Introduction
Recent Information Security (InfoSec) incidents have caused financial loss and shaken confidence in enterprises' InfoSec. For example, the WannaCry attack caused an estimated loss of $4 billion (Larson, 2017). Such incidents stem from a lack of InfoSec awareness rather than a lack of InfoSec resources (Fung, 2011). On the other hand, more innovative InfoSec protection measures have appeared recently, such as the halting of WannaCry's spread by a coincidental domain registration (Khomami & Solon, 2017). Such innovative measures may help in battling future InfoSec attacks and should be documented for further reference (Delugach, Etzkorn, Carpenter, & Utley, 2016). Knowledge management (KM) may assist such documentation in building InfoSec capacities, but the earlier related discussions were scenario-specific and inadequate for others to follow (Spears & San Nicolas-Rocca, 2015; San Nicolas-Rocca, Schooley, & Spears, 2014).
Treating InfoSec knowledge as a form of cognition (Berkenkotter & Huckin, 2016), we may place InfoSec knowledge within the social cognitive theory of Bandura (1986), which identifies cognition as one of the factors that affect human functioning. Thus, InfoSec knowledge, as a form of cognition, can influence the behaviour of employees. Yet its management has not been adequately addressed (Fung, 2011). In light of the inadequate inclusion of KM in InfoSec practices, we propose two research questions:
RQ1. Is knowledge maturity of the audited company important for information security (InfoSec) audit?
RQ2. Should information technology governance (ITG) play a more active role to promote knowledge-centric information security (KCIS)?
The answers can provide directions for developing a new and generic InfoSec audit model, for investigating how ITG mediates the influence of InfoSec knowledge on InfoSec audit, and for building a more solid foundation for adopting KM practices in InfoSec protection and audit.
Information security (InfoSec) is the collection of technologies, standards, rules, policies and management practices that keep information secure (Nozaki & Tipton, 2011). As organizations are now more dependent on their information systems (Rebollo, Mellado, Fernández-Medina, & Mouratidis, 2015), InfoSec risks may bring increasingly serious consequences (Nigel, 2003). A selection of InfoSec critical success factors is listed in Table 1.