Learning from Your Elders: A Shortcut to Information Security Management Success

Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2007)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 4680)

Abstract

Knowledge Management (KM), Quality Management (QM) and Safety Management (SM) are mature fields that have evolved and improved over time. Information security management (ISM) shares aspects of all three. For example, tougher customer demands require continuous quality improvement, while new threats create a need for constantly improved security. Information technology brings new opportunities, but also challenges, for KM, as it does for security. Organizations must comply with increasingly strict safety laws, analogous to ISM requirements imposed by, e.g., the Sarbanes-Oxley Act. Research and practical experience in KM, QM and SM have generated valuable insights that the younger, immature field of ISM can learn from. We present ten lessons and apply them to ISM. Key insights include the emphasis on good implementation over the choice of model, the necessity of multidisciplinary teams, long-term thinking, measurement, visualizing security costs, benchmarking, continuous improvement, collaboration, going beyond compliance, and security as a competitive advantage.



Editor information

Francesca Saglietti, Norbert Oster


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sveen, F.O., Torres, J.M., Sarriegi, J.M. (2007). Learning from Your Elders: A Shortcut to Information Security Management Success. In: Saglietti, F., Oster, N. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2007. Lecture Notes in Computer Science, vol 4680. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75101-4_21

  • DOI: https://doi.org/10.1007/978-3-540-75101-4_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75100-7

  • Online ISBN: 978-3-540-75101-4

  • eBook Packages: Computer Science (R0)
