An Integrated Risk Management Framework: Measuring theiwi.uibk.ac.at/download/downloads/Publikationen/IJKM_Submitted.pdf · (Fadel et al., 2009). Several studies suggest that knowledge


Submitted to the International Journal of Knowledge Management

An Integrated Risk Management Framework: Measuring the Success of Organizational Knowledge Protection¹

Stefan Thalmann & Markus Manhart

University of Innsbruck School of Management Innsbruck, Austria

Paolo Ceravolo & Antonia Azzini Università degli Studi di Milano Computer Science Department

Milano, Italy

ABSTRACT Organizational risk management should not only rely on protecting data and information but also on protecting knowledge, which in many cases is underdeveloped or pursued through measures applied in an uncoordinated, dispersed way. Therefore, we propose a consistent top-down translation from the organizational risk management goals to implemented controls to overcome these shortcomings. Our approach, adopted from the domain of IT security management, allows measuring how well knowledge protection is actually pursued in organizations. This affects organizations’ abilities to prove compliance with risk management standards, laws, guidelines, or frameworks and creates transparency throughout the whole knowledge protection process. After introducing our integrated risk management framework, we demonstrate how the technical part of the framework can be implemented by using process mining in a case study of an Italian aerospace company.

Keywords Knowledge protection, knowledge management, risk management, performance measurement

INTRODUCTION It is no secret that organizations heavily rely on information systems (IS) nowadays and pay increasing attention to protecting them, as the consequences of security breaches are severe (Rees et al., 2003). Recently, companies have taken on great efforts to protect their data and information, spending a lot of money and resources to implement organizational frameworks such as COBIT and also engaging auditors to verify these frameworks. At the same time, knowledge management (KM) literature praises the sharing of knowledge and investigates how this sharing could be facilitated. However, even if organizations are aware of the negative impacts on organizational performance when knowledge protection is neglected, it has received little attention in practice and in KM literature so far (Jarvenpaa & Majchrzak, 2010; Väyrynen et al., 2013). Hence, it could happen that global organizational risk management goals are implemented rigidly for protecting data and information, and that these goals are neglected or implemented in a non-systematic way from the knowledge perspective. Solid strategies for knowledge protection are missing even though they are needed in today's world, in which the importance of knowledge steadily increases, as does the number of knowledge threats (Alstete, 2003). An increasing number of communication channels increases intended knowledge transfer, but reduces control over unintended knowledge transfer (Hamel et al., 1989). This problem is exacerbated by recent developments in the field of social media and mobile technologies, which seem promising for supporting organizations in their knowledge sharing (Bruck et al., 2012; Santos and Nagla, 2012; Wang and Shen, 2011) but create challenges for protecting knowledge for specific reasons: knowledge sharing happens whenever devices can be used at home, in the workplace, during transportation and during leisure activities (Wang and Shen, 2011), blurring the borders between work and leisure time as well as between knowledge sharing for oneself and for the job (Väyrynen et al., 2013), whilst the vulnerabilities of online knowledge sharing are perceived as second-order consequences (Jarvenpaa & Majchrzak, 2010). Although these trends imply many opportunities, such as contributions to an organization's performance and innovativeness (Easterby-Smith et al., 2008), they raise the need for establishing a framework for managing knowledge risks. Whilst IT security management (ITSM) literature has already recognized the necessity of proposing security frameworks, models or guidelines (Rees et al., 2003), KM literature has widely neglected this topic so far. Rather, knowledge protection is considered to be a barrier to knowledge sharing (Khamseh & Jolly, 2008), even if empirical research shows that successful knowledge protection significantly enhances organizational performance (Mills & Smith, 2011).

¹ This is a preprint of a paper intended for publication in a journal. Since changes may be made before publication, this preprint is made available with the understanding that it will not be cited or reproduced without the permission of the author.
However, neglecting knowledge protection can hinder innovation or cause replication of ideas by external organizations (Cheung et al., July 2012). Finding a balance between protecting and sharing knowledge is crucial, and in particular the concept of sharing also needs to be interpreted from a security point of view (Louw & Von Solms, 2013). Underestimating the importance of balancing protection and sharing of knowledge also impacts performance measurement in KM. Recently, the focus of performance measurement has been almost exclusively on knowledge sharing, mostly neglecting knowledge protection. While the evaluation of security controls based on KPIs has already been discussed in the ITSM literature (Demetz et al., 2011; Sheldon et al., 2008), similar efforts have been missing for measuring and quantifying the success of knowledge protection. This paper aims to address this gap by proposing a holistic organizational framework for risk management, incorporating the ITSM as well as the KM perspective. Furthermore, it aims at highlighting its contribution to the performance measurement of security controls for KM. First, we describe the related work for each of the concepts. Second, we introduce our integrated risk management framework. Then, we demonstrate how this framework can be implemented by using process mining in a case study of an Italian aerospace company. Finally, we conclude our work and give an outlook.

BACKGROUND Knowledge Sharing KM typically aims at increasing the visibility of knowledge by supporting its codification and structuring and its sharing to improve knowledge reuse (Maier, 2007). KM literature strongly focuses on the facilitation of knowledge transfer and its barriers. The key assumption is that successful knowledge transfer in organizations forms the basis for competitive advantages (Argote & Ingram, 2000; Bou-Llusar & Segarra-Ciprés, 2006). Furthermore, effective knowledge transfer is seen as the ability of an organization to share knowledge, and the task of KM is to facilitate this sharing (Goh, 2002). In today's distributed work environment, knowledge transfer increasingly takes place through mediated channels of communication, in which sender and receiver are geographically disconnected (Fadel et al., 2009). Several studies suggest that knowledge is exchanged through social software and Web 2.0 tools (Thalmann et al., 2012); even in situations in which knowledge workers are aware of the dangers, they still engage in ambivalent online collaborations (Jarvenpaa & Majchrzak, 2010). Furthermore, knowledge workers are currently equipped with a wide range of different devices, such as tablet PCs or smartphones, which can be used to share knowledge. These trends are all positively associated with knowledge sharing. However, they imply additional risks from a knowledge protection point of view and lead to less control over knowledge for the organization (Väyrynen et al., 2013); hence an information security perspective should be taken into account (Louw & Von Solms, 2013). Even if it is obvious that sharing all organizational knowledge can have negative impacts on organizational performance as well, knowledge protection has received little attention in the KM literature so far and has widely been ignored as a KM success factor (Jarvenpaa & Majchrzak, 2010; Jennex & Olfman, 2005). Recent literature rarely pays attention to this increased need for protecting knowledge, but knowledge protection should not be abandoned or marginalized (Gold et al., 2001). Not addressing the knowledge risks, or addressing them only improperly, leads to a lack or non-exclusivity of knowledge (Maier, 2007). Both effects could make knowledge management miss its target (Von Krogh, 2012).

Knowledge Protection Knowledge protection, as one of the three central organizational knowledge management strategies alongside knowledge creation and knowledge transfer (Bloodgood & Salisbury, 2001), is a firm's effort to prevent knowledge “from being altered, transferred to other organizations, lost, or becoming obsolete” (Bloodgood & Salisbury, 2001). Hence, the main goal of knowledge protection is to prevent knowledge spill-overs (Ilvonen, 2013), and firms need to establish protective capabilities to secure their strategically relevant knowledge (Von Krogh, 2012). First of all, knowledge itself is understood differently in the context of protection. Yodmongkon (2009) investigates knowledge from a society perspective, i.e. protecting cultural heritage. Other works focus on privacy, i.e. the knowledge of private consumers about security (Hui, 2010) or the protection of knowledge about personal information (Yassine et al., 2012). However, the majority focuses on knowledge in an organizational context, e.g. (Alstete, 2003; Norman, 2001; Olander et al., 2011), which is also the perspective of this work. Considering the literature that matches this scope of knowledge protection, some work focuses on protecting knowledge in the sense of defending it against attackers or industrial espionage (Norman, 2001; Olander et al., 2011) as well as in the sense of retention, i.e. knowledge loss related to leaving employees (Jennex, 2009; Jennex & Durcikova, 2013). Both views are in line with the definition of Bloodgood and Salisbury (2001) and are the focus of our work. Last but not least, knowledge protection gains some attention in the context of organizational knowledge and intellectual capital audits, with the primary focus on the identification of critical knowledge in order to subsequently develop a protection strategy (Chan & Lee, 2011). Gerber and Von Solms (2005) recommend applying an information security perspective to knowledge transfer.
Information security aims at satisfying the need to achieve, maintain and prove compliance with security requirements (Tracy, 2007). According to ITIL, information security is the alignment of security with the management organization (Höne & Eloff, 2002). Security requirements analysis is a top-down process considering the business requirements, the legal and regulatory requirements as well as the infrastructure risks (Gerber & von Solms, 2001). Applying information security approaches to knowledge protection first requires a distinction between information and knowledge. According to Tuomi (1999), knowledge must be articulated, verbalized and structured to become information; data results after fixing the representation and interpretation. More formalized structures facilitate the application of IT security approaches: the better a document can be described and classified, the better it can be protected by automatic measures. According to this definition, knowledge is less structured. However, it can be externalized and documented (Nonaka & Takeuchi, 1995). Documented knowledge stored in the organizational knowledge base is classified to a certain extent and hence similar to information assets (Desouza & Awazu, 2006). Consequently, this kind of knowledge can be protected with information security measures, which have been discussed extensively for this purpose (Desouza & Vanapalli, 2005). They do not, however, fully apply to explicit knowledge that is also stored in unclassified forms, such as e-mails, chats or notes. Although Desouza (2006) argues that information security concepts like awareness trainings can be applied to protect tacit knowledge, this remains difficult for organizations, as tacit knowledge is sticky and complex and is not visible when observed (Nonaka & Takeuchi, 1995). Hence, organizations are often not aware of the whole body of tacit knowledge they embed. Both unclassified explicit knowledge and tacit knowledge are communicated via information channels, but their detection is challenging, which makes many protection methods inappropriate (Liebeskind, 1996) (see Figure 1).

[Figure 1: Protection of Tacit and Explicit Knowledge. Diagram: a Sender passes knowledge to a Receiver. Knowledge is either tacit or explicit, and explicit knowledge is either classified or unclassified. Information security covers the classified explicit knowledge; the tacit and unclassified explicit paths are marked X and run through voice communication, collaboration environments, social media and unclassified documents.]

Performance Measurement in KM Performance measurement is defined as the process of “quantifying the efficiency and effectiveness of action” (Neely et al., 2005). It measures whether an organization achieves the goals defined in its business strategy (Neely et al., 2005). Yet, performance measurement in KM mainly focuses on the knowledge sharing capability (Zack et al., 2009) or on the value of the intellectual capital (Erickson & Rothberg, 2009). As mentioned above, knowledge audits touch on knowledge protection in terms of identifying critical knowledge to be protected. Less attention has been paid to measuring the organizational ability to protect knowledge, and only a few works have been published on the topic. Jennex (2009) and Jennex and Durcikova (2013) present an engineering approach to assess the risk of knowledge loss. However, performance measurement can be considered a factor supporting the knowledge protection of a firm (Jennex & Zyngier, 2007), and knowledge protection should be considered when measuring the success of knowledge management (Jennex & Zyngier, 2007).


In the literature, knowledge audits are discussed as a means to assess what kind of knowledge is needed, how knowledge can affect the organizational culture, or how it contributes to addressing business needs (Liebowitz et al., 2000). However, knowledge protection is necessary for effective functioning and control within organizations (Mills & Smith, 2011); therefore, extending knowledge audits to measure the performance of knowledge protection would be necessary to successfully manage knowledge protection. To measure whether and how well an organization achieves its goals, performance metrics need to be related to objectives, i.e. control objectives (Kueng, 2000). Jennex and Zyngier (2007) argue that measurement is a means to align KM processes with organizational strategy. A performance metric quantifies the effectiveness or efficiency of an action, i.e. of an implemented control (Neely et al., 2005). Therefore, a performance measurement framework should be closely related to the implementation of top-level risk management goals. By assessing these performance metrics in an internal (knowledge) audit, for example, the performance of knowledge protection can be evaluated.

TOWARDS AN INTEGRATED FRAMEWORK Nowadays, risk management heavily relies on the individual perception of human beings (Trkman & Desouza, 2012) and demands a solid planning model (Alstete, 2003). In this section we make a first step towards such a solid planning model and outline our integrated risk management framework. Our main assumption is that organizational risks can impact ITSM as well as KM. Organizational ITSM strives to protect data, information, as well as explicit classified knowledge. The latter can be stored in repositories in documented form (Maier & Thalmann, 2008) and is protected by technical controls of ITSM (Desouza, 2006). However, a substantial and steadily increasing part of the (explicit) organizational knowledge is currently neither classified nor stored in organizational repositories. Rather, it is stored in and exchanged via social software and social media and thus is difficult to protect by ITSM controls (Peinl et al., 2013). Besides this challenge, implicit knowledge cannot be secured by such technical measures at all. Hence, organizations have to ensure that their explicit knowledge stored in organizational IT, the transfer pipeline, as well as the implicit knowledge of their employees are properly protected (Alstete, 2003). Our approach strives to portray knowledge protection as a holistic approach taking these dimensions into account. The main objective of risk management is to identify and assess all risks and then to suggest a set of controls that help to reduce these risks (Gerber & von Solms, 2001). Risk management has so far mainly followed the natural science paradigm, focusing on tangible assets. However, this approach is not suitable when it comes to intangible assets and hence should be extended by social science perspectives (Gerber & Von Solms, 2005). This, however, demands a balanced recognition of securing data, information and knowledge simultaneously.
The left pillar of Figure 2 shows how the transformation of the requirements from risk management into configurations is performed in ITSM. Organizations also need to specify their unique, organization-specific security requirements matching their business activities (Siponen & Willison, 2009). Based on international frameworks, such as COBIT, these security requirements are then translated into controls, which are finally enforced by configurations of the IT landscape to reduce risks to an acceptable level as indicated by the assessed measure of risk (Gerber & Von Solms, 2005). Finally, IT audits commonly validate the adequacy and effectiveness of internal controls (Carlin & Gallegos, 2007; Julisch et al., 2011). These audits are performed by external IT auditors to attest the organizations' fit with given regulatory, legal as well as compliance requirements. The explicit goal of this work is to adapt this approach from ITSM to the domain of knowledge protection, as illustrated in the right pillar of Figure 2. Similar to ITSM, the need for knowledge protection also depends on the industry sector and the organizations themselves and hence needs to be determined for each organization individually (Erickson & Rothberg, 2009). Analogous to the translation of information security requirements, organizational risk management requirements should be translated stepwise into knowledge protection requirements, knowledge protection controls and subsequently into configurations and practices to protect knowledge. Organizations would also benefit from implementing controls for knowledge protection in terms of performance measurement. Jennex and Zyngier (2007) also recommend taking the security perspective into account when measuring knowledge management success. Transforming requirements from risk management into concrete configurations and practices allows organizations to measure performance on a detailed level, as high-level and low-level measures are clearly linked. The implementation of controls for knowledge protection also allows organizations to conduct meaningful audits. Audit results can then be used to determine the performance of practices for knowledge protection, configurations of KM systems, or even the internal knowledge audit processes themselves. In the following, we first describe how our approach could be used for the design and implementation of organizational risk management taking knowledge protection into account, before outlining how performance measurement can benefit from the framework.

[Figure 2: An Integrated Risk Management Framework. Diagram: organizational Risk Management at the top feeds two pillars, with a Performance Measurement column between them. Left pillar, IT Security Management: Security requirements → (transformation) → Selection of control objectives → Security controls → Control design → Configurations → Verify control implementation → (Internal) IT audits. Right pillar, Knowledge Management: Knowledge protection requirements → (transformation) → Selection of control objectives → Knowledge protection controls → Control design → Practices & Configurations → Verify control implementation → Knowledge audits. Performance measurement: Definition of performance metrics, attached to the controls in both pillars.]

Design and implementation: First, top-level risk management requirements have to be defined, using the security requirements analysis for example. Three major factors have been identified to play a role in this process: (1) business requirements, (2) legal and regulatory requirements and (3) infrastructure risks (Gerber & von Solms, 2001). Our example of such a high-level business security requirement is “protect customer affairs”, arising from the risk that disclosure of customer data would usually entail penalties from Service Level Agreements, for example. In the context of ITSM this would mean protecting customer data and all services in which these data are processed; in the context of KM, protecting customer knowledge. These requirements are declarative, defining what should be protected instead of how it is done. As a next step, requirements should be translated into a set of imperative controls. For ITSM this could be, among others: “make the customer database inaccessible from the internet”; for KM: “no customer knowledge should be stored in publicly accessible parts of the organizational knowledge sharing platforms”. Here the definition of performance metrics for knowledge protection is possible. In the context of ITSM, the coverage of access control could be one performance metric. In the case of knowledge protection, the number of fragments of customer knowledge in publicly accessible parts of the organizational knowledge sharing platforms could be one possible performance metric. Finally, the specified knowledge protection controls should be implemented by means of configurations of the knowledge management system as well as in instructions for knowledge protection. For ITSM, such an abstract configuration of the customer database could be “block all traffic at the firewall between the internet and the customer database”. For knowledge protection an instruction could be “each employee has to attend at least one knowledge protection awareness training per year”.

Performance measurement: The concept of knowledge audits is not completely new to organizations. However, it is often considered as related to assessing what knowledge is needed, culture assessments, or business needs assessment (Liebowitz et al., 2000). This view widely ignores knowledge protection. When translating the top-level risk management requirements into controls and configurations as it is done in ITSM, knowledge audits need to consider the audit from a knowledge point of view as well.
In ITSM, the controls are assessed according to how well they are generally able to satisfy a security requirement and how effectively they are implemented from an ITSM point of view. Knowledge audits do not cover the knowledge protection aspect so far. In our approach, the defined performance metrics are checked, for example, by internal auditors. They assess whether the previously defined controls are properly designed and implemented. At that point, our approach contributes to enhancing the measurability of performance in protecting knowledge. The level of knowledge protection would be transparent to decision makers, and improvements could be made in a targeted way. The following performance measures currently applied in practice were identified in a focus group interview (Thalmann & Manhart, 2013):

• The ratio of positive access checks to the whole number of access tests.
• The ratio of suspicious issues related to all issues tracked by an issue-tracking system.
• User awareness of knowledge protection.
• User acceptance of the knowledge protection initiative.

With respect to the example above: in the context of ITSM, access to the customer database could be assessed by analyzing log files, for example. In the case of knowledge protection, auditors have to (regularly) scan the publicly accessible parts of the organizational knowledge sharing platform and its versioning history and calculate a value for this performance metric. In a nutshell, organizations should make efforts towards establishing internal knowledge audits that assess whether measures for knowledge protection (configurations of KM systems and KM practices) are in place to implement the requirements from risk management.
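To make the measurement step concrete, here is an added Python example (not from the paper and not any organization's audit tooling) that keeps the requirement → control → metric chain of the worked example explicit and computes two of the metrics named above from constructed data: the count of customer-knowledge fragments in the public part of a knowledge sharing platform, including its version history, and the ratio of positive access checks to all access tests. The watch-list of customer terms, the wiki snapshot and the access-test results are all constructed.

```python
"""Performance-metric computation for the requirement -> control -> metric
chain of the worked example. Added illustration, not the paper's tooling."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MetricChain:
    requirement: str  # declarative: what has to be protected
    control: str      # imperative: how the requirement is enforced
    metric: str       # what an auditor measures for this control


# The two chains from the worked example above, in the paper's wording.
KM_CHAIN = MetricChain(
    "protect customer affairs",
    "no customer knowledge in publicly accessible parts of the knowledge sharing platform",
    "customer-knowledge fragments in public pages, including version history",
)
ITSM_CHAIN = MetricChain(
    "protect customer affairs",
    "make the customer database inaccessible from the internet",
    "ratio of positive access checks to all access tests",
)

# Constructed watch-list: phrases the organization treats as customer knowledge.
CUSTOMER_TERMS = ("Acme Corp", "contract 4711", "SLA penalty")

# Constructed platform snapshot: page -> (visibility, versions oldest..newest).
PLATFORM = {
    "Project Atlas": ("public", [
        "Kick-off: Acme Corp needs delivery by Q3, SLA penalty on delay.",
        "Kick-off: the customer needs delivery by Q3.",  # sanitized, but v1 stays in history
    ]),
    "Laptop requests": ("public", ["Open a ticket to request a laptop."]),
    "Acme account": ("internal", ["Acme Corp contract 4711 terms and contacts."]),
}

# Constructed access-test results: expected versus observed access decision.
ACCESS_TESTS = [
    {"source": "internet", "expected": "deny", "observed": "deny"},
    {"source": "office-lan", "expected": "allow", "observed": "allow"},
    {"source": "guest-wifi", "expected": "deny", "observed": "allow"},
    {"source": "vpn", "expected": "allow", "observed": "allow"},
]


def public_fragments(platform, terms):
    """Scan every version of every public page; return (page, version, term) hits.
    Version history is included because sanitizing the current page does not
    remove what earlier versions still expose."""
    hits = []
    for page, (visibility, versions) in platform.items():
        if visibility != "public":
            continue
        for number, text in enumerate(versions, start=1):
            lowered = text.lower()
            hits.extend((page, number, t) for t in terms if t.lower() in lowered)
    return hits


def access_check_ratio(tests):
    """Share of access tests whose observed decision matched the expected one."""
    positive = sum(1 for t in tests if t["expected"] == t["observed"])
    return positive / len(tests)


def audit(platform=PLATFORM, terms=CUSTOMER_TERMS, tests=ACCESS_TESTS):
    """Evaluate both metrics and record whether each control is met."""
    hits = public_fragments(platform, terms)
    ratio = access_check_ratio(tests)
    return {
        KM_CHAIN.metric: {"value": len(hits), "findings": hits, "control_met": not hits},
        ITSM_CHAIN.metric: {"value": ratio, "control_met": ratio == 1.0},
    }


if __name__ == "__main__":
    for metric, result in audit().items():
        print(metric, "->", result)
```

On the constructed snapshot the sanitized page still counts two fragments because its first version remains in the history, which is why the text asks auditors to scan the versioning history as well.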

DEMONSTRATION CASE Our case study was constructed by running an interview within the Knowledge Management Department of GE Avio S.r.l., a division of General Electric Aviation operating in the aerospace sector with its head office in Rivalta di Torino, Turin, Italy. Together with the management we selected a restricted set of process instances (N=33) to test the potential of Process Mining techniques (van der Aalst et al., 2007) in supporting knowledge protection. In the last decade the design process at AVIO was subject to constant revisions due to the involvement of actors outside the organization, such as sub-contractors of the company or supervisors of the clients². For this reason AVIO put in place a Data Loss Prevention system (Wuchner & Pretschner, 2012) designed to detect document transmissions while the documents are in use. The approach implemented involves performing an online analysis of the transmissions with the aim of proving that there is no leak of strategic knowledge. The starting point of the analysis is the classification of documents based on different levels of criticality. In our case, three levels are used: low (L), medium (M) and high (H). The system then tracks any transmission of documents among users and implements controls to prevent knowledge leaks from a high level of criticality to a lower one. AVIO positively appraised the introduction of this system but recognizes several limitations. The controls implemented on the document management process are, for instance, restricted to classified knowledge. However, intuition suggests that knowledge leaks can be correlated with anomalous handling of the document management process that typically bypasses or leaves incomplete the classification procedure. For this reason, we investigated log data to induce novel knowledge about the document management process, in particular to discover expected behaviour and, by consequence, to define anomalous behaviours that, even if not explicitly classified as critical, represent potential situations of knowledge leak. Design and Implementation: The proposed integrated risk management framework was applied to the introduced case, and the high-level requirement from the organizational risk management is “protection of intellectual capital”.
This is particularly important for this company, which works in a high-tech industry with strong competition on innovations. Based on this high-level risk management requirement, the knowledge protection requirement “protect knowledge developed and exchanged in the AVIO document management system” was established. It turned out that the AVIO document management system was used for exchanging knowledge with the Computer Assisted Design process. Knowledge-sharing behaviour can be retrieved via objective measurements using the log data generated by information systems (Suhwan et al., 2011). Hence, we also applied this approach and analyzed the log data of the system using Process Mining techniques (van der Aalst et al., 2007) in order to detect expected as well as anomalous process behaviour. Table 1 shows a fragment of a workflow log generated by the AVIO document management system.

2 In particular for military programs that require agreeing to protocols imposing the involvement of military personnel in all the phases of the production.


Table 1: Data Loss Log

The system reports all the events that generated a new status on a specific document. In particular, for each event it is specified: (i) the type of event (Create, Update, Share); (ii) the originator of the event, expressed by the email address; (iii) the timestamp, which allows us to chronologically order the events; and (iv) the level of criticality (estimated value) of the file, adopted by the Data Loss Prevention software tracking in-use actions. Process Mining algorithms use this information to discover a reference model that satisfies some specific criteria such as fitness (the ability to reproduce the log) or simplicity and specificity (Rozinat et al., 2008). However, as they apply an inductive approach, certain paths through the process model may have a low probability and therefore remain unrepresented in the reference model. Noisy data (i.e., logs containing exceptions) can further complicate matters. For detecting anomalous behaviors it is then necessary to define the expected behavior, and this can be done by identifying a constraint that applies to the event sequences that are normally registered in the workflow logs. For instance, we may be interested in mining expected behavior in terms of process length. Performance Measurement: Applying Process Mining techniques, and in particular running the Fuzzy Miner algorithm (Mans et al., 2009) available in DISCO (see footnote 3), we can deduce for example the process model shown in Figure 3, based on the full version of the log presented in Table 1.

3 http://fluxicon.com/disco/


Figure 3: A model representing the information flow detected by the Data Loss Prevention

The model is generated making assumptions about the completeness of the log, i.e. that the log trace contains all the possible dependencies among events. The extracted model shows us the prevalent flow, weighing the events and the event dependencies with their absolute frequency. From this model we can for instance understand that every trace starts with a Create event and ends with an Update event. After a Create the process always goes to an Update. An Update leads to a Share (confidence: 0.55; support: 0.29), to an Update (confidence: 0.3; support: 0.16), or to the end of the process (confidence: 0.11; support: 0.06). A Share leads to an Update (confidence: 0.6; support: 0.25), to a Share (confidence: 0.26; support: 0.11), or to the end of the process (confidence: 0.12; support: 0.05). Confidence can be interpreted as the probability of observing the second event directly after the first; this probability is more significant when the support is high, as the support represents the proportion of observations recording this subsequent relation (Jiawei & Kamber, 2001). During the detection of anomalous behavior in terms of process length we discovered that the average process length is 9.31 and the standard deviation is 2.49. We then understand that the last two traces presented in Table 1 are anomalous. In (Azzini et al., 2013) some of us analyzed the same case study focusing on the expected behavior in terms of the alternation of document transmissions inside and outside the boundaries of the organization. The expected behavior identified shows that before a document is shared externally to the organization it has to pass some internal steps (mean 4.45; standard deviation 1.2). Based on this observation we specified performance measures to implement the knowledge protection control “prevent knowledge leak”. The measures we described are associated with min and max values defining the expected behavior.

Performance Measure                                                  | Expected Behavior
---------------------------------------------------------------------|----------------------
Number of transmissions in the history of a document                 | Min: 6.82, Max: 11.8
Number of transmissions before the document is shared externally     | Min: 3.25, Max: 5.65
Number of unique users involved in the history of a document         | Min: 2.75, Max: 4.15

Table 2: Performance measures

The definition of performance measures and the collection of data is a first and crucial step for increasing the awareness about the protection of the intellectual capital. The application of the proposed risk management framework requires, however, an iterative implementation. This first step of defining the performance measures, together with the associated expected behavior, must subsequently be validated to verify the correlation with the prevention of knowledge leaks on the whole data set.
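The following is an added example, not code from the paper, from AVIO or from DISCO: on a small constructed log with the Table 1 fields it recomputes the directly-follows relation with confidence and support (as read off Figure 3) and derives the Table 2 expected ranges as mean plus or minus one standard deviation, which is how the reported bounds follow from the reported mean 9.31 and deviation 2.49. The document ids, addresses, timestamps and the internal domain example.com are assumptions.

```python
"""Added example, not code from the paper, AVIO or DISCO: it recomputes, on a
constructed log, the directly-follows relation with confidence and support
(Figure 3) and the mean +/- one standard deviation bounds of Table 2."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

END = "END"  # pseudo-successor of the last event of a trace

# Constructed records with the Table 1 fields: (document id, event type,
# originator e-mail, timestamp, criticality). Names, addresses and times are
# invented; the domain partner.example stands for an external party.
LOG = [
    ("D1", "Create", "ann@example.com", "2013-03-01T09:00", "M"),
    ("D1", "Update", "ann@example.com", "2013-03-01T09:30", "M"),
    ("D1", "Share", "bob@example.com", "2013-03-01T10:00", "M"),
    ("D1", "Update", "bob@example.com", "2013-03-01T11:00", "M"),
    ("D1", "Update", "ann@example.com", "2013-03-01T12:00", "M"),
    ("D2", "Create", "ann@example.com", "2013-03-02T09:00", "H"),
    ("D2", "Update", "cid@example.com", "2013-03-02T09:10", "H"),
    ("D2", "Share", "cid@example.com", "2013-03-02T09:40", "H"),
    ("D2", "Share", "dee@partner.example", "2013-03-02T10:00", "H"),
    ("D2", "Update", "dee@partner.example", "2013-03-02T10:30", "H"),
    ("D3", "Create", "eve@example.com", "2013-03-04T08:00", "H"),  # short
    ("D3", "Update", "eve@example.com", "2013-03-04T08:01", "H"),  # history
]

def traces(log):
    """Group events per document and order them by timestamp (field iii)."""
    per_doc = defaultdict(list)
    for doc, event, who, _ts, _level in sorted(log, key=lambda r: (r[0], r[3])):
        per_doc[doc].append((event, who))
    return per_doc

def directly_follows(per_doc):
    """Confidence = P(B is next | A); support = share of all observed pairs."""
    pairs = Counter()
    for trace in per_doc.values():
        events = [event for event, _ in trace] + [END]
        pairs.update(zip(events, events[1:]))
    total = sum(pairs.values())
    from_a = Counter()
    for (a, _b), n in pairs.items():
        from_a[a] += n
    return {ab: {"confidence": n / from_a[ab[0]], "support": n / total}
            for ab, n in pairs.items()}

def expected_range(values):
    """Mean +/- one standard deviation; this reproduces the Table 2 bounds
    (9.31 +/- 2.49 gives 6.82 and 11.8). Population std is an assumption."""
    m, s = mean(values), pstdev(values)
    return (round(m - s, 2), round(m + s, 2))

def anomalies(per_doc, measure):
    """Documents whose measure lies outside the expected range."""
    scores = {doc: measure(trace) for doc, trace in per_doc.items()}
    lo, hi = expected_range(list(scores.values()))
    return sorted(doc for doc, v in scores.items() if not lo <= v <= hi)

def transmissions(trace):  # Table 2, row 1: length of the document history
    return len(trace)

def steps_before_external(trace, internal="example.com"):  # Table 2, row 2
    """Events before the first Share by an originator outside `internal`;
    the internal domain is an assumption, the paper does not name one."""
    for i, (event, who) in enumerate(trace):
        if event == "Share" and not who.endswith("@" + internal):
            return i
    return len(trace)

def unique_users(trace):  # Table 2, row 3
    return len({who for _, who in trace})
```

On this log `anomalies(traces(LOG), transmissions)` flags only D3, whose two-event history lies below the lower bound, mirroring how the short traces of Table 1 were identified.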

DISCUSSION AND OUTLOOK In this paper we highlighted the current imbalance in implementing organizational risk management. It turned out that this implementation is currently performed rigidly for data and information by ITSM and rather superficially, or not at all, for knowledge. To ensure an overarching and consistent risk management approach, both perspectives need to be aligned. Therefore, we propose to adapt the already established procedures for data and information from ITSM to the domain of knowledge protection. Our framework recommends transforming high level risk management requirements into knowledge protection requirements, knowledge protection controls and finally into concrete measures. This translation process also includes the definition of performance metrics to assess the success of the knowledge protection campaign. Thereby, it should be noted that our framework is not a detailed knowledge protection plan for each organization, but rather a framework guiding the development of an organization-specific risk management approach that takes the knowledge protection perspective explicitly into account. A stronger focus on knowledge protection in times of increased product piracy and patent rows seems to be an important aspect for KM as well. In particular, current empirical evidence that successful knowledge protection significantly enhances organizational performance underlines this development (Mills & Smith, 2011). This domain is also promising, as the measurement approach in the form of audit reports is already known to controllers and accountants responsible for the budgets. Here, the measurement is much more direct and traceable for them compared to measuring the more indirect success of knowledge sharing, for example.
In the demonstration case we illustrated how our model can guide the identification of new performance measures that are iteratively refined to improve first the awareness and then the controls on knowledge protection. However, the proposed approach is a first step to systematize and coordinate knowledge protection and needs further attention from the KM community. In our future research we first want to investigate the current practices of knowledge protection in an explorative field study. Here our focus will be on organizational networks, as the balance between sharing and protecting knowledge is particularly challenging in this context (Trkman & Desouza, 2012). Subsequently, a revised and more detailed framework should be developed on the basis of the empirical results. Our current expectation is that technical solutions known from ITSM can be adapted to the needs of knowledge protection in KM systems. We plan to continue this research by accompanying an implementation project of a KM system. Here, the technically oriented part of the framework should be implemented and evaluated, continuing the research presented in the demonstration case.


REFERENCES

Alstete, J. (2003). Trends in Corporate Knowledge Asset Protection. Journal of Knowledge Management Practice, 4.

Argote, L., & Ingram, P. (2000). Knowledge Transfer: A Basis for Competitive Advantage in Firms. Organizational Behavior and Human Decision Processes, 82(1), 150-169.

Azzini, A., Braghin, C., Damiani, E., & Zavatarelli, F. (2013). Using Semantic Lifting for improving Process Mining: a Data Loss Prevention System case study. Paper presented at the Third International Symposium on Data-Driven Process Discovery and Analysis, Riva del Garda, Italy.

Bloodgood, J. M., & Salisbury, D. (2001). Understanding the influence of organizational change strategies on information technology and knowledge management strategies. Decision Support Systems, 31(1), 55-69.

Bou-Llusar, J. C., & Segarra-Ciprés, M. (2006). Strategic knowledge transfer and its implications for competitive advantage: an integrative conceptual framework. Journal of Knowledge Management, 10(4), 100-112.

Carlin, A., & Gallegos, F. (2007). IT audit: A critical business process. Computer, 40(7), 87-89.

Chan, P. C. W., & Lee, W. B. (2011). Knowledge Audit with Intellectual Capital in the Quality Management Process: An Empirical Study in an Electronics Company. The Electronic Journal of Knowledge Management, 9(2), 98-116.

Cheung, C., Ma, R., Wong, W., & Tse, Y. (2012). Development of an Organizational Knowledge Capabilities Assessment (OKCA) Method for Innovative Technology Enterprises. World Academy of Science, Engineering and Technology, (67), 54-65.

Demetz, L., Thalmann, S., Bachlechner, D., & Maier, R. (2011). Performance Measurement in Cross-Organizational Security Settings. Paper presented at the International Workshop on Security Measurements and Metrics, Alberta, Canada.

Desouza, K. C. (2006). Knowledge Security: An Interesting Research Space. Journal of Information Science and Technology, 3(1), 1-7.

Desouza, K. C., & Awazu, Y. (2006). Knowledge management at SMEs: five peculiarities. Journal of Knowledge Management, 10(1), 32-43.

Desouza, K. C., & Vanapalli, G. K. (2005). Securing Knowledge in Organizations: Lessons From the Defense and Intelligence Sectors. International Journal of Information Management, 25(1), 85-98.

Easterby-Smith, M., Lyles, M. A., & Tsang, E. W. (2008). Inter-organizational knowledge transfer: Current themes and future prospects. Journal of Management Studies, 45(4), 677-690.

Erickson, G. S., & Rothberg, H. N. (2009). Intellectual capital in business-to-business markets. Industrial Marketing Management, 38(2), 159-165.

Fadel, K. J., Durcikova, A., & Hoon, S. C. (2009). Information Influence in Mediated Knowledge Transfer: An Experimental Test of Elaboration Likelihood. International Journal of Knowledge Management, 5(4), 26-42.

Gerber, M., & von Solms, R. (2001). From Risk Analysis to Security Requirements. Computers & Security, 20(7), 577-584.

Gerber, M., & von Solms, R. (2005). Management of Risk in the Information Age. Computers & Security, 24(1), 16-30.

Goh, S. C. (2002). Managing Effective Knowledge Transfer: An Integrative Framework and some Practice Implications. Journal of Knowledge Management, 6(1), 23-30.

Gold, A. H., Malhotra, A., & Segars, A. H. (2001). Knowledge Management: An Organizational Capabilities Perspective. Journal of Management Information Systems, 18(1), 185-214. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=4753208&site=ehost-live

Hamel, G., Doz, Y. L., & Prahalad, C. K. (1989). Collaborate with your Competitors and Win. Harvard Business Review, 67(1), 133-139.

Höne, K., & Eloff, J. H. P. (2002). Information security policy — what do international information security standards say? Computers & Security, 21(5), 402-409. http://www.sciencedirect.com/science/article/pii/S0167404802005047

Hui, W. (2010). Brand, knowledