Information Systems Frontiers

, Volume 9, Issue 5, pp 481–492

Overcoming organizational challenges to secure knowledge management

Article

Abstract

Incident management systems have the potential to improve security dramatically but often experience problems stemming from organizational, interpersonal and social constraints that limit their effectiveness. These limits may cause underreporting of incidents, leading to erroneous perceptions of the actual safety and security situation of the organization. The true security situation may be better understood and underreporting may be reduced if underlying systemic issues surrounding security incident management are taken into account. A dynamic simulation, based on the parallel experience of industrial incident management systems, illustrates the cumulative effects of rewards, learning, and retributions on the fate of a hypothetical knowledge management system designed to collect information about events and incidents. Simulation studies are part of an ongoing research project to develop sustainable knowledge and knowledge transfer tools that support the development of a security culture.

Keywords

Knowledge management Security Simulation System dynamics Incident management Organizations 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Anderson, R. (Ed.) (2001). Why information security is hard—an economic perspective. 17th Annual Computer Security Applications Conference, 2001 (ACSAC 2001); 10–14 December.Google Scholar
  2. Anderson, D. J., & Webster, C. S. (2001). A system approach to the reduction of medication error on the hospital ward. Journal of Advanced Nursing, 35(1), 34–41.CrossRefGoogle Scholar
  3. Barach, P., & Small, S. D. (2000). Reporting and preventing medical mishaps: Lessons from nonmedical near miss reporting systems. British Medical Journal, 320, 759–763.CrossRefGoogle Scholar
  4. Barlas, Y. (1989). Multiple tests for validation of system dynamics type of simulation models. European Journal of Operations Research, 42, 59–87.CrossRefGoogle Scholar
  5. Barlas, Y. (1996). Formal aspects of model validity and validation in system dynamics. System Dynamics Review, 12(3), 183–210.CrossRefGoogle Scholar
  6. Bhatt, G. D. (2001). Knowledge management in organizations: Examining the interaction between technologies, techniques, and people. Journal of Knowledge Management, 5(1), 68–75.CrossRefGoogle Scholar
  7. Campbell, S. (2006).How to think about security failures. Communications of the ACM, 49(1), 37–39 (01).CrossRefGoogle Scholar
  8. Cooke, D. L., & Rohleder, T. R. (2006). Learning from incidents: From normal accidents to high reliability. System Dynamics Review, 22(3), 213–239.CrossRefGoogle Scholar
  9. Damodaran, L., & Olphert, W. (2000). Barriers and facilitators to the use of knowledge management systems. Behaviour & Information Technology, 19(6), 405–413.CrossRefGoogle Scholar
  10. Davenport, T. H. (1997). Information ecology: Mastering the information and knowledge environment. New York: Oxford University Press.Google Scholar
  11. Davenport, T. H., & Prusak, L. (1998). Working knowledge: How organizations manage what they know. Boston: Harvard Business School Press.Google Scholar
  12. Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 319–340.CrossRefGoogle Scholar
  13. Debar, H., & Viinikka, J. (2005). Intrusion detection: Introduction to intrusion detection and security information management. In A. Aldini, R. Gorrieri, & F. Martinelli (Eds.), Foundations of security analysis and design III (pp. 207–236). Heidelberg: Springer Berlin.CrossRefGoogle Scholar
  14. Debowski, S. (2006). Knowledge management. Australia: John Wiley & Sons.Google Scholar
  15. Forrester, J. W. (1961). Industrial dynamics. Cambridge MA: Productivity Press.Google Scholar
