Kang, MC 2008, 'An action research derived piezoelectric approach for information risk management', PhD thesis, Southern Cross University, Lismore, NSW.
Copyright MC Kang 2008
Managing information risk has been recognized as an important part of business enterprises and government organizations, used to address related threats and vulnerabilities, ensure compliance with regulations and best practices, demonstrate due diligence to shareholders and customers, and ensure maximum profit with minimum cost. As observed over the past 16 years of practice as an information risk practitioner, however, there has been a lack of strategic and systemic thinking, and limited literature providing a suitable methodology and approach for achieving the desired outcomes of managing information risk in a changing risk environment.
The purpose of this study was to identify or develop a suitable approach for managing information risk in the changing risk environment of enterprise organizations, taking into consideration the knowledge gaps in the existing literature, and issues and dilemmas observed in the practice.
The social-technical nature of the problem and the use of the workplace as a research context suggested the use of the action research methodology in the study.
Using action research, the study established that existing baseline practices have been mostly control-oriented, focusing on compliance and addressing only known and probable high-risk issues that were subjectively identified and assessed. Such approaches could not gain stakeholders' commitment to investing in and taking proactive action on risk issues unless those issues were identified as compliance related. Instead of being prepared and ready to respond, organizations were often surprised when new security events emerged, and then reacted to recover from the incidents.
Analyzing the risk management methods and practices adopted, and the changing nature of the risk environment, the study affirmed that information risk in organizations cannot be completely identified, accurately assessed, or fully managed with existing approaches.
The existing baseline and risk management approaches should be complemented with social-technical tools and processes to gain stakeholders' recognition of, and commitment to, actions for information risk management. A selection of action research and systemic thinking tools and techniques were tested in the study and found suitable for focusing on the social aspects of information risk management.
In addition to addressing known risks, organizations should be prepared and be responsive to emerging and new security issues and events. The study conceptualized and developed a substantive theory of information security risk management, known as the piezoelectric theory. The piezoelectric theory states that if the design of information security practices of organization systems enables a prompt re-alignment of the systems, satisfying the systemic requirements for the changing risk condition of the systems environment, the potential negative effects of the new risk condition of the systems environment will be balanced or counter-acted by the re-alignment activities. As a result of the piezoelectric behavior in organizational systems, as evidenced in this study, the consequences of the emerging or new risk condition of the environment will likely incur a reduced impact to the organization systems. Results of the study also showed that the significance of the consequences relates inversely to the security readiness, and thus the responsiveness, of the organization. Readiness relates to the organization's preparedness to re-align its activities and take the appropriate actions to balance against the negative effects of the changing risk environment in a timely and systemic manner.
The validity of the substantive piezoelectric theory was supported by case studies of actual practices in an organization, two significant security incidents, and a focusing event during the course of the study, and tested through the development and implementation of a responsive approach to information security risk management in a participating organization and two other projects.
The study resulted in five major contributions to the knowledge and practice of information risk management. They are: (1) the development of a substantive piezoelectric theory as a new approach, providing a new meaning – responsiveness – to the objectives of information risk management, which also resolves a circularity problem in existing security principles; (2) the elaboration of the responsive strategy, including the understanding of the responsive approach through the action research study, leading to the development of a systems model for establishing the desired piezoelectric behavior to achieve responsiveness in information risk management; (3) the successful adaptation and extension of existing methods and tools as tactical means for achieving a responsive strategy in organizations and validating the reliability of the piezoelectric theory; (4) an improved understanding of the issues and dilemmas in managing information risks in organizations; and (5) the application of action research as a meta-methodology and research methodology, resulting in the above contributions to the information risk management knowledge domain, demonstrating another contribution to the methodological literature.
The conclusions of the development and validation of the piezoelectric theory imply that changes are needed to the existing theory, policy, and practice of information risk management. From a theoretical perspective, (1) responsiveness should be one of the key objectives of information security; (2) discourse in information security should include the principle of responsiveness, as it provides a means to resolve the circularity problem encountered in existing principles; (3) a responsive strategy is a new addition to the traditional "Protect-Detect-React" and "Detect-React-Protect" strategies, addressing their weaknesses and answering the calls for more strategic thinking; (4) the notion of "Responsive Learning", a combination of both single- and double-loop learning in an organization's information risk management system, is important for responsiveness; and (5) the study adds to the understanding and knowledge of action research, implying its multi-disciplinary applicability and its flexibility as a meta-methodology for practicing methodological pluralism.
From the policy and practice perspectives, the outcomes imply (1) an opportunity for policy makers to use responsiveness as a new motivation and yardstick for improving information risk management in organizations; (2) a new approach for audit and security assurance professionals to include responsiveness in their assessments to determine an organization's or system's readiness; (3) an opportunity for technology innovation to align infrastructure systems with the technical needs of a responsive strategy; (4) a possible evolution of existing risk, continuity, and recovery management functions into a new "readiness" group focusing on responsiveness; and (5) a new approach for novice and experienced information risk managers to learn about, and also manage, information risk issues and dilemmas in a changing risk environment.