Identifying Blind Spots in IS Security Risk Management Processes Using Qualitative Model Analysis

  • Christian SillaberEmail author
  • Ruth Breu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


The present paper examines quality aspects of models created by stakeholders to identify blind spots in information systems security risk management (ISSRM) processes via a multi-method research study at the organizational level. Stakeholders were interviewed to gain an understanding of their awareness of business processes, models of the information system (IS), and related security requirements in the context of an ongoing ISSRM process. During several modeling sessions, stakeholders were asked to model various aspects of the IS under investigation in the form of component, activity and business process diagrams. We then analyzed the created models qualitatively and linked identified inconsistencies to security issues omitted during the ISSRM process (blind spots). The findings indicate that various quality aspects of models created by stakeholders that describe either the IS or related business processes can contribute to an improved ISSRM process, better alignment to the business environment and improved elicitation of security requirements. Following current research that considers users as the most important resource in ISSRM, this study highlights the importance of using and analyzing model diagrams from appropriate stakeholders at the right time during the ISSRM process to identify potential blind spots and avoid unclarity, that might be introduced by verbal communication. The research provides risk managers with a process for identifying blind spots to improve results and reduce overhead.


Information systems security risk management Stakeholder created models Risk management process improvement 



This work was supported by the Austrian Federal Ministry of. Economy (BMWFW), QE LaB - Living Models for Open Systems (FFG 822740).


  1. 1.
    Ernst and Young’s, Into the cloud, out of the fog; Global Information Security Survey, Young, Ernst. Technical report, November 2011 Google Scholar
  2. 2.
    Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34(1), 1–11 (2011)CrossRefGoogle Scholar
  3. 3.
    Wade, J.: The weak link in IT security. Risk Manag. 51(7), 32–37 (2004)Google Scholar
  4. 4.
    Siponen, M.T.: Critical analysis of different approaches to minimizing user-related faults in information systems security: implications for research and practice. Inf. Manag. Comput. Secur. 8(5), 197–209 (2000)Google Scholar
  5. 5.
    Stanton, J., Stam, K., Mastrangelo, P., Jolton, J.: Behavioral information security. In: Human-Computer Interaction and Management Information Systems: Foundations, p. 262. M.E. Sharpe, New York (2006)Google Scholar
  6. 6.
    Spears, J., Barki, H.: User participation in information systems security risk management. MIS Q. 34(3), 503–522 (2010)Google Scholar
  7. 7.
    Vance, A.: Neutralizaiton: new insights into the problem of employee information systems security. MIS Q. 34(3), 487–502 (2010)MathSciNetGoogle Scholar
  8. 8.
    Benbasat, I.: An empirical study of rationality-based beliefs in information systems security. MIS Q. 34(3), 523–548 (2010)Google Scholar
  9. 9.
    Puhakainen, P., Siponen, M.: Improving employees’ compliance through information systems security training: an action research study. MIS Q. 34(4), 757–778 (2010)Google Scholar
  10. 10.
    Siponen, M., Oinas-Kukkonen, H.: A review of information security issues and respective research contributions. ACM Sigmis Database 38(1), 60–80 (2007)CrossRefGoogle Scholar
  11. 11.
    Locke, E.A., Alavi, M., Wagner III, J.A.: Participation in decision making: an information exchange perspective. Res. Pers. Hum. Resour. Manag.: A Res. Ann. 15, 293–332 (1997)Google Scholar
  12. 12.
    Markus, M.L., Mao, J.-Y.: Participation in development and implementation- updating an old, tired concept for today’s IS contexts. J. Assoc. Inf. Syst. 5(11), 14 (2004)Google Scholar
  13. 13.
    CSI, CSI Computer Crime & Security Survey, Computer Security Institute. Technical report (2008)Google Scholar
  14. 14.
    Alavi, R., Islam, S., Mouratidis, H.: A conceptual framework to analyze human factors of information security management system (ISMS) in organizations. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 297–305. Springer, Heidelberg (2014)Google Scholar
  15. 15.
    Spears, J.L., Barki, H.: User participation in information systems security risk management. MIS Q. 34(3), 503–522 (2010)Google Scholar
  16. 16.
    Mejias, R.: An integrative model of information security awareness for assessing information systems security risk. In: 2012 45th Hawaii International Conference on System Science (HICSS), pp. 3258–3267 (2012)Google Scholar
  17. 17.
    Guo, K.H., Yuan, Y., Archer, N.P., Connelly, C.E.: Understanding nonmali- cious security violations in the workplace: a composite behavior model. J. Manag. Inf. Syst. 28(2), 203–236 (2011)CrossRefGoogle Scholar
  18. 18.
    Heath, R.L., O’Hair, H.D.: Handbook of Risk and Crisis Communication. Routledge, London (2010)Google Scholar
  19. 19.
    Steinbart, P.J., Raschke, R.L., Gal, G., Dilla, W.N.: The relationship between internal audit and information security: an exploratory investigation. Int. J. Account. Inf. Syst., Research Symposium on Information Integrity and Information Systems Assurance 13(3), 228–243 (2011)Google Scholar
  20. 20.
    Peltier, T.R.: Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press, Abingdon (2013)Google Scholar
  21. 21.
    Sillaber, C. Breu, R.: Using business process model awareness to improve stakeholder participation in information systems security risk management processes. In: Conference on Wirtschaftsinformatik (2015, in press)Google Scholar
  22. 22.
    Kohlbacher, F.: “The Use of Qualitative Content Analysis in Case Study Research”, Forum Qual. Soc. Res. 7, 31 (2006)Google Scholar
  23. 23.
    Verendel, V.: Quantified security is a weak hypothesis. In: Proceedings of the 2009 workshop on New security paradigms workshop - NSPW 2009, p. 37 (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.University of InnsbruckInnsbruckAustria

Personalised recommendations