  16. Forrester, J. W. (1994). Policies, decisions, and information sources for modeling. In J. D. W. Morecroft, J. D. Sterman (Eds.), Modeling for learning organizations (pp. 51–84). Portland, OR: Productivity Press.Google Scholar
  17. Forrester, J. W., & Senge, P. M. (1981). Tests for building confidence in system dynamics models. TIMS Studies in the Management Sciences, 14, 209–228.Google Scholar
  18. Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security information. Information Systems Research, 16(2), 186–208.CrossRefGoogle Scholar
  19. Gold, A. H., Malhotra, A., & Segars, A. H. (2001). Knowledge management: An organizational capabilities perspective. Journal of Management Information Systems, 18(1), 185–214.Google Scholar
  20. Gonzalez, J. J. (2005). Towards a cyber security reporting system—a quality improvement process. In B. A. G. Rune Winther, & G. Dahll (Eds.), Computer safety, reliability, and security. Heidelberg: Springer.Google Scholar
  21. Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5(4), 438–457 (November).CrossRefGoogle Scholar
  22. Gordon, L. A., Loeb, M., & Lucyshyn, W. (2003). Sharing information on computer systems security: An economic analysis. Journal of Accounting Public Policy, 22(6), 461–485.CrossRefGoogle Scholar
  23. Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Richardson, R. (2004). CSI/FBI Computer Crime and Security Survey. Technical Report: Computer Security Institute.Google Scholar
  24. Görling, S. (2006). The myth of user education. Virus Bulletin Conference; 2006 11–13 October; Montréal, Canada.Google Scholar
  25. Halal, G. (1998). The infinite resource. San Francisco: Jossey-Bass Publishers.Google Scholar
  26. Haley, C. B., Moffett, J. D., Laney, R., & Nuseibeh, B. (Eds.) (2005). A framework for security requirements engineering. The 2006 International Workshop on Software Engineering for Secure Systems; Shanghai, China IEEE.Google Scholar
  27. Holzapple, C. W., & Joshi, K. D. (2004). A formal knowledge management ontology: Conduct, activities, resources and influences. Journal of the American Society for Information Science and Technology, 55(7), 593–612 (May).CrossRefGoogle Scholar
  28. ISO/IEC, (2005). Information technology—Security techniques—Evaluation criteria for IT security—Part 1: Introduction and general model. Geneva, October. Standard ISO/IEC 15408-1:2005(E).Google Scholar
  29. James, R. H. (2003). 1000 anaesthetic incidents: Experience to date. Anaesthesia, 58, 856–863.CrossRefGoogle Scholar
  30. Johnson, C. (2003). Failure in safety-critical systems: A handbook of incident and accident reporting. Glasgow, Scotland: Glasgow University Press.Google Scholar
  31. Jones, S., Kirchsteiger, C., & Bjerke, W. (1999). The importance of near miss reporting to further improve safety performance. Journal of Loss Prevention in the Process Industries, 12(1), 59–67.CrossRefGoogle Scholar
  32. Kahneman, D. (1973). Attention and effort. Englewood Cliffs, NJ: Prentice-Hall.Google Scholar
  33. Kahneman, D., & Tversky, A. (2000). Prospect theory: An analysis of decision under risk. In D. Kahneman & A. Tversky (Eds.), Choices, values, and frames. Cambridge, UK: Cambridge University Press.Google Scholar
  34. Kjellén, U. (2000). Prevention of accidents through experience feedback. London and New York: Taylor & Francis.Google Scholar
  35. Lee, P. I., & Weitzel, T. R. (2005). Air carrier safety and culture: An investigation of Taiwan’s adaptation to western incident reporting programs. Journal of Air Transportation, 10(1), 20–37.Google Scholar
  36. March, J. G. (1994). A primer on decision-making: How decisions happen. New York: Free Press.Google Scholar
  37. Moon, H. K., & Park, M. S. (2002). Effective reward systems for knowledge sharing. Knowledge Management Review, 22–25.Google Scholar
  38. National Institute of Standards and Technology. (2000). An introduction to computer security: The NIST handbook. Special Publication 800-12: US Department of Commerce; July.Google Scholar
  39. National Institute of Standards and Technology. (2001). Engineering principles for information technology security (A baseline for achieving security). Special Publication 800-27. Gaithersburg, MD: US Department of Commerce; 2001 June.Google Scholar
  40. Nielsen, K. J., Carstensen, O., & Rasmussen, K. (2006). The prevention of occupational injuries in two industrial plants using an incident reporting scheme. Journal of Safety Research, 37(5), 479–486.Google Scholar
  41. Nyssen, A. S., Aunac, S., Faymonville, M. E., & Lutte, I. (2004). Reporting systems in healthcare from a case-by-case experience to a general framework: An example in anaesthesia. European Journal of Anaesthesiology, 10(21), 757–765.CrossRefGoogle Scholar
  42. O’Dell, C., & Grayson, Jr. C. J. (1998). If only we knew what we know. New York: Free Press.Google Scholar
  43. Phimister, J. R., Oktem, U., Kleindorfer, P. R., & Kunreuther, H. (2003). Near-miss incident management in the chemical process industry. Risk Analysis, 23(3), 445–459.CrossRefGoogle Scholar
  44. Randazzo, M. R., Keeney, M. M., Kowalski, E. F., Cappelli, D. M., & Moore, A. P. (2004). Insider threat study: Illicit cyber activity in the banking and finance sector. Technical Report. Pittsburgh, PA: U.S. Secret Service and CERT Coordination Center / Software Engineering Institute; 2004 August.Google Scholar
  45. Reason, J. (2000). Human error models and management. British Medical Journal, (320), 768–770.Google Scholar
  46. Repenning, N., & Sterman, J. (2001). Nobody ever gets credit for fixing defects that didn’t happen: Creating and sustaining process improvement. California Management Review, 43(4), 64–88.Google Scholar
  47. Richardson, G. P., & Pugh, A. L. III. (1981). Introduction to system dynamics modeling with DYNAMO. Cambridge MA: Productivity Press.Google Scholar
  48. Schneier, B. (2000). Secrets & lies: Digital security in a networked world. Wiley.Google Scholar
  49. Stanhope, N., Crowley-Murphy, M., Vincent, C., O’Connor, A. M., & Taylor-Adams, S. E. (1999). An evaluation of adverse incident reporting. Journal of Evaluation in Clinical Practice, 5(1), 5–12.CrossRefGoogle Scholar
  50. Stanton, J. M., & Stam, K. R. (2006). The visible employee. Medford, MA: Information Today.Google Scholar
  51. Sterman, J. D. (2000). Business dynamics: Systems thinking and modeling for a complex world. Boston: Irwin McGraw-Hill.Google Scholar
  52. Stewart, T. A. (1997). Intellectual capital: The new wealth of organizations. New York: Doubleday.Google Scholar
  53. Stoneburner, G. (2006). Toward a unified security/safety model. Computer, 39(8), 96–97.CrossRefGoogle Scholar
  54. Sveiby, K. E. (1997). The new organizational wealth: Managing and measuring knowledge-based assets. San Francisco: Berrett Koehler.Google Scholar
  55. Venkatesh, V., & Davis, F. D. (2000). A theoretical extension of the technology acceptance model: Four longitudinal field studies. Management Science, 46(2), 186–204.CrossRefGoogle Scholar
  56. Winkler, I. (2005). Spies among us: How to stop the spies, terrorists, hackers, and criminals you don’t even know you encounter every day. Indianapolis: Wiley.Google Scholar
  57. Zangwill, W. I., & Kantor, P. B. (1998). Towards a theory of continuous improvement and the learning curve. Management Science, 44(7), 910–920.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2007

Authors and Affiliations

  1. 1.Security and Quality in Organizations, Faculty of engineering and scienceAgder University CollegeGrimstadNorway
  2. 2.Department of Information Technology Management, School of BusinessUniversity at AlbanyAlbanyUSA
  3. 3.College of Computing and InformationUniversity at AlbanyAlbanyUSA
  4. 4.Department of Industrial Management, Faculty of Technology, TECNUNUniversity of NavarraGipuzkoaSpain

Personalised recommendations