Highlighted Selections from:

Rethinking the Information Security Risk Practices: a Critical Social Theory Perspective

DOI: 10.1109/HICSS.2014.397

Thapa, Devinder, and Dan Harnesk. “Rethinking the Information Security Risk Practices: a Critical Social Theory Perspective.” IEEE International Conference on System Science. 3207–3214. Print.

p.3207: There is a lack of theoretical understanding of information security risk practices. For example, the information security risks related literatures are dominated by instrumental approach to protect the information assets. This approach, however, often fails to acknowledge the ideologies and consequences of risks practices. In this paper, through critical analysis, we suggest various perspectives to advance the understanding in this regard. In doing so, we present our argument by reviewing the security risk literature using Habermas’s concept of four orientations: instrumental, strategic, communicative and discursive. The contribution of this paper is to develop conceptual clarity of the risk related ideologies and its consequences on emancipation. -- Highlighted apr 28, 2014

p.3207: There is a plethora of literature that discusses risks practices under functionalist paradigm and interpretive paradigm. The risks practices in these paradigms are mainly based on the ideology of protection of the object (information assets) through imposition and compliance of security policies. The missing perspective in the existing information security risk practices is emancipation of the subject (human) [4]. -- Highlighted apr 28, 2014

p.3207: To contribute to this missing perspective, the paper proposes to rethink the information ‘security as emancipation’ [5] rather than imposition. Emancipation in the organizational context refers to freeing employees from oppressive conditions, hence enabling them to realize their full potential [6]. This paper, however, is concerned with information security risk practices, hence borrows the definition of emancipation as “freeing the employees from the power structure by increasing the scope and depth of their information access (from [4], page.2)”. The authors [4] also suggested that emancipation of the employee could facilitate information assets protection. -- Highlighted apr 28, 2014

p.3208: The concept of risk ideology rests on the idea that they are the reification of social constructions for the benefit of some groups over some other groups [8]. Ideology is associated with a set of ideals, which explains how a certain practice is expected to function [9]. Moreover, the literature contains assumptions what is believed to represent the truth and legitimacy in actions carried out to fortify the ideology of the security risk practice [10]. The fundamental assumption is that the security risk practice, commonly considered the background for risk management, does not exist unless framed in the action that occurs when risks methods and risk techniques are considered in their deployment [5]. -- Highlighted apr 28, 2014

p.3208: The ideal underpinning the complex and unpredicted policy is advocating for inclusion of different stakeholders perspective on the subject of risk. The advantage of employing stakeholder perspective in the risk practice lies in the recognition that, e.g. computer users bring into risk identification activities. For instance, taking actions based on knowledge about technical and managerial security controls is considered responsive decision-making [13], and falls into risk strategy formulation. Recent research found that stakeholder participation in security risk management creates stronger alignment between risk management and the business context [14]. Similarly, risk awareness studies advocate that socio-organizational factors such as, technical knowledge, organizational impact, and attacker assessment are critical to risk assessment performance [15]. -- Highlighted apr 28, 2014

p.3208: However, these ideals illustrate the means-end oriented research objectives that substantially have influenced the organization of risk practices in order to protect information assets. -- Highlighted apr 28, 2014

p.3208: However, the reach of this functionalist approach is limited to possibility of defining instrumental goals and methods and strategic issues of concern for relevance stakeholders. When this ideology continuously influences the risk practice, there is a significant risk that the ideology itself becomes an illusion, a view that risk factors are under control when indeed they are not [5]. This raises several interesting issues about adherence to risk ideals. For instance, who decides which ideals are important? How to reinforce employees’ loyalty towards the ideology? How should the ideology be justified? And, how could it be evaluated? What are the criteria for evaluation? Are the criteria uniform or varying? -- Highlighted apr 28, 2014

p.3209: This falls back on situations where risk management is seen as a tool rather than an empowering mechanism for employees to reach their full potential as responsible actors. Whereas a tool view reinforces the risk agendas produced by managers, sharing risk conceptions among a wider audience of employees is likely to activate greater participation and generate inflow of risk knowledge from individuals [4]. -- Highlighted apr 28, 2014

p.3209: Furthermore Talib and Dhillon in [4] discuss that lack of participation leads to alienation, which is the result of being isolated from decision processes. A root cause is that organizations often tend to rely on so called key persons, ‘experts’, safeguarding that effective controls are in place to reduce the risk of breaches [14]. These experts become spokesmen for the selected approach or solution via à priori defined communication channels, which leaves little room for the empowerment of employees. This is indeed problematic as such one-dimensional thinking about risk practice procedures tends to recursively reinforcing narrow scope risk procedures. In such cases, empowerment does not lead to emancipation of employees [6]. -- Highlighted apr 28, 2014

p.3212: In this paper, we have identified that majority of infoSec literatures argued that the existing InfoSec risk practices perceive that risk is somehow predictable and controllable, which are marked by techno-deterministic or strategic politicization [10]. Consequently, the analysis of its assumptions, implications and the risk practices through which it is acted or enacted is dominated by such perceptions. -- Highlighted apr 28, 2014

p.3212: In the recent years, as literatures suggest, the perception of the InfoSec risk practices are accompanied by a tendency to conceive it as socio-technical phenomena, and advocate that the research should incorporate organizational, technical, social and cultural issues [2, 3]. -- Highlighted apr 28, 2014

p.3212: Finally, the discursive orientation aims at realizing the InfoSec risk practices through logical reasoning and argumentation. For example, the existing infoSec practices can be challenged in terms of its existing ideology. A better understanding of different discourses is required because today’s business risk environment doesn’t stop at the perimeter of the organization. Organizations have to deal with several technology/business discourses. For instance, ubiquitous computing, cloud computing, interorganizational information systems, areas that allows humans to operate information technology and automate data transfer in ways that are not that easy to control. -- Highlighted apr 28, 2014