Revisiting information security risk management challenges: a practice perspective

• Published in: Information & Computer Security Vol. 27; no. 3; pp. 358 - 372
• Main Authors: Bergström, Erik, Lundgren, Martin, Ericson, Åsa
• Format: Journal Article
• Language: English
• Published: Bingley Emerald Publishing Limited 2019; Emerald Group Publishing Limited
• Subjects: Asset valuation; Centre - Centre for Critical Infrastructure and Societal Security (CISS); Centrumbildning - Centrum för säkerhet i samhälle och kritiska infrastrukturer (CISS); Empirical analysis; Information management; Information security; Information Systems; Informationssystem; Informationssystem (IS); Knowledge sharing; Practice theory; Public sector; Qualitative research; Researchers; Risk management; Security management; Statistical analysis; Studies; Asset valuation; Practice theory; Risk management; Information security
• ISSN: 2056-4961; 2056-497X
• DOI: 10.1108/ICS-09-2018-0106

Purpose The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work.. Research limitations/implications The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches.