Mapping the consensual knowledge of security risk management experts

Security risk management: A psychometric map of expert knowledge structure

The security industry operates within a diverse and multi-disciplined knowledge base, with risk management as a fundamental knowledge domain within security to mitigate its risks. Nevertheless, there has been limited research in understanding and mapping security expert knowledge structures within security risk management to consider whether parts of security risk management are unique from more general risk management. This interpretive study applied a technique of multidimensional scaling (MDS) to develop and present a psychometric map within the knowledge domain of security risk management, validated with expert interviews. The psychometric MDS security risk management concept map presented the expert knowledge structure of security risk management, demonstrating the inclusive and spatial locality of significant security risk concepts, conceptual complexity, uniqueness of the domain and the importance of the concept threat. Understanding security experts' consensual knowledge of security risk may allow improved understanding of threat-based risk, the issue with applying probabilistic risk analysis against antagonist events, and improved teaching and learning within this knowledge domain.

Key concepts in security risk management: A psychometric concept map approach to understanding

Risk management is becoming a well-established discipline, with its own body of knowledge and domain practitioners. States worldwide now have their own risk management standards and in many, it is the company director's responsibility to ensure risk management compliance. A subset of risk management is security risk management; however, security risk management is unique from other forms of risk management and many of the more generic risk models lack key concepts necessary for effective design, application and mitigation of security risks. This book defines the key concepts of security risk management and forms these into a conceptual map, based on an interpretative four-phase scientific study. The security risk management map demonstrates the inclusive and spatial locality of the more significant security risk concepts, domain complexity and the central aspect of such concepts as threat, criticality, etc. In addition, the book presents 14 core organisational security knowledge categories, arranged within a framework. Such an approach allows in-depth understanding, improved teaching and learning, system design and application of these areas of security and security risk management.

What is security: Definition through knowledge categorization

There have been a number of studies that have attempted to define the concept of security. However, as past authors have indicated, security is multidimensional in nature and diverse in practice. This diversity leads to difficulty in providing a single all-encompassing definition for the many applied domains of security. Security cannot be considered singular in concept definition, as definition is dependent on applied context. This study reverse engineered an applied security definition through the critique of 104 undergraduate security degrees, resulting in the presentation of 13 core security knowledge categories. These 13 knowledge categories were then integrated into an existing Australian security framework, resulting in the presentation of the science of security framework model. This framework allowed a greater understanding of security through knowledge structure and placed concept definition within the applied context domain of organizational security.

Developing contextual understanding of information security risks

Given the uncertainty and complexity of security risk analyses, there is a great need for tools for contextual inquiry that support the assessment of risk with multi-value scales according to different stakeholders' points of view. Such tools can be used at the individual level to help develop the understanding of a problem space. At the collective level, they can be used as a means of communication to support the discussion, comparison and exploration of different understandings. The exploration of multiple perspectives of contextual understanding avoids entrapment in various types of reductionism and eliminates tendencies towards deterministic reasoning and the pursuit of one optimum solution. A critical challenge is first developing a large spectrum of alternatives and then managing how the differences and similarities between alternatives will be handled to efficiently support decisions in information systems security (ISS). To address the aforementioned challenges, this paper seeks to explore the potential relevance of the use of cognitive maps in an ISS context to support the exploration of individual understanding, leading to richer elaboration of problem spaces.

Incorporating a knowledge perspective into security risk assessments

VINE, 2011

Purpose: Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.

Design/methodology/approach: The argument was developed through an illustrative case study in which a well-documented traditional methodology is applied to a complex data backup process. Follow-up interviews were conducted with the organisation's security managers to explore the results of the assessment and the nature of knowledge "assets" within a business process.

Findings: It was discovered that the backup pr...

On assessing risk assessments and situating security advice: the unsettling quest for 'security expertise'

Doing Fieldwork in Areas of International Intervention. A Guide to Research in Violent and Closed Contexts , 2020

Scholars conducting ethnographic research in zones with ongoing violent conflict are inevitably faced with the continuous challenge of finding, processing and assessing "security knowledge". They are confronted with questions such as: who do they consider to be "security experts"? How do these "experts" produce knowledge on "the security situation"? And how to cope with contradictory or incredible risk assessments? During the first stages of field research on the microdynamics of civilian-military interaction in eastern Democratic Republic of the Congo, I frequently consulted foreign security personnel, including UN peacekeepers and other military. This allowed me to discover that those we are socialized into seeing as "security experts" had superficial and at times erroneous readings of security dynamics. Consequently, my understanding of who was a "security expert" and what counts as "security expertise" started to shift. Although initially unsettling, these shifts ultimately enhanced my awareness of how one's positionality and related biases shape readings of "the security situation", and how these readings feed into the construction of "security knowledge".

Security risk management in the Asia Pacific region: what are security professionals using?

The Asia Pacific (APAC) region encompasses a heterogeneous group of nation-states. Like the APAC region, the security industry operates within a diverse and multi-disciplined knowledge base, with risk management being a fundamental knowledge domain within security. Nevertheless, there has been limited understanding of what security professionals use when applying security risk management. The study was designed to gain a better understanding of the risk management practice in place throughout APAC. Questions were generated to gauge current practice and the levels of implementation of standards and frameworks. Participants were drawn from many industries, using non-probabilistic sampling methods in a "snowball" response to an online survey. Results were collected and analysed to provide interpretations and findings, and where appropriate, weighted factor analyses were conducted. Findings indicated that the majority of APAC nation-states do not have a defined risk manageme...

Quantifying information security risks using expert judgment elicitation

Computers & Operations Research, 2012

In the information security business, 30 years of practical and theoretical research has resulted in a fairly sophisticated appreciation for how to judge the qualitative level of risk faced by an enterprise. Based upon that understanding, there is a practical level of protection that a competent security manager can architect for a given enterprise. It would, of course, be better to use a quantitative approach to risk management, but, unfortunately, sufficient quantitative data that has been scientifically collected and analyzed does not exist. There have been many attempts to develop quantitative data using traditional quantitative methods, such as experiments, surveys, and observations, but there are significant weaknesses apparent in each approach. The research described in this paper was constructed to explore the utility of applying the well-established method of expert judgment elicitation to the field of information security. The instrument for eliciting the expert judgments was developed by two information security specialists and two expert judgment analysis specialists. The resultant instrument was validated using a small set of information security experts. The final instrument was used to elicit answers to both the calibration and judgment questions through structured interviews. The data was compiled and analyzed by a specialist in expert judgment analysis. This research illustrates the development of prior distributions for the parameters of models for cyber attacks and uses expert judgment results to develop the distributions.

Experimental Evaluations of Expert and Non-expert Computer Users' Mental Models of Security Risks

2000

There is a critical need in computer security to communicate risks and thereby enable informed decisions by naive users. Yet computer security has not been engaged with the scholarship of risk communication. While the existence of malicious actors may appear at first to distinguish computer risk from environmental or medical risk, the impersonal un-targeted nature of the exploitation