Revisiting information security risk management challenges : a practice perspective

• Purpose – The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices.Design/methodology/approach – The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel.Findings – Managerial and organisational concerns that go beyond a technical perspective have been . found, which affect the ongoing social build-up of knowledge in everyday information security work.Research limitations/implications – The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work.Practical implications – The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs.Originality/value – Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches.

Ämnesord

SAMHÄLLSVETENSKAP  -- Medie- och kommunikationsvetenskap -- Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning (hsv//swe)

SOCIAL SCIENCES  -- Media and Communications -- Information Systems, Social aspects (hsv//eng)

Nyckelord

Asset valuation

Information security

Practice theory

Risk management

Information systems

Informationssystem

Centrumbildning - Centrum för säkerhet i samhälle och kritiska infrastrukturer (CISS)

Centre - Centre for Critical Infrastructure and Societal Security (CISS)

Information Systems

Publikations- och innehållstyp

ref (ämneskategori)

art (ämneskategori)