Title: Dynamic interplay in the information security risk management process

Authors: Martin Lundgren; Erik Bergström

Addresses: Department of Computer Science, Luleå University of Technology, Sweden ' School of Informatics, University of Skövde, Sweden

Abstract: In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges.

Keywords: information classification; risk analysis; security controls; interplay; formal processes.

DOI: 10.1504/IJRAM.2019.101287

International Journal of Risk Assessment and Management, 2019 Vol.22 No.2, pp.212 - 230

Received: 23 Mar 2018
Accepted: 11 Dec 2018
Published online: 30 Jul 2019 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article