
Information systems security from a knowledge management perspective
Petros Belsis and Spyros Kokolakis

Information systems security

189

University of the Aegean, Department of Information and Communication Systems Engineering, Samos, Greece, and
Evangelos Kiountouzis
Athens University of Economics and Business, Department of Informatics, Athens, Greece

Abstract

Purpose – Information systems security management is a knowledge-intensive activity that currently depends heavily on the experience of security experts. However, the knowledge dimension of IS security management has been neglected, both by research and industry. This paper aims to explore the sources of IS security knowledge and the potential role of an IS security knowledge management system.

Design/methodology/approach – The results of this paper are based on field research involving five organizations (public and private) and five security experts and consultants. A model to illustrate the structure of IS security knowledge in an organization is then proposed.

Findings – Successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management.

Originality/value – In this paper, the knowledge management aspect of IS security management is highlighted. Moreover, the basic sources of security-related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security-focused KM system have been identified. Thus, the basis for the development of specialized security KM systems is set.

Keywords Knowledge management systems, Information systems, Greece

Paper type Research paper

Introduction

Information Systems (IS) security has become a major concern for modern enterprises and organizations, as most organizational activities nowadays depend heavily on information and communication technologies. In response, a plethora of tools and mechanisms have been developed, covering almost every aspect of IS security. However, the actual effectiveness of current security solutions has been seriously questioned, as the volume of security-related incidents and the consequent financial losses continue to increase in magnitude, as well as in severity. Security tools and mechanisms have limited effectiveness because security is primarily a “people issue”, as well as an “organization issue” (Hinde, 2003). From this perspective, the importance of IS security management in the context of the organization becomes evident.

Information Management & Computer Security, Vol. 13 No. 3, 2005, pp. 189-202. © Emerald Group Publishing Limited, 0968-5227. DOI 10.1108/09685220510602013

IMCS 13,3

190

IS security management aims to minimize the risks that information systems face in their operation. It involves several activities, such as planning, designing, implementing, monitoring, reviewing, and improving (BSI, 2002). These activities require specialized expertise, and one of the challenges faced by modern organizations is to acquire and manage expert knowledge in the area of IS security. Another important challenge is to effectively communicate vision, rules, and guidelines to employees and other stakeholders. Currently, security policies are used for this purpose. However, policies are static documents that reflect the technical and organizational context at the time of their creation. In addition, eliciting and processing feedback is particularly significant for the activities of monitoring, reviewing, and improving the IS security management system. Currently, most feedback is received through logging mechanisms that produce a large volume of raw data, while management requires information with a high proportion of human value added. Auditors often provide such quality feedback, which, however, is rarely utilized as a valuable knowledge asset. Finally, successful security management largely depends on the involvement of users and other stakeholders in security analysis, design, and implementation, as well as in actively defending the IS. However, most stakeholders lack the required knowledge of IS security issues that would allow them to play an important role in IS security management.

The elicitation, processing, and communication of relevant knowledge emerge as a common theme in all the aforementioned IS security management issues. Consequently, resolving these issues would require the establishment of effective knowledge management (KM) practices. Nevertheless, the KM aspect of IS security has been mostly ignored both by research and industry. Security information lies scattered throughout the organization, knowledge creation and diffusion remain an ad hoc process, and the tacit knowledge of security experts is in most cases preserved as their personal property.

We argue that KM would have a major positive impact on the effectiveness of IS security management. KM systems are used to capture and store organizational actors’ knowledge and make it available to others. A KM system handling IS security knowledge would support IS security managers in strategic planning, tactical decision making, and daily operations. At present, the field of IS security knowledge management remains largely unexplored. This paper aims to:
(1) bring to light the knowledge dimension of IS security;
(2) determine what constitutes IS security knowledge and where it originates from; and
(3) explore the potential of an IS security knowledge management system.

After the introduction, the following section presents the current practice in security knowledge acquisition and dissemination and sets out the aims of our research. In the third section we describe the methodology of our research and then present the results of the field research. Then, we introduce a model of IS security knowledge, which has resulted from a secondary analysis of the data collected through the field research. Finally, the potential of an IS security knowledge management system is explored and the conclusions of the paper are presented.

Current practice

Schools of thought in KM

Earl (2001) proposes a typology that distinguishes the different KM approaches that can be found in business practice. The main schools, according to Earl, are the systems school, the cartographic school, the process school, the commercial school, the organizational school, the spatial school and the strategic school. In the following, the seven schools are briefly presented:
(1) The systems school is the longest-established approach to KM. The issue of how to capture knowledge and make it available to others is central in the systems school. So, it is mostly concerned with domain-specific knowledge, which is captured by specialists to be used by other specialists.
(2) The cartographic school is concerned with mapping organizational knowledge by linking knowledge and people (e.g. knowledge “yellow pages”).
(3) The process school can be seen as an outgrowth of business process reengineering. It is based on two main ideas: business processes can be enhanced by providing operating personnel with task-specific knowledge; and management processes are inherently more knowledge-intensive than business processes, implying that contextual and “best-practice” knowledge are important.
(4) The commercial school is based on the commercial protection and exploitation of knowledge assets. Such an approach requires a dedicated and specialized team, as well as the development of tools and techniques to manage intellectual property as a routine process.
(5) The organizational school emphasises the role of (inter-organizational or intra-organizational) communities in facilitating knowledge exchange and creation.
(6) The spatial school focuses on the use of space or spatial design to facilitate knowledge exchange. Co-presence and socialization are used as a means of knowledge exchange and creation. The spatial school seeks to facilitate the creation of social capital by offering sociable spaces.
(7) The strategic school sees KM as one of the several dimensions of competitive strategy. The goal is to build, nurture and fully exploit knowledge assets through a variety of possible means.

The first three schools adopt a technocratic (as Earl names it) view of KM, as well as an objectivistic one. The underlying belief is that knowledge can be captured, stored, and disseminated, possibly by means of information technology. However, this view of KM fails to consider the subjective perception of any piece of knowledge by various individuals, as well as the social aspect of knowledge creation and communication. These considerations are central in the behavioural view of KM, which is followed by the organizational, spatial, and strategic schools. A distinct, though often complementary, view is the economic view that is adopted by the commercial school. In this view, knowledge is primarily regarded as an asset for the enterprise, an asset to be exploited and to be preserved and protected by the enterprise. This taxonomy does not imply that a school should be followed dogmatically; rather, it delineates different perspectives of KM that can be adopted without modification, adapted to the needs of a specific case, further expanded, or combined together. Our work is based on the tradition of the systems school, which focuses on capturing and codifying knowledge. However, once captured, knowledge is interpreted uniquely by each individual. Therefore, communities can play an important role in creating, interpreting and propagating knowledge, as the organizational school claims. Our perspective combines elements from these two representative schools of the technocratic and the behavioural viewpoints.

IS security knowledge in modern organizations

IS security management is a challenging task, as it demands not only the effective handling of technology-related factors, but also dealing with the so-called “human factor”, which adds complexity and makes the goal of securing a system rather difficult to achieve. As a consequence, security management depends primarily on knowledge of the IS, its organizational context, the technology trends, etc. Though many types of knowledge within the organization have been explored, security knowledge has been largely neglected. Previous attempts to manage IS security knowledge have been limited to the management of security documents (Fung et al., 2001) and the establishment of communities of practice that promote the co-operation of security experts, as well as the collection and dissemination of security information. In this category we find organizations such as CERT (Computer Emergency Response Team) and SAGE (System Administrators Guild, an international organization for professional system administrators). Risk analysis, a common security management practice, has been appraised for its knowledge acquisition potential (Baskerville, 1991). However, there is no indication of how this knowledge could be associated with other security knowledge and how it can be managed within the organization. The above techniques and practices contribute significantly to IS security management and provide pieces of security knowledge. However, a comprehensive appreciation of IS security knowledge has not been provided as yet.

In this paper the term knowledge refers to codified information with a high proportion of human value added, including insight, interpretation, context, experience, wisdom and so forth (Davenport and Volpel, 2001). According to Polanyi (1966, 1997), knowledge can be categorised in two types: tacit and explicit. Tacit knowledge is difficult to formalize and communicate (Nonaka et al., 1995). It is transferred through personal interaction, mental models, technical skills, and experience. Explicit knowledge is easy to communicate, but it is rigid and requires frequent updates.

When associated with the protection of data, the term security refers mainly to the preservation of the following key attributes: confidentiality, integrity and availability. In the context of an IS, however, security is a much broader term, referring to the set of principles, regulations, methodologies, measures, techniques and tools we establish to protect an IS from potential threats. IS security-related knowledge and its sources have never been systematically recorded, nor has their impact on security experts’ work been identified. Since there has been no pre-established hypothesis about what constitutes security knowledge in an IS, we conducted an exploratory field survey, which is presented in the following sections.

Methodology

Field research

The aim of the field research has been to identify what constitutes IS security knowledge and what the sources of this knowledge may be. Therefore, we addressed organizations with an established IS security management function and independent IS security consultants. Our sample consisted of five organizations (three from the public sector and two private enterprises) and five security experts and consultants (four independent security experts and one consultant from an international consulting firm). The subjects of our research were randomly selected from a pool of professionals with significant experience in the field. Table I shows the demographics of the field research.

In the first phase of the field research, five organizations were involved. In each organization we interviewed IS security experts and executives with IS security responsibilities. The five organizations are located in Greece. Nevertheless, the inclusion of the local branch of a large multinational software development company has given the sample an international perspective. We can distinguish three layers of security issues, and at each level we can distinguish different kinds of expertise (Tryfonas et al., 2001):
(1) Strategic, referring to issues that have an impact on corporate strategy (e.g. corporate IS security policy).
(2) Tactical, referring to issues regarding the methodologies/practices used to manage the security of the IS (e.g. developing an awareness program).
(3) Operations, referring to the installation and operation of security tools and measures (e.g. administering firewalls, intrusion detection systems, etc.).


All three levels have been investigated, with the main focus being on the lowest layer, i.e. operations, which is considered to be closest to the sources of IS security knowledge. Compared with the global market, our sample is rather small in size. Therefore, pure and hard statistical indices would not be particularly relevant in our case (Tryfonas et al., 2001; Jarvinen, 2001). Quantitative analysis requires representative samples containing an adequately large number of survey subjects. In our case, qualitative research and data analysis are more appropriate, provided that the fundamental principles of qualitative research are respected (Flick, 1998; Klein and Myers, 1999). The size of the sample indicated the need for data of high quality and validity. For this purpose, in-person interviews were performed. We designed and used as a research instrument an interview agenda with open questions, so as to leave the interviewee the flexibility to express their personal experience.

Table I. Demographics of the field research

Contacted organizations/experts | Subject’s position
Athens University of Economics and Business | Network operations center administrators
National Data Protection Authority | Systems administrators
Greek banking organization | IT auditor
Greek financial organization | Security engineer
Multinational software development company | IT consultant
Independent security analyst | Security expert
E&Y/TSRS | Manager/security consultant

Initially, we formulated a set of questions after a careful examination of the relevant IS security literature and the recent KM literature. Using the initial version of our agenda, in the first two pilot interviews we experienced deficiencies that resulted in a redesign of the instrument. Through a couple of successive interviews the interview agenda was redesigned and matured to its final version. Our sample consisted of different kinds of organizations, differing both in size and in security features and implemented measures. Therefore, we chose organizations without an explicit security policy (i.e. the Network Operations Center of a Greek university), medium-sized organizations, the Greek division of a multinational software company and several financial organizations, which were characterized by very strict and clear security policies and made use of advanced security tools and techniques. In terms of the interviewed subjects, we interviewed primarily technical experts, responsible for implementing measures of a technical nature according to the IS security policy, and a few managers with security responsibilities.

The second phase of our field research was targeted towards independent IS security experts and consultants. They were able to provide a different and much broader view, since they have been consulting for several different organizations and enterprises. Another questionnaire was constructed for this category of interviewees, consisting of open questions that allowed them to express their ideas freely. The sample included four independent experts and the manager of the TSRS (Technology Security and Risk Services) department of the Southeast Europe Division of Ernst & Young International.

Security practices and sources of IS security knowledge

The outcomes of the field research are given in Table II.
For each level of abstraction within the organizational boundaries, we identify practices aiming to enhance security and we attempt to identify the possible sources of exploitable knowledge. At this point it is worthwhile to make a distinction between security practices that aim to prevent security incidents (proactive security) and those that aim to detect them after they have developed (reactive security).

Table II. IS security practices and relative sources of security knowledge

Level of abstraction | Security practice | Potential sources of related knowledge
Strategic | Design and dissemination of security policies | Policy document
Tactical | Risk analysis | Risk analysis documentation; documented countermeasures
Tactical | IS audit | Audit trail reports, automatic logs; audit documentation and audit reports
Operations | Security management tools | Reports, alerts
Operations | Network security and firewalls | Alerts; logs

Table II also classifies each source by its target (proactive/reactive security): the policy document and the risk analysis sources serve proactive security, while the alerts and logs at the operations level serve reactive security.

At the most abstract level we have placed the policy document, which represents the IS security policy of the organization and integrates security requirements with business requirements. Security policies are not always recorded in a corresponding security policy document; quite often they are implicit and not strictly expressed. Security policies often emerge from a risk analysis study, and the documentation that has been produced in the process of analysing risks includes vital information, especially in cases of emergency, such as recovering after a security incident. Another popular security-related practice at the middle organizational layer is IS auditing. In order to conduct an audit, certain data are necessary, and a series of important reports is produced after the audit is completed. Audit reports constitute valuable knowledge assets for a security officer. At the lowest layer, and usually the one that is of prime interest, we identify sources of technically exploitable data, such as firewall access lists, operating system logs and alerts, etc.

Table III presents a different view of IS security knowledge, that of independent security experts. An independent expert is constantly changing organizational environments, which are often associated with totally different security needs. Gathering information and obtaining knowledge of the organization they are studying is essential for the success of their work. They focus mainly on organizational culture, structure, needs, and perception of risk. ISO 17799 (ISO, 2000), the international standard on IS security management, has significantly influenced the perception of IS security issues. The standard defines the main domains of security management, and most security experts categorize IS security knowledge according to the relevant security management domain. In order to enhance their knowledge, they use several methods, such as attending seminars and reading relevant scientific articles, and they obtain tacit knowledge (experience) from more experienced experts through on-the-job training.


Table III. Independent security experts’ views of IS security knowledge

Issue | Sources
Expertise development | Seminars; scientific journals, international conferences and specialized websites; international standards and guidelines from international organizations; on-the-job training
Categories of IS security knowledge | ISO 17799 categorization
Organizational knowledge | Culture; organizational structure; organizational needs addressed by the IS; perception of risk; IS configuration and functionality

A model representing IS security knowledge

Empirical findings are of limited value unless they are supported by a theoretical framework. We will attempt to support our findings by proposing a model to illustrate the structure of IS security knowledge in an organization. In order to delineate the structure of IS security knowledge we adopt a structured framework with three layers, namely policy, guidelines, and measures:
(1) Policy: A policy may be defined as a set of high-level instructions intended to provide guidance to those assigned the responsibility of decision making.
(2) Guidelines: Guidelines are specific operational steps to be followed by members of the organization, so as to implement a policy.
(3) Measures: Measures (or security controls) refer to specific actions taken when guidelines are implemented in a specific IS installation.

This hierarchical framework is mainly associated with knowledge internal to the organization. There are also other sources of knowledge that are related to the organization and that should be carefully examined, though they cannot be embodied in the aforementioned categories. For example, in the process of conducting a risk analysis review, threats and vulnerabilities are measured and documented. This knowledge is vital and significantly affects policy design. The fact that it is related to the structured framework, without being part of it, is represented in Figure 1 by the arrows pointing towards the framework. The term IS-related knowledge refers to several characteristics of the IS that significantly affect IS security, e.g. network configuration. Finally, important knowledge can be extracted from the study of the organizational framework, meaning the study of several parameters associated with the organization (or organizations) in the context of which the IS operates. Figure 1 represents the model that has been derived from our field research.

Figure 1. A structural model of IS security knowledge

Towards an IS security knowledge management system

In the previous paragraphs, we have addressed the first two objectives of the paper, i.e. to bring to light the knowledge dimension of IS security and to determine what constitutes IS security knowledge and where it originates from. Next, we attempt to explore the potential of an IS security knowledge management system and to delineate the main functions that such a system should provide. To this aim, we first analyse the knowledge creation process and then examine knowledge creation and management in the context of an IS security knowledge management system.

Knowledge creation

Currently, the creation of IS security-related knowledge within the organization remains an ad hoc process. Organizations either hire expensive external consultants or depend on security experts within the organization who build their own personal knowledge creation processes. In either case organizations are prevented from controlling security knowledge. Nonaka and Takeuchi (1995) developed the influential concept of a knowledge-creating company and later formed the widely cited knowledge creation theory (Gao et al., 2002). A process model of knowledge creation builds on the crucial presupposition that human knowledge is created and enlarged by means of a social interaction between tacit and explicit knowledge. This interaction is called knowledge creation (Beijerse, 1999). This conversion does not take place within discrete individuals, but between individuals within an organization (Nonaka and Takeuchi, 1995). The interaction between tacit and explicit knowledge can appear in four modes (see Figure 2):
(1) Socialization. Knowledge is exchanged through person-to-person interaction and while experiences are exchanged. Examples of situations where this happens are trial-and-error learning, on-the-job training, and direct or indirect communication. In this case, tacit knowledge is exchanged and remains tacit; for example, a person acquires experience by working close to a more experienced worker.
(2) Externalization. In this case, tacit knowledge becomes explicit. Metaphors, models and analogies play an important role in this conversion process. Externalization is considered a key process in knowledge conversion because it is here that new, explicit (exploitable) knowledge is born from tacit knowledge.


Figure 2. Knowledge creation types


(3) Combination. This is the process whereby knowledge is combined through documents and meetings, and existing knowledge can be better structured, sorted, etc. A typical case is the use of information technology.
(4) Internalization. This is the process in which explicit knowledge becomes part of tacit knowledge. It is the case when someone expands his/her knowledge about a topic by becoming involved in a project. Instead of gaining theoretical knowledge, dealing with a subject on a daily basis expands our knowledge about it, and the boundaries between documented knowledge and experience start to become unclear.

The four kinds of interaction between tacit and explicit knowledge together form a spiral, which interconnects the four types of knowledge transformation (see Figure 3). Organizational knowledge creation, as distinct from individual knowledge creation, takes place when all four modes of knowledge creation are “organizationally” managed to form a continual cycle (Nonaka, 1994). This cycle is shaped by a series of shifts between different modes of knowledge conversion. First, the socialization mode usually starts with the building of a team. Second, successive rounds of meaningful dialogue trigger the externalization mode. The interactions between tacit and explicit knowledge tend to become larger in scale and faster in speed as more actors in and around the organization become involved.

Figure 3. The knowledge spiral

Functional analysis of an IS security knowledge management system

Though KM technology has been widely deployed to support several functions within an organization, little if any use of such technology has so far been directed towards IS security knowledge. KM technology should not be viewed as a single technology, but rather as a broad collection of techniques that need to be adopted and integrated (Davenport and Volpel, 2001). Some of the technologies, e.g. case-based reasoning, rule-based systems, inference engines, and data mining tools, are not new. Some are useful not only for knowledge management, but also for information management and data processing, as is true for intranets and the web. However, technology by itself is not an answer to the issue of developing an effective KM system (Davenport and Prusak, 1998). The necessity to develop an organizational culture and infrastructure through which knowledge can be created and diffused is a very important factor towards the goal of creating an effective KM system. So, rather than prescribing technologies, we will focus on the services that a KM system should provide to support IS security management. A KM system may support the following five KM activities (Milton et al., 1999): personalization, codification, discovery, creation/innovation, and capture/monitor.

Personalization. Personalization is the activity of knowledge sharing through person-to-person contact. On-line forums, chat systems and argumentation systems are examples of technologies that support personalization activities within an organization. The personalization function of the system should support communication with the people in the organization who have expertise in IS security or a special interest in IS security. Communication should be direct and open. The use of a common language is an issue, as security terms may have multiple interpretations. The development of a standard ontology would be a solution to the common language issue in most cases.

Codification. Codification is the activity of capturing existing knowledge and placing it in structured repositories. Codification requires specialised software tools that will support knowledge extraction, storage and dissemination. Therefore, tools such as the following are required:
- knowledge repositories based on a common ontology;
- data mining tools;
- web-based tools that facilitate access to the knowledge repository; and
- advanced knowledge representation techniques.
In the case of IS security, a plethora of data exist in log files, incident reports, audit files, etc. Extracting knowledge from these sources is a challenge, and it may require advanced technologies, such as data mining tools.

Discovery. Discovery is the activity of searching for and retrieving knowledge from repositories and databases, for example using the WWW and intranet systems. Knowledge discovery requires easy access to knowledge resources. Therefore, specialized search engines need to be developed. Moreover, specialized thematic indices that point to quality information may be helpful. In the case of IS security knowledge, the discovery function of the system should be extended to reach knowledge that lies outside the organization, since there are several organizations and groups that produce useful material, though this material is not organized. Moreover, discovering and rendering up-to-date security knowledge is very important, since security knowledge becomes obsolete very rapidly.
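As an added illustration of the codification and discovery functions just described (this is example code written for this page, not a system from the paper or its authors), the following Python script condenses constructed firewall log lines and a constructed audit finding into repository entries that use the Table II vocabulary (level of abstraction, practice, source, proactive/reactive target), then lets a stakeholder retrieve entries by tag while flagging entries whose evidence is older than a configurable age, since security knowledge becomes obsolete quickly. The entry structure, the tag vocabulary, the log line format and the 90-day staleness threshold are all assumptions made for the example.

```python
"""Added example: codification and discovery for an IS security knowledge repository.

Raw security data (here: constructed firewall log lines and one constructed audit
finding) are condensed into structured entries that share one vocabulary, so that
stakeholders can later discover them by tag and see whether they have gone stale.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Constructed sample input, not taken from the paper. One line is deliberately malformed.
SAMPLE_FIREWALL_LOG = [
    "2005-03-01 DENY TCP 198.51.100.7:51234 -> 192.0.2.10:22",
    "2005-03-01 DENY TCP 198.51.100.7:51235 -> 192.0.2.10:22",
    "2005-03-01 ALLOW TCP 192.0.2.25:40000 -> 192.0.2.10:443",
    "2005-03-02 corrupted entry",
    "2005-03-02 DENY TCP 198.51.100.7:51240 -> 192.0.2.10:22",
    "2005-03-02 DENY UDP 203.0.113.9:5000 -> 192.0.2.11:161",
]
SAMPLE_AUDIT_FINDINGS = [
    ("2004-11-15", "Access control", "Shared administrator account found on file server"),
]

# Assumed log line format for the example: date, action, protocol, src:port -> dst:port.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<action>DENY|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class KnowledgeEntry:
    level: str        # strategic / tactical / operations (the Table II levels)
    practice: str     # security practice that produced the knowledge
    source: str       # kind of raw source (firewall log, audit report, ...)
    target: str       # proactive or reactive security
    summary: str      # the codified, human-readable statement
    recorded: date    # when the underlying evidence was last seen; drives staleness
    tags: frozenset   # shared vocabulary used by the discovery function


def codify_firewall_log(lines):
    """Condense raw DENY events into operations-level entries, one per (src, dst, port, proto)."""
    counts = Counter()
    last_seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or m["action"] != "DENY":
            continue  # malformed or permitted traffic carries no knowledge here; skip it
        key = (m["src"], m["dst"], m["dport"], m["proto"])
        counts[key] += 1
        last_seen[key] = date.fromisoformat(m["day"])
    entries = []
    for key, n in sorted(counts.items()):
        src, dst, dport, proto = key
        entries.append(KnowledgeEntry(
            level="operations", practice="Network security and firewalls",
            source="firewall log", target="reactive",
            summary=f"{n} {proto} connection(s) from {src} to {dst}:{dport} denied",
            recorded=last_seen[key],
            tags=frozenset({"firewall", proto.lower(), f"port-{dport}", src}),
        ))
    return entries


def codify_audit_findings(findings):
    """Turn (date, domain, finding) triples from an audit report into tactical-level entries."""
    return [
        KnowledgeEntry(
            level="tactical", practice="IS audit", source="audit report", target="proactive",
            summary=text, recorded=date.fromisoformat(day),
            tags=frozenset({"audit", domain.lower().replace(" ", "-")}),
        )
        for day, domain, text in findings
    ]


def discover(repo, tag, as_of, max_age_days=90):
    """Return (entry, is_stale) pairs for entries carrying `tag`.

    Anything whose evidence is older than `max_age_days` (an assumed threshold) is
    flagged rather than silently returned, because security knowledge ages quickly.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    limit = timedelta(days=max_age_days)
    return [(e, (as_of - e.recorded) > limit) for e in repo if tag in e.tags]


def build_repository():
    """Codify both constructed sources into one repository list."""
    return codify_firewall_log(SAMPLE_FIREWALL_LOG) + codify_audit_findings(SAMPLE_AUDIT_FINDINGS)


if __name__ == "__main__":
    repo = build_repository()
    for e in repo:
        print(f"[{e.level}/{e.target}] {e.practice}: {e.summary}")
    for e, stale in discover(repo, "audit", "2005-03-02"):
        print("audit hit:", e.summary, "(stale)" if stale else "(current)")
```

The aggregation step is where raw data acquire human value added: five log lines become two statements a security officer can act on, while the malformed line and the permitted connection are dropped rather than stored as noise. Tagging every entry with the same small vocabulary is the simplest form of the common ontology the paper calls for, and the staleness flag makes the obsolescence of security knowledge visible at retrieval time instead of leaving it to the reader.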


Creation/innovation. Creation/innovation is the activity of generating new knowledge, which is vital if an organization is to remain competitive. The role of humans is essential and there is almost no indication that they can be substituted by technology, at least in the near future. To achieve innovation, teams of people with security expertise must be formed. Incentives are also required for employees to provide the system with knowledge. Innovation may also result from structured methodologies used in IS security analysis and design, as is the case with risk analysis. Risk analysis is a methodology aiming to identify and evaluate IS assets, the business impact of asset loss or damage, and threats and vulnerabilities, and thus to assess the risk that is inherent in the operation of the IS. Knowledge creation has been considered a by-product of risk analysis. Nevertheless, it would be the most valuable outcome of risk analysis if it were integrated into a comprehensive knowledge management system.

Capture/monitor. Capture/monitor is the activity of capturing knowledge as people carry on their normal tasks, such as interacting with other people. Logging and automatic auditing should be incorporated into the KM system. Security experts usually act under time pressure, as they are facing an incident in progress and, in many cases, a swift opponent. At that time, it is practically infeasible to demand that security experts document their actions and methods. Therefore, the knowledge capturing function of the system should be able to document and analyse incident handling without interfering with the work of the security experts.

The above five functions of the KM system are directly mapped to the four knowledge creation processes described in the previous section, as shown in Table IV.

Conclusions

In this paper, the knowledge management aspect of IS security management has been highlighted. Moreover, the basic sources of security-related knowledge have been identified and a model of IS security knowledge has been created. Also, the activities to be supported by a security-focused KM system have been identified. Thus, the basis for the development of specialized security KM systems has been set. In addition, it is important to note that both technical factors and organizational factors have to be taken into consideration. Knowledge creation is primarily a social process, and a KM system should support groups in the social activities that foster knowledge creation and dissemination. An IS security KM system is expected to support IS security management at all strategic, tactical and operational levels. Moreover, it would be a valuable tool in resolving specific IS security management issues:

Table IV. Mapping of functions to knowledge creation processes
Columns (KM system functions): Personalization, Codification, Discovery, Creation/innovation, Capture/monitor
Rows (knowledge creation processes): Socialization, Externalization, Combination, Internalization
[The cell marks of the mapping did not survive extraction in a recoverable column order.]

- it would diminish the dependence on expensive security consultants, as knowledge creation occurs within the organization;
- it would provide users and other stakeholders with access to security knowledge and, thus, enable their participation in the IS security effort;
- it would enable management guidelines to be effectively communicated to users of the IS; and
- it would support monitoring, reviewing, and amending the IS security management system by means of reinforcing the feedback process.
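The capture/monitor function described above, as an added example that is not part of the paper: constructed audit records of an incident responder's actions are turned into a structured incident-handling record for the knowledge repository, so that the expert documents nothing by hand while the incident is in progress. The audit line format, the phase classification by tool name and the incident identifier are all assumptions made for this example.

```python
"""Non-intrusive capture of incident handling from audit records (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample audit trail, one incident: "timestamp|analyst|host|command".
SAMPLE_AUDIT = """\
2004-03-10T09:12:05|alice|srv-mail|grep 'Failed password' /var/log/auth.log
2004-03-10T09:14:40|alice|srv-mail|netstat -tnp
2004-03-10T09:20:11|alice|fw-1|iptables -I INPUT -s 192.0.2.7 -j DROP
2004-03-10T09:31:02|bob|srv-mail|tar czf /tmp/evidence.tgz /var/log
2004-03-10T09:35:50|alice|srv-mail|passwd www-data
"""

# Hypothetical mapping from the tool invoked to an incident-handling phase.
PHASES = {"grep": "analysis", "netstat": "analysis", "iptables": "containment",
          "tar": "evidence", "passwd": "eradication"}


@dataclass
class IncidentRecord:
    """What the repository stores: the ordered steps plus derived summaries."""
    incident_id: str
    steps: list = field(default_factory=list)  # (time, analyst, host, phase, command)

    def analysts(self):
        return sorted({s[1] for s in self.steps})

    def tools_used(self):
        return Counter(s[4].split()[0] for s in self.steps)

    def phase_sequence(self):
        # Phases in the order they were first entered, e.g. analysis -> containment.
        seen = []
        for s in self.steps:
            if s[3] not in seen:
                seen.append(s[3])
        return seen

    def duration_minutes(self):
        return (self.steps[-1][0] - self.steps[0][0]).total_seconds() / 60


def capture_incident(incident_id, audit_text):
    """Build the record purely from the audit trail; no analyst input is required."""
    rec = IncidentRecord(incident_id)
    for line in audit_text.splitlines():
        ts, analyst, host, cmd = line.split("|", 3)
        phase = PHASES.get(cmd.split()[0], "unclassified")
        rec.steps.append((datetime.fromisoformat(ts), analyst, host, phase, cmd))
    rec.steps.sort(key=lambda s: s[0])  # audit sources may deliver out of order
    return rec
```

The derived summaries (phases entered, tools used, elapsed time, analysts involved) are the material a later codification step can review and turn into reusable guidance.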

