Knowledge Systems and Risk Management: Towards a Risk and Threat Assessment Framework

Introduction

Whitman and Mattord (2019) quote Sun Tzu Wu on the importance of knowing yourself and knowing your enemy as a key to success in battle, or in designing and implementing information systems security. To accomplish the knowing of yourself and your enemy the corner stone of information systems/cyber security is the process of risk assessment. Risk assessment is used to know yourself by identifying data/information/ knowledge/technology assets (henceforth simplified to knowledge assets) and assigning. Risk assessment helps organizations know the enemy by determining the threats that could attack the organization’s knowledge assets. Risk management then uses these inputs to analyze the overall risk to the knowledge asset and determine the controls to be used to mitigate or remove the risk. All major security frameworks include a risk assessment and management process. For the United States the Nationals Institute of Standards and Technology (NIST) provides the risk management framework (RMF) as described in special publication, SP 800-12 rev 1 (2012), An Introduction to Information Security, SP 800-37 rev 2 (2018), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, and SP 800-53 rev 5 (2017) (draft), Security and Privacy Controls for Information Systems and Organizations. A similar process is outlined by the International Standards Organization (ISO). ISO27001:2013 Information technology -- Security techniques -- Information security management systems – Requirements and ISO7005:2018, Information technology -- Security techniques -- Information security risk management.

While these are fine risk frameworks, they are generic in nature and are not tailored specifically to knowledge management, KM, or knowledge systems. We do not claim that KM/knowledge systems are so unique as to require their own risk frameworks or that the above-mentioned risk frameworks are not useful. We are stating that KM/knowledge system managers will do a better job of risk assessment/ management of KM/knowledge systems if they have tailored guidance, specifically in two areas: threat assessment and risk analysis. Why do we think KM/knowledge systems need special guidance? We argue that the purpose of KM and knowledge systems are to support the sharing and application of knowledge by supporting decision making, throughout the organization to achieve organizational goals. Since the purpose is to share knowledge the tenets of information security are inherently at odds with KM/knowledge systems. It is our opinion that information security is still needed but should be applied in ways that recognize the uniqueness of knowledge sharing and decision processes. Jennex and Durcikova (2014) examined the integration of KM and security and found that security was not integrated into the KM job functions. Thus, the purpose of this paper is to provide specific guidance and requirements for KM/knowledge systems threat assessments and risk analysis. In addition, this paper is focusing on the risk of knowledge loss from a human source (we will only focus on this asset). Knowledge loss risk is defined as the expected impact to the organization resulting from the loss of a particular expert or knowledge worker. This is consistent with the NIST SP 800-37 rev 2, (2018) risk definition so the NIST risk algorithm will be used as the basis for determining knowledge loss risk.

This paper first starts with an overview of risk and risk management, threats and threat assessment, risk frameworks, and knowledge management (KM)/knowledge systems risk frameworks. This is followed by a KM/knowledge systems specific threat assessment that is based on literature review followed by a KM/knowledge systems risk framework proposal also based on literature review that incorporates the KM/knowledge systems specific risks. The literature review includes analysis of previous case studies and other research.

Background: Risk And Risk Assessment

The NIST SP 800-37r2 (2018) describes risk as the net negative impact of the exercise of a vulnerability; considering both the probability and the impact of occurrence. Risk is traditionally represented by the following formula: