Perceptual and Cultural Aspects of Risk Management Alignment: a case study
Source | Journal of Information Systems Security, Volume 4, Number 1 (2008), pages 3–20. ISSN 1551-0123 (Print), ISSN 1551-0808 (Online)
Authors | Corey Hirsch (Henley Management College, UK); Jean-Noël Ezingeard (Kingston University, UK)
Publisher | Information Institute Publishing, Washington DC, USA
Abstract
Understanding how management and functional teams perceive risk, and how they will decide and act when managing it, is one cornerstone of an effective enterprise Information Security management strategy. There is evidence in the literature that if managers do not understand the reasons behind an Information Security policy, or do not fully support the rationale behind the strategy, they are unlikely to engage in its development or to adhere to it later. Further, if individuals and management teams in an organisation approach risk management in a non-aligned fashion, their divergent decisions and actions can cancel each other out and render the enterprise risk management strategy less effective. Research indicates that a sociological understanding of risk perception, used as an input to Information Security development, is becoming a necessity. We argue this from two strands of literature: the first is the risk assessment literature in fields other than Information Security; the second is the Information Security literature itself.
How do managers perceive risk in practice? And how might an enterprise foster an aligned approach to risk management? This paper presents the case of LeCroy Corp., a medium-sized manufacturer of high-value electronic test equipment. We show that whilst there are areas where perceptions of, and tolerance for, risk are shared across the organization, there are substantial variations between different groups of managers at LeCroy. Groups that routinely work together on information security and risk management tasks show lower standard deviations in their risk judgments than teams that do not share this working experience, an indication that risk perception alignment is in part a social process. Yet the less-aligned teams may also hold responsibilities that are critical to enterprise risk management. We also find that top executives are "mathematical" (expected-value driven) in their risk appetite at low and medium stakes, yet highly risk averse when the stakes are higher, such as complete business success or failure, another indication of a social aspect to risk perception and management. The ideal degree and type of alignment will vary with the type of working team. This case study illustrates one approach to defining, and migrating toward, a robust enterprise risk culture.
Keywords
Social Aspects of Information Security, Alignment, Case Study, Risk Management
References
Adams, J. (1999), Risk-Benefit Analysis: Who Wants It? Who Needs It? Cost-Benefit Analysis Conference. Yale University.
Adams, J. (2005), "Risk management, it's not rocket science: it's more complicated" (draft paper available from http://www.geog.ucl.ac.uk/~jadams/publish.htm, accessed on 20 January 2005).
Adams, J. and Thompson, M. (2002), Taking account of societal concerns about risk. Framing the problem. London, Health and Safety Executive, Research Report 035.
Ashenden, D. and Ezingeard, J.-N. (2005), The Need for a Sociological Approach to Information Security Risk Management. 4th Annual Security Conference. Las Vegas, Nevada, USA.
Backhouse, J. and Dhillon, G. (1996), "Structures of responsibility and security of information systems." European Journal of Information Systems, 5(1): 2-9.
Baskerville, R. (1991), "Risk analysis: An interpretive feasibility tool in justifying information systems security." European Journal of Information Systems, 1(2): 121-130.
Beck, U. (1992), Risk Society, Sage Publishers, London.
Birchall, D., Ezingeard, J.-N., McFadzean, E., Howlin, N. and Yoxall, D. (2004), Information Assurance: Strategic alignment and competitive advantage, GRIST, London.
CCEVS (2005), Common Criteria - Part 1: Introduction and general model (Draft v3.0, Rev 2), Common Criteria Evaluation and Validation Scheme.
Ciborra, C. (2004), "Digital Technologies and the Duality of Risk." Discussion Paper - Centre for Analysis of Risk and Regulation, London School of Economics, (27).
Dhillon, G. and Backhouse, J. (2001), "Current directions in IS security research: toward socio-organizational perspectives." Information Systems Journal, 11(2): 127-153.
Dhillon, G. and Torkzadeh, G. (2006), "Value-focused assessment of information system security in organizations." Information Systems Journal, 16: 293-314.
Ezingeard, J.-N., McFadzean, E. and Birchall, D. W. (2003), Board of Directors and Information Security: A perception grid. In Parkinson, S. and Stutt, J. (Eds.) British Academy of Management Conference. Harrogate, Paper 222.
Ezingeard, J.-N., McFadzean, E., Howlin, N., Ashenden, D. and Birchall, D. (2004), Mastering alignment: bringing information assurance and corporate strategy together. European and Mediterranean Conference on Information Systems. Carthage.
Gietzmann, M. B. and Selby, M. J. P. (1994), "Assessment of Innovative Software Technology: Developing an End-User-Initiated Interface Design Strategy." Technology Analysis & Strategic Management, 6(4): 473-483.
Hirsch, C. (2005), Do not ship Trojan Horses. In Dowland, P., Furnell, S. and Thuraisingham, B. (Eds.) Security Management, Integrity, and Internal Control in Information Systems. Fairfax, VA, Springer.
Hussin, H., King, M. and Cragg, P. (2002), "IT alignment in small firms." European Journal of Information Systems, 11(2): 108-127.
ISO (2005), ISO/IEC 27001:2005(E) Information technology - Security techniques - Information security management systems - Requirements. BSI, London.
ITGI (2003), IT Control Objectives for Sarbanes-Oxley. Rolling Meadows - IL, Information Technology Governance Institute.
ITGI (2005), COBIT 4.0: Control Objectives and Management Guidelines, Information Technology Governance Institute, Rolling Meadows - IL.
Jahner, S. and Krcmar, H. (2005), Beyond Technical Aspects of Information Security: Risk Culture as a Success Factor for IT Risk Management. Americas Conference on Information Systems.
Loch, K. D., Carr, H. H. and Warkentin, M. E. (1992), "Threats to Information Systems: Today's Reality, Yesterday's Understanding." MIS Quarterly, 16(2): 173-186.
McFadzean, E., Ezingeard, J.-N. and Birchall, D. (2004), Anchoring Information Security Governance Research. In Dhillon, G. and Furnell, S. (Eds.) Third Security Conference. Las Vegas, Nevada, USA.
Oshri, I., Kotlarsky, J. and Hirsch, C. (2005), Security in Networkable Windows-based Operating System Devices. In Dhillon, G., de Sá-Soares, F. and Hu, Q. (Eds.) Softwars 2005 - Issues in protecting intangible organizational assets. The Information Institute, Washington DC, USA.
OST (2004), Cyber Trust and Crime Prevention. London, Office of Science & Technology - UK Department of Trade and Industry.
Peters, T. J. and Waterman, R. H. (1982), In Search Of Excellence: Lessons From America's Best Run Companies, Harper and Row, New York.
Reich, B. H. and Benbasat, I. (1996), "Measuring the Linkage Between Business and Information Technology Objectives." MIS Quarterly, 20(1): 55-81.
Reich, B. H. and Benbasat, I. (2000), "Factors that Influence the Social Dimension of Alignment Between Business and Information Technology Objectives." MIS Quarterly, 24(1): 81-113.
Turnbull, N. (1999), Internal Control: Guidance for Directors on the Combined Code: The Turnbull Report. London, The Institute of Chartered Accountants in England & Wales.
Venkatraman, N. and Camillus, J. C. (1984), "Exploring the Concept of 'Fit' in Strategic Management." Academy of Management Review, 9(3): 513-525.
Whitman, M. E. and Mattord, H. J. (2003), Principles of information security, Thomson Course Technology, Boston, Mass.; London.
Willcocks, L., and Margetts, H. (1994), "Risk assessment and information systems." European Journal of Information Systems, 3(2): 127-138.