Dan Harnesk

Shaping security behaviour through discipline and agility

Purpose – The purpose of this paper is to broaden the understanding about security behaviour by developing a security behaviour typology based on the concepts of discipline and agility.Design/methodology/approach – A case study was designed to analyze security behaviours in one public nursing centre. The inquiry was organized around the themes discipline and agility, culture, and security processes in order to get an in‐depth understanding of the complex relationship between security management, referred to as discipline, and security in use, referred to as agility.Findings – The paper shows that security behaviour can be shaped by discipline and agility and that both can exist collectively if organizations consider the constitutional and existential aspects of information security (IS) management.Practical implications – This research makes a pivotal stand for the issue how security behaviours narrate a broad picture to enhance IS management. In particular, this will improve design of IS training and awa...

Genre-Based Assessment of Information and Knowledge Security Risks

Contemporary methods for assessing information security risks have adopted mainly technical views on the information and technology assets. Organizational dynamics of information management and knowledge sharing have gained less attention. This article outlines how an information security risk assessment method can be elaborated using knowledge-centric analysis of information assets. For this purpose, we suggest the use of a genre-based analysis method for identifying organizational communication patterns, through which organizational knowledge is shared. Initial experiences of the method try-outs by three experienced information security professionals are discussed. The article concludes with a look at the implications of a genre-based analysis of knowledge assets for future research and practice.

A framework for classifying design research methods

Design Science Research (DSR) methods are much debated by the IS community with regard to outcome and research process. This debate creates ambiguity for the novice researchers in terms of selecting appropriate DSR methods. To address this ambiguity, this essay proposes a framework for classifying the DSR methods by providing conceptual clarity about DSR outcome and DSR research process. The proposed framework creates a taxonomy differentiating between outcomes as a priori formulated or emergent through contextual interaction, likewise, viewing the research process as deductive or abductive. The taxonomy provides guidance to the researchers before embarking any DSR projects. The essay contributes to the on-going discussion on utilization of the DSR methods in DSR projects.

A Methodology for Inter-Organizational Emergency Management Continuity Planning

This paper extends emergency management literature by developing a methodology for emergency management continuity planning (EmCP). In particular, the methodology focuses on inter-organizational co ...

Genre-Based Approach to Assessing Information and Knowledge Security Risks

Contemporary methods for assessing information security risks have adopted mainly technical views on information and technology assets. Organizational dynamics of information management and knowledge sharing have gained less attention. This article outlines a new, genre-based, approach to information security risk assessment in order to orientate toward organization-and knowledge-centric identification and analysis of security risks. In order to operationalize the genre-based approach, we suggest the use of a genre-based analytical method for identifying organizational communication patterns through which organizational knowledge is shared. The genre-based method is then complemented with tasks and techniques from a textbook risk assessment method (OCTAVE Allegro). We discuss the initial experiences of three experienced information security professionals who tested the method. The article concludes with implications of the genre-based approach to analyzing information and knowledge security risks for future research and practice.

Rethinking the Information Security Risk Practices: A Critical Social Theory Perspective

There is a lack of theoretical understanding of information security risk practices. For example, the information security risks related literatures are dominated by instrumental approach to protect the information assets. This approach, however, often fails to acknowledge the ideologies and consequences of risks practices. In this paper, through critical analysis, we suggest various perspectives to advance the understanding in this regard. In doing so, we present our argument by reviewing the security risk literature using Habermass concept of four orientations: instrumental, strategic, communicative and discursive. The contribution of this paper is to develop conceptual clarity of the risk related ideologies and its consequences on emancipation.

Materializing Organizational Information Security

In the context of situated elderly care this paper discusses the intertwined relationship between organizational security objectives, technology, and employees’ security behavior. We use findings from a single case study to aid in our understanding of how managers sought to create a secure work environment by introducing behavioral security technology, and how employees appreciated the new security software in everyday routines. Theoretically the case study is informed by sociomateriality in that it employs the notion of technological affordances of behavioral security technology. Findings show that security technology material is an integral part of security management and security in use, and that both the technical actor and human actors contributed to cultivation of the information security practice in the elderly care center.

Multi-layers of information security in emergency response

This paper draws on the socio-technical research tradition in information systems to re-conceptualize the information security in emergency response. A conceptual basis encompassing the three layer ...