IS Security (ISS) has become a key element of business risk management and can itself create competitive advantage. Organisations therefore seek practical approaches to protect the operation of the business. Protecting the functionality of an organisation is a difficult task, but it is the responsibility of both senior management and the ISS function to do so. An analysis of the ISS literature reveals a paucity of research on ISS management and a need for research that develops a holistic model for managing ISS knowledge, so as to overcome the ever-increasing number of negative security incidents. The ISS research community is constrained by small-scale technical questions, while the social aspects of ISS are ignored; the result is fragmented research across the IS field. Several possible methods are scattered throughout the literature, but they focus on the development of information systems rather than on their security. ISS professionals require a range of skills encompassing business knowledge, legal awareness and organisational processes as well as technical security knowledge. Research to date has failed to provide an integrated approach to managing ISS knowledge.
This study investigates how ISS could leverage the concept of knowledge management (KM). It proposes a theoretical model derived from the ISS and KM literatures. To address the gap identified above, the study adopts an exploratory, interpretive, holistic case study approach, using interviews and document analysis as data-gathering methods. It focuses on the relationship between ISS and KM and on the benefits that an ISS KM initiative is expected to produce. An analysis of the approaches used by the specialised ISS and KM structures in managing knowledge, within and across the two case studies, facilitated the development of an integrated model. The interplay between the functions provided a rich description of the approaches used to manage knowledge. This research builds on previous studies documented in the ISS literature by providing a much-needed model against which practitioners can diagnose problems, plan action and implement solutions. ISS models and standards today exhibit little flexibility, so managers make ISS decisions in a vacuum. ISS problems can be managed or reduced when the ISS function and management are aware of the full range of controls available and implement the most effective ones. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with threats are correspondingly less effective.
The focus of ISS research to date has been technical and grounded in positivism; few, if any, studies use a qualitative approach, so holistic, in-depth, rich descriptions of the core issues in the field are missing. Comparatively little work has taken a managerial point of view covering broad organisational and social issues. This study acknowledges these issues and provides a solid conceptual foundation for future studies on ISS by answering calls for a theoretical model to guide research in the area. The study also identifies the positive and negative impacts of compliance and describes how organisations can apply the model to overcome the negative effects.
Date of Award: 1 Feb 2010
Supervisor: Philip Powell (Supervisor)