practice and is an essential element of good corporate governance. ISRM helps to identify and manage potential problems that could undermine key business initiatives or projects. There are several challenges associated with conducting ISRM tasks successfully in an organization. Knowledge sharing is an essential part of an organization in exploiting benefits concerning performance, decision making, and transparency. Thus, it is also important to share knowledge related to ISRM practices. Sharing and reuse of knowledge can improve both quality and the process cost-effectiveness of ISRM. A decision-maker can make a valid decision and reduce risks in an organization by receiving the right information at the right time from different sources. Organizations can be in a better position to counter attacks or risk by sharing knowledge related to attackers and methods of attacks. The thesis aims to enhance knowledge sharing practice to solve the challenges faced by the Information Security Practitioners (ISPs) through the establishment of a working electronic community of practice (eCoP), UnRizkNow. Online questionnaires were designed to understand the factors that affect their participation and willingness to share knowledge on eCoP. ISPs affiliated with Information Security Forum (ISF) and ISACA - Norway chapter were involved in the process of data collection. The responses collected from the ISPs give an insight into their present level of participation in eCoP and the details of various factors that influence them to share or hoard their knowledge on eCoP. The study shows that the members of eCoP are reluctant to participate actively and share knowledge with other community members. Members often fear that they possess valuable and sensitive knowledge in the community and it may ruin their reputation or normal functioning if the other members misuse the knowledge. Several theories were studied to understand the knowledge sharing behavior of an individual and in a community-based knowledge sharing settings. The research revealed that the findings of the initial research comply with the well-known theories such as the social exchange theory, the theory of planned behavior, the social presence theory, and the perceived trust theory. This thesis also explores the theoretical and practical issues in establishing UnRizkNow community for the ISPs. The thesis employs the Design Science Research Method (DSRM) in applying the existing theories and models from the domain of information sharing, information security, behavioral science, and risk management to understand the significant factors that are necessary to establish a working eCoP and encourage the sharing of the knowledge among ISPs. A novel approach of assessing the risk in establishing and maintaining UnRizkNow community was evaluated based on the idea of human factors. Hence, the CIRA method was employed to assess the human-related risks the community may face because of the conflicts in the interests of the involved stakeholders. This study showed how the various incentives of the members and the organizer of UnRizkNow community might conflict with each other and create potential risk in the community. Furthermore, a treatment plan was developed based on the guideline of the CIRA method to mitigate the identified risk. Moreover, the study aims to understand the ISPs perspective concerning the preferred knowledge sharing features on an eCoP. A quantitative approach was employed to carry out the research, and an online questionnaire is created to communicate with the ISPs in Norway. A knowledge sharing model based on the purpose, motivation, preference, and the facilitating condition was developed for UnRizkNow community. Furthermore, an online questionnaire was designed to cover the questions related to the elements and sub-elements of the knowledge sharing model. The participants of the online questionnaire were the ISPs working as a full-time in Norway. The data collection activity revealed various factors that are imperative in establishing UnRizkNow community platform. The features of the UnRizkNow were designed such that the information accessible in the platform will help the members to search the information easily and quickly, get up-to-date information quickly, get more relevant content, establish reputation in the community, identify the members/ post that is trustworthy, and get information in a more collected way. The survey shows that the ISPs were willing to share their knowledge with the members of the electronic community. However, ISPs fear that the community members may misuse the sensitive information shared on the community. The communities that fail to provide a secure way of sharing the knowledge of the member also fail to improve knowledge sharing practices. The study identifies that the present benchmarking system in the information security domain faces several security-related challenges. The benchmarking system does not ensure the confidentiality of the shared information and security during the calculation of benchmarking results. Therefore, a novel approach of encouraging participation on benchmarking task and sharing of knowledge on UnRizkNow platform is proposed in this thesis. A secure benchmarking system was proposed using the electronic voting approach. The concepts of the benchmarking system is mapped to the concepts of the electronic voting system. The secure benchmark system inherits the security properties from the electronic voting system and ensures the confidentiality of the shared information, and the identity of the members. The proposed solution will be helpful to engage UnRizkNow members in sharing sensitive knowledge through the secure benchmarking system.