Knowledge Systems and Risk Management: Towards a Risk and Threat Assessment Framework

Knowledge Systems and Risk Management: Towards a Risk and Threat Assessment Framework

Murray Eugene Jennex (San Diego State University, USA) and Alexandra Durcikova (University of Oklahoma, USA)
DOI: 10.4018/978-1-7998-2189-2.ch015


Knowledge is the most important asset that a company can have. Thus, it is imperative that this asset is safeguarded just like generic information assets. However, knowledge management (KM) and knowledge systems are different than traditional information systems with different threats and different operational requirements. Information security professionals recognize that risk assessment is the cornerstone to information security. The authors build on this perspective and propose that risk assessment techniques need to be applied to KM too to properly safeguard this asset. They discuss risk assessment frameworks and build on a KM/knowledge system specific risk assessment framework with a step-by-step guideline for KM/knowledge system specific threat assessment.
Chapter Preview


Whitman and Mattord (2019) quote Sun Tzu Wu on the importance of knowing yourself and knowing your enemy as a key to success in battle, or in designing and implementing information systems security. To accomplish the knowing of yourself and your enemy the corner stone of information systems/cyber security is the process of risk assessment. Risk assessment is used to know yourself by identifying data/information/ knowledge/technology assets (henceforth simplified to knowledge assets) and assigning. Risk assessment helps organizations know the enemy by determining the threats that could attack the organization’s knowledge assets. Risk management then uses these inputs to analyze the overall risk to the knowledge asset and determine the controls to be used to mitigate or remove the risk. All major security frameworks include a risk assessment and management process. For the United States the Nationals Institute of Standards and Technology (NIST) provides the risk management framework (RMF) as described in special publication, SP 800-12 rev 1 (2012), An Introduction to Information Security, SP 800-37 rev 2 (2018), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, and SP 800-53 rev 5 (2017) (draft), Security and Privacy Controls for Information Systems and Organizations. A similar process is outlined by the International Standards Organization (ISO). ISO27001:2013 Information technology -- Security techniques -- Information security management systems – Requirements and ISO7005:2018, Information technology -- Security techniques -- Information security risk management.

While these are fine risk frameworks, they are generic in nature and are not tailored specifically to knowledge management, KM, or knowledge systems. We do not claim that KM/knowledge systems are so unique as to require their own risk frameworks or that the above-mentioned risk frameworks are not useful. We are stating that KM/knowledge system managers will do a better job of risk assessment/ management of KM/knowledge systems if they have tailored guidance, specifically in two areas: threat assessment and risk analysis. Why do we think KM/knowledge systems need special guidance? We argue that the purpose of KM and knowledge systems are to support the sharing and application of knowledge by supporting decision making, throughout the organization to achieve organizational goals. Since the purpose is to share knowledge the tenets of information security are inherently at odds with KM/knowledge systems. It is our opinion that information security is still needed but should be applied in ways that recognize the uniqueness of knowledge sharing and decision processes. Jennex and Durcikova (2014) examined the integration of KM and security and found that security was not integrated into the KM job functions. Thus, the purpose of this paper is to provide specific guidance and requirements for KM/knowledge systems threat assessments and risk analysis. In addition, this paper is focusing on the risk of knowledge loss from a human source (we will only focus on this asset). Knowledge loss risk is defined as the expected impact to the organization resulting from the loss of a particular expert or knowledge worker. This is consistent with the NIST SP 800-37 rev 2, (2018) risk definition so the NIST risk algorithm will be used as the basis for determining knowledge loss risk.

This paper first starts with an overview of risk and risk management, threats and threat assessment, risk frameworks, and knowledge management (KM)/knowledge systems risk frameworks. This is followed by a KM/knowledge systems specific threat assessment that is based on literature review followed by a KM/knowledge systems risk framework proposal also based on literature review that incorporates the KM/knowledge systems specific risks. The literature review includes analysis of previous case studies and other research.


Background: Risk And Risk Assessment

The NIST SP 800-37r2 (2018) describes risk as the net negative impact of the exercise of a vulnerability; considering both the probability and the impact of occurrence. Risk is traditionally represented by the following formula:

R(risk) = p(probability of occurrence) x C(consequence of occurrence either represented by some value or by a loss function)

Key Terms in this Chapter

Risk Management: The process of identifying risk, assessing risk and taking steps to manage risk by reducing risks to an acceptable level (NIST SP 800-37 rev 2, 2018).

Threat Analysis: The process of identifying threat sources and the vulnerabilities they can use to exploit/damage a knowledge asset. The purpose of threat assessments is to identify specific threat sources and the vulnerabilities that would be used to attack the organization’s knowledge assets.

Complete Chapter List

Search this Book: