Incorporating a knowledge perspective into security risk assessments

Piya Shedden (Department of Information Systems, University of Melbourne, Melbourne, Australia)
Rens Scheepers (Department of Information Systems, University of Melbourne, Melbourne, Australia)
Wally Smith (Department of Information Systems, University of Melbourne, Melbourne, Australia)
Atif Ahmad (Department of Information Systems, University of Melbourne, Melbourne, Australia)


ISSN: 0305-5728

Publication date: 17 May 2011



Many methodologies exist to assess the security risks associated with unauthorized leakage, modification and interruption of information used by organisations. This paper argues that these methodologies have a traditional orientation towards the identification and assessment of technical information assets. This obscures key risks associated with the cultivation and deployment of organisational knowledge. The purpose of this paper is to explore how security risk assessment methods can more effectively identify and treat the knowledge associated with business processes.


The argument was developed through an illustrative case study in which a well‐documented traditional methodology is applied to a complex data backup process. Follow‐up interviews were conducted with the organisation's security managers to explore the results of the assessment and the nature of knowledge “assets” within a business process.


It was discovered that the backup process depended, in subtle and often informal ways, on tacit knowledge to sustain operational complexity, handle exceptions and make frequent interventions. Although typical information security methodologies identify people as critical assets, this study suggests a new approach might draw on more detailed accounts of individual knowledge, collective knowledge and their relationship to organisational processes.


Drawing on the knowledge management literature, the paper suggests mechanisms to incorporate these knowledge‐based considerations into the scope of information security risk methodologies. A knowledge protection model is presented as a result of this research. This model outlines ways in which organisations can effectively identify and treat risks around process knowledge critical to the business.



Shedden, P., Scheepers, R., Smith, W. and Ahmad, A. (2011), "Incorporating a knowledge perspective into security risk assessments", VINE, Vol. 41 No. 2, pp. 152-166.

Download as .RIS



Emerald Group Publishing Limited

Copyright © 2011, Emerald Group Publishing Limited

Please note you might not have access to this content

You may be able to access this content by login via Shibboleth, Open Athens or with your Emerald account.
If you would like to contact us about accessing this content, click the button and fill out the form.
To rent this content from Deepdyve, please click the button.