The significance of securing as a critical component of information security: An Australian narrative. / Burdon, Mark; Coles-Kemp, Lizzie.

In: Computers and Security, Vol. 87, 101601, 11.2019, p. 1-10.

Research output: Contribution to journal, Article

Published


BibTeX

@article{cbd2700fd53846178a072d5dcce3e0a7,
title = "The significance of securing as a critical component of information security: An Australian narrative",
abstract = "As information security is called upon to operate in increasingly unstable spaces, the role of the information security practitioner becomes ever more complex. Successful information security practice depends on tactics and strategies that situate the need for protection within organisational goals. These tactics and strategies have become progressively important as organisations are disrupted by digital technology. The locus of control is unpredictably distributed across groups within an organisation. Finding consensus about the need for security thus becomes challenging. Information security controls are an important part of the control structure but increasingly they are negotiated controls, making the process of securing as important as the security mechanisms themselves. We employ broader political and social theories of security, most notably Smith (2005), to analyse data from nine semi-structured interviews of Australian information security practitioners. Our findings delineate the interlinking concepts of securing and security. Security is straightforward. It is a state of being secure. Securing, on the other hand, is complex. It is a consensus-seeking, value-engagement process that enables the attainment of security. Through this analysis, we identify processes and techniques of securing tacitly employed by the participants. Central to effective securing practice is a participant{\textquoteright}s ability to, {\textquoteleft}get the security message right.{\textquoteright} The message is used to create an agreed value consensus across conflict-ridden environments. We contend that securing is often undervalued and not recognised as a distinct theoretical part of the discipline of information security. However, given the complexity and uncertainty of information security practice, we argue that securing needs to be considered as a critical component of being secure.",
author = "Mark Burdon and Lizzie Coles-Kemp",
year = "2019",
month = nov,
doi = "10.1016/j.cose.2019.101601",
language = "English",
volume = "87",
pages = "1--10",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",

}

RIS

TY - JOUR

T1 - The significance of securing as a critical component of information security

T2 - An Australian narrative

AU - Burdon, Mark

AU - Coles-Kemp, Lizzie

PY - 2019/11

Y1 - 2019/11

N2 - As information security is called upon to operate in increasingly unstable spaces, the role of the information security practitioner becomes ever more complex. Successful information security practice depends on tactics and strategies that situate the need for protection within organisational goals. These tactics and strategies have become progressively important as organisations are disrupted by digital technology. The locus of control is unpredictably distributed across groups within an organisation. Finding consensus about the need for security thus becomes challenging. Information security controls are an important part of the control structure but increasingly they are negotiated controls, making the process of securing as important as the security mechanisms themselves. We employ broader political and social theories of security, most notably Smith (2005), to analyse data from nine semi-structured interviews of Australian information security practitioners. Our findings delineate the interlinking concepts of securing and security. Security is straightforward. It is a state of being secure. Securing, on the other hand, is complex. It is a consensus-seeking, value-engagement process that enables the attainment of security. Through this analysis, we identify processes and techniques of securing tacitly employed by the participants. Central to effective securing practice is a participant’s ability to, ‘get the security message right.’ The message is used to create an agreed value consensus across conflict-ridden environments. We contend that securing is often undervalued and not recognised as a distinct theoretical part of the discipline of information security. However, given the complexity and uncertainty of information security practice, we argue that securing needs to be considered as a critical component of being secure.

AB - As information security is called upon to operate in increasingly unstable spaces, the role of the information security practitioner becomes ever more complex. Successful information security practice depends on tactics and strategies that situate the need for protection within organisational goals. These tactics and strategies have become progressively important as organisations are disrupted by digital technology. The locus of control is unpredictably distributed across groups within an organisation. Finding consensus about the need for security thus becomes challenging. Information security controls are an important part of the control structure but increasingly they are negotiated controls, making the process of securing as important as the security mechanisms themselves. We employ broader political and social theories of security, most notably Smith (2005), to analyse data from nine semi-structured interviews of Australian information security practitioners. Our findings delineate the interlinking concepts of securing and security. Security is straightforward. It is a state of being secure. Securing, on the other hand, is complex. It is a consensus-seeking, value-engagement process that enables the attainment of security. Through this analysis, we identify processes and techniques of securing tacitly employed by the participants. Central to effective securing practice is a participant’s ability to, ‘get the security message right.’ The message is used to create an agreed value consensus across conflict-ridden environments. We contend that securing is often undervalued and not recognised as a distinct theoretical part of the discipline of information security. However, given the complexity and uncertainty of information security practice, we argue that securing needs to be considered as a critical component of being secure.

U2 - 10.1016/j.cose.2019.101601

DO - 10.1016/j.cose.2019.101601

M3 - Article

VL - 87

SP - 1

EP - 10

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

M1 - 101601

ER -