Introduction
Knowledge and its creation are important sources of competitive advantage and business opportunities for most contemporary organizations (Alavi & Leidner, 2001; Choo, 1996; Grant, 1996; Nonaka & Takeuchi, 1995). Although knowledge creation, sharing and management have been researched extensively (e.g. Bolisani & Scarso, 2014; Matayong & Mahmood, 2013; Tzortzaki & Mihiotis, 2014), there is one perspective on knowledge that has received less attention: knowledge security (Randeree, 2006; Shedden, Scheepers, Smith, & Ahmad, 2011). Despite the importance of knowledge and the need for knowledge protection, there is little literature on knowledge security (Shedden et al., 2010). In terms of knowledge security and risk analysis, most existing risk analysis methods can be regarded as providing a purely technical view of information and technological assets (Ahmad, Bosua, & Scheepers, 2014; A.M. Padyab, Paivarinta, & Harnesk, 2014; Shedden et al., 2011; Shedden, Smith, & Ahmad, 2010; Spears, 2006), ignoring that knowledge is bound to people (Shedden et al., 2010, 2011; Ilvonen, 2013; A.M. Padyab et al., 2014), and that as a consequence people (Ilvonen, 2013; Trkman & Desouza, 2012; Shedden et al., 2011, 2010; Spears, 2006; Siponen, 2000; Spruit & Looijen, 1996) and especially their communication (Ilvonen, 2013; Padyab et al., 2014) are significant sources of knowledge security risks.
Since knowledge security risks have not received extensive attention in the existing literature (M. Jennex, 2014), there is a need to look also to parallel fields in order to understand the principles of security risk management. Information security risk assessment (ISRA) methodologies are means by which organizations aim to manage information security risks (Baskerville, 1991; Siponen, 2005; Whitman & Mattord, 2011). However, typical perspectives on information security risk management, including most ISRA methodologies, largely ignore the business context of information systems (Shedden et al., 2010; Spremic, 2012), and are not framed in terms of competitive advantage (Ahmad et al., 2014). When the business perspective is considered (DeLoach, 2004; Siponen, 2005; Von Solms & Von Solms, 2004), it is mainly limited to the evaluation of individual risk mitigation techniques and their cost reasoning, rather than starting from a broad perspective of reasoning the business benefits of an activity compared to the risks connected to it.