Title: Rethinking capabilities in information security risk management: a systematic literature review

Authors: Martin Lundgren

Addresses: Department of Computer Science, Luleå University of Technology, 971 87 Luleå, Sweden

Abstract: Information security risk management capabilities have predominantly focused on instrumental onsets, while largely ignoring the underlying intentions and knowledge these management practices entail. This article aims to study what capabilities are embedded in information security risk management. A theoretical framework is proposed, namely rethinking capability as the alignment between intent and knowing. The framework is situated around four general risk management practices. A systematic literature review utilising the framework was conducted, resulting in the identification of eight identified capabilities. These capabilities were grouped into respective practices: integrating various perspectives and values to reach a risk perception aligned with the intended outcome (identify); adapting to varying perspectives of risks and prioritising them in accordance with the intended outcome (prioritise); security controls to enable resources, and integrate/reconfigure beliefs held by various stakeholders (implement); and sustaining the integrated resources and competences held by stakeholders to continue the alignment with the intended outcome (monitor).

Keywords: information security; risk management; capability; intent; knowing.

DOI: 10.1504/IJRAM.2020.106978

International Journal of Risk Assessment and Management, 2020 Vol.23 No.2, pp.169 - 190

Accepted: 03 Jun 2019
Published online: 29 Apr 2020 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article