Integrating Knowledge Management into Information Security: From Audit to Practice

Cheuk Hang Au (The University of Sydney, Sydney, Australia) and Walter S. L. Fung (The Hong Kong Polytechnic University, Hunghom, Hong Kong)
Copyright: © 2019 | Pages: 16
DOI: 10.4018/IJKM.2019010103


Repeated information security (InfoSec) incidents have harmed people's confidence in enterprises' InfoSec capability. While most organisations adopt control frameworks such as ISO27001 and COBIT, the role and contribution of knowledge management (KM) to InfoSec has been inadequately considered. The authors integrated the concepts of knowledge-centric information security and IT governance (ITG) into an ITG-driven knowledge framework (ITGKF) for reinforcing the InfoSec maturity and auditability of enterprises. The authors also assessed whether ITG can embrace proper knowledge circulation within the InfoSec community. The authors confirmed the positive influence of IT governance on knowledge-centric information security (KCIS) and on information security maturity and audit result (ISMAR), the positive influence of KCIS on ISMAR, and the mediating role of KCIS between ITG and ISMAR. These findings indicate the significance of KM in the InfoSec area. Based on the findings, they propose possible changes for integrating KM into different InfoSec practices and audit standards.
Article Preview


Recent information security (InfoSec) incidents have brought financial loss and shaken confidence in enterprises' InfoSec. For example, the WannaCry attack brought an estimated loss of $4 billion (Larson, 2017). These incidents are due to a lack of InfoSec awareness rather than a lack of InfoSec resources (Fung, 2011). On the other hand, more innovative InfoSec protection measures have been seen recently, such as the halting of the spread of WannaCry by a coincidental domain registration (Khomami & Solon, 2017). Such innovative measures may help in battling future InfoSec attacks and should be documented for further reference (Delugach, Etzkorn, Carpenter, & Utley, 2016). Although knowledge management (KM) may assist such documentation for building InfoSec capacities, the earlier related discussions were scenario-specific and inadequate for others to follow (Spears & San Nicolas-Rocca, 2015; San Nicolas-Rocca, Schooley, & Spears, 2014).

Treating InfoSec knowledge as a form of cognition (Berkenkotter & Huckin, 2016), we may place InfoSec knowledge within the social cognitive theory of Bandura (1986), which identifies cognition as one of the factors that affect human functioning. Thus, InfoSec knowledge, as a form of cognition, can impact the behaviour of employees. Yet its management has not been adequately addressed (Fung, 2011). In light of the inadequate inclusion of KM in InfoSec practices, we propose two research questions:

  • RQ1. Is knowledge maturity of the audited company important for information security (InfoSec) audit?

  • RQ2. Should information technology governance (ITG) play a more active role to promote knowledge-centric information security (KCIS)?

The answers can provide directions for developing a new and generic InfoSec audit model and investigate how ITG mediates the influence of InfoSec knowledge on InfoSec audit, as well as a more solid foundation for adopting KM practices in InfoSec protection and audit.


Review Of Information Security

Information security (InfoSec) is the collection of technologies, standards, rules, policies and management practices used to keep information secure (Nozaki & Tipton, 2011). As organizations are now more dependent on their information systems (Rebollo, Mellado, Fernández-Medina, & Mouratidis, 2015), InfoSec risks may bring increasingly serious consequences (Nigel, 2003). Selected InfoSec critical success factors are listed in Table 1.
