Making the Dead Alive

Making the Dead Alive

DOCTORAL T H E SIS Department of Computer Science, Electrical and Space Engineering Division of Digital Services and Systems ISSN 1402-1544 ISBN 978-91-7790-563-9 (print) Making the Dead Alive ISBN 978-91-7790-564-6 (pdf) Dynamic Routines in Risk Management Luleå University of Technology 2020 Martin Lundgren Making the Dead Alive Martin Lundgren Making the Dead Martin Lundgren Information Systems Making the Dead Alive Dynamic Routines in Risk Management Martin Lundgren Luleå University of Technology Department of Computer Science, Electrical and Space Engineering Division of Digital Services and Systems Printed by Luleå University of Technology, Graphic Production 2020 ISSN 1402-1544 ISBN 978-91-7790-563-9 (print) ISBN 978-91-7790-564-6 (pdf) Luleå 2020 www.ltu.se Martin Lundgren, Making the Dead Alive Acknowledgments As I am sitting here, during a global pandemic, staring out over a rainy Gothenburg where I have been stranded for well over a month, what remains is the daunting task of formulating my acknowledgments. Daunting, mostly because it neatly boils down roughly a decade of work, colleagues, and friends to a few heartwarming, honest—albeit slightly cheesy—gratitudes. Now, who to blame? First and foremost, I would like to express my warmest gratitude to my supervisors, colleagues, and friends Prof. Åsa Ericson and Dr. Johan Lugnet, whose guidance, insights, and feedback have been invaluable in stitching this dissertation together. Thanks for putting up with me, your energy and patience has been nothing short of impressive. I count myself lucky to have had you there by my side, engaging (with) me in my area of research, making this journey possible, and securing relevant projects, such as the Interreg Nord project CYNIC which has provided a good platform to interact with companies, and to disseminate the results to a wider audience. Somehow, along the way, I am pretty sure I have managed to peek your interests in information security… erm, sorry about that. While on the topic on making things possible, I must thank all of my friends and colleagues—both old and new—for making this journey so much more enjoyable. I look forward to continue spending time—hopefully more so hereafter—and working with you all. But this journey also started long before I enrolled in the doctoral program at Luleå University of Technology, and before I took my Master’s or even Bachelor’s degree. Indeed, it has—especially at times—been quite a long adventure, complete with people seemingly set on making it clear that school perhaps is not something for me. Luckily, I have had family and loved ones in my life to support me all the way. Therefore, finally, I would like to dedicate this work to those closest to me in life— and should you be reading this and wonder if you are one of them, you probably are. Thank you …………………. (insert name here) 28 April 2020, Martin Lundgren i Martin Lundgren, Making the Dead Alive ii Martin Lundgren, Making the Dead Alive Abstract Risk management in information security is relevant to most, if not all, organizations. It is perhaps even more relevant considering the opportunities offered by the digitalization era, where reliably sharing, creating, and consuming information has become a competitive advantage, and information has become an asset of strategic concern. The adequate protection of information is therefore important to the whole organization. Determining what to protect, the required level of protection, and how to reach that level of protection is considered risk management, which can be described as the continuous process of identifying and countering information security risks that threaten information availability, confidentiality, and integrity. The processes for performing risk management are typically outlined in a sequence of activities, which describe what organizations should do to systematically manage their information security risks. However, risk management has previously been concluded to be challenging and complex and as something that must be kept alive. That is, routines for performing risk management activities need to be continuously adapted to remain applicable to organizational challenges in specific contexts. However, it remains unclear how such adaptations happen and why they are considered useful by practitioners, as there is a conspicuous absence of empirical studies that examine actual security practices. This issue is addressed in this thesis by conducting empirical studies of governmental agencies and organizations. This was done to contribute to an increased understanding of actual security practices. The analysis used for this study frames formal activities as ‘dead routines,’ since they are constructed as instructions that aid in controlling performance, such as risk management standards. Practitioners’ performance, experience, and understanding are denoted as ‘alive routines,’ as they are flexible and shaped over time. An explanation model was used to elaborate on the contrast between dead— controlling—and alive—shaping—routines of risk management. This thesis found that when dead and alive routines interact and influence each other, they give rise to flexible and emergent processes of adaptations, i.e., dynamic routines. Examples of dynamic routines occurred in response to activities that were originally perceived as too complex and were adapted to simplify or increase their efficiency, e.g., by having a direct relation between security controls and asset types. Dynamic routines also appeared as interactions between activities in response to conflicting expectations that were adjusted accordingly, e.g., the cost or level of complexity in security controls. In conclusion, dynamic routines occur to improve risk management activities to fit new circumstances. Keywords Risk management, information security, routine, practice, asset identification, risk analysis, risk treatment, organizational aspects. iii Martin Lundgren, Making the Dead Alive iv Martin Lundgren, Making the Dead Alive Thesis This thesis comprises an introductory part and the following appended papers: Paper A Lundgren, M. (2020) ‘Rethinking capabilities in information security risk management: a systematic literature review,’ Int. J. Risk Assessment and Management, Vol. 23, No. 2, pp.169–190. Paper B Lundgren, M. and Bergström, E. (2019) ‘Dynamic interplay in the information security risk management process,’ Int. J. Risk Assessment and Management, Vol. 22, No. 2, pp.212–230. Paper C Bergström, E., Lundgren, M., and Ericson, Å. (2019) ‘Revisiting information security risk management challenges: a practice perspective,’ Information & Computer Security, Vol. 27, Issue: 3, pp.358–372. Paper D Bergström, E., Lundgren, M. (2019) ‘Stress Amongst Novice Information Security Risk Management Practitioners,’ Int. Journal on Cyber Situational Awareness, Vol. 4, No. 1, pp.128–154. The following papers are related to this thesis, but not included: Lundgren, M. (2016, August) ‘What's in the box? – A Review on Risk Management Routines and Capabilities in Information Security,’ In 39th Information Systems Research Conference in Scandinavia (IRIS), Ljungskile, Sweden Lundgren, M. (2018, April) ‘Making Information Security Research Great Again: Assumptions and Practical Aspects of Case-Study Research in Information Security,’ In 2nd International Symposium on Small-scale Intelligent Manufacturing Systems (SIMS), IEEE, Cavan, Ireland. Lundgren, M., and Bergström, E. (2019, June) ‘Security-Related Stress: A Perspective on Information Security Risk Management,’ In 2019 International Conference On Cyber Security and Protection of Digital Services (Cyber Security), IEEE, pp.273-280, Oxford, UK. v Martin Lundgren, Making the Dead Alive vi Martin Lundgren, Making the Dead Alive Contents 1 Introduction................................................................................................................1 1.1 Importance and Problem..................................................................................................................................1 1.2 Purpose............................................................................................................................................................2 1.3 Delimitation.....................................................................................................................................................2 2 Theoretical Domain.....................................................................................................3 2.1 Information Security........................................................................................................................................3 2.2 Risk Management............................................................................................................................................3 2.2.1 Assets, threats, vulnerabilities, risks, and controls......................................................................................................3 2.2.2 Formalized processes.......................................................................................................................................4 2.2.3 Challenges..................................................................................................................................................7 2.3 Dead and Alive Routines..................................................................................................................................8 3 Research Approach.....................................................................................................11

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    145 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us