CRITICAL REVIEW OF RESEARCH PAPER

TITLE OF RESEARCH PAPER:
Asset Identification in Information Security Risk Assessment: A
Business Practice Approach

AUTHOR NAME:
Piya Shedden and Atif Ahmad

YEAR OF PUBLICATION: 2016

JOURNAL NAME:
Communications of the Association for Information Systems

PURPOSE / OBJECTIVE OF RESEARCH:
To sustain competitive advantage in a knowledge economy, organizations need to protect their
knowledge and information assets such as intellectual property (IP), trade secrets, product blueprints
and business strategies (Ahmad, Bosua, & Scheepers, 2014a). A comprehensive and effective
information security management (ISM) strategy begins with an accurate information security risk
assessment (ISRA). An effective ISRA attempts to provide a prioritized estimation of the likelihood and
impact of a range of security scenarios, with each scenario considering potential threats to
organizational assets and existing protective controls.

METHODOLOGY OF RESEARCH:

However, recent studies into the practice of applying ISRA methodologies in organizations report that
they take a limited perspective of organizational “assets”, which ultimately leads to inaccurate security
risk assessments. We can identify two significant deficiencies. First, ISRAs typically adopt a traditional
accountancy-based view of assets that sees them as discrete and relatively static categories of
information that one can enumerate for auditing purposes, which leaves ISRAs with a coarse-grained
view of relevant assets and the related risks. Second, ISRAs tend to be restricted to those assets that are
visible in a formal business process view and do not take a sufficiently social and organizational
perspective that recognizes the informal work practices and workarounds in which assets exist and
evolve.
RESULTS / FINDINGS:

In our case study, we explored whether a richer analysis of an organization's information security assets
could address limitations in current ISRAs as used in the security industry. The rich description method
(RDM) that we devised and evaluated in the study combined techniques from qualitative field research
and systems analysis methodologies, including semi-structured interviews, richly annotated business
process modelling notation workflows, and scenario writing.

FUTURE RESEARCH DIRECTION:
We need further research to extend the current investigation by exploring other rich data-analysis
techniques to chart the assets, vulnerabilities, and risks associated with organizations’ informal side. We
also need to better understand the methodological context in which such techniques are applied. For
example, it would be valuable to establish whether one could devise a self-directed form of the current
RDM such that organizations could apply it by themselves with the same efficacy as we achieved in this
study.