AUTHOR NAME:
Piya Shedden and Atif Ahmad
JOURNAL NAME:
Communications of the Association for Information Systems
METHODOLOGY OF RESEARCH:
However, recent studies into the practice of applying information security risk assessment (ISRA) methodologies in organizations report that
they take a limited perspective of organizational “assets”, which ultimately leads to inaccurate security
risk assessments. We can identify two significant deficiencies. First, ISRAs typically adopt a traditional
accountancy-based view of assets that sees them as discrete and relatively static categories of
information that one can enumerate for auditing purposes, which leaves ISRAs with a coarse-grained
view of relevant assets and the related risks. Second, ISRAs tend to be restricted to those assets that are
visible in a formal business process view and do not take a sufficiently social and organizational
perspective that recognizes the informal work practices and workarounds in which assets exist and
evolve.
RESULTS / FINDING:
In our case study, we explored whether a richer analysis of an organization's information security assets
could address limitations in current ISRAs as used in the security industry. The rich description method
(RDM) that we devised and evaluated in the study combined techniques from qualitative field research
and systems analysis methodologies, including semi-structured interviews, richly annotated business
process modelling notation workflows, and scenario writing.