Applying Knowledge Management within the Information Security Domain to Strengthen Policy Development in Developing Countries
摘要
Information security incidents continue to grow exponentially amidst the developing technological solutions. Malicious developers unabatedly introduce sophisticated strategies, while security experts and developers lag in response. Micro and Small Enterprises (MSE) in developing countries struggle to address information security issues effectively as they do not have the required resources, hence the cyber criminals capitalize on their weaknesses. MSE’s account for 90% of business in developing countries. This study investigates how knowledge management systems can strengthen the information security policy development process. It uses design science research methodology to build and evaluate a knowledge acquisition model (KAM) and a knowledge management system (KMS) for developing context-sensitive information security policies. The proposed knowledge acquisition model combines explicit knowledge extracted from the most widely adopted information security governance frameworks, COBIT and ISO/IEC 27005, and tacit knowledge elicited from information security stakeholders. The KMS utilizes the knowledge in the KAM with knowledge management techniques, resulting in a platform that combines expert information security knowledge with the strength of knowledge management. Evaluation exercises were conducted for the proposed knowledge acquisition model and the knowledge management system. The findings show that policies developed using the KMS were more accurate than those developed without the system, and users of the system believe it improved their performance. This study contributes to the literature on the use of knowledge management in the information security domain by integrating explicit and tacit information security knowledge. The prototype developed in this research can support MSEs who have limited (human and financial) resources. Implementation of this protype could strengthen their information security policy development capabilities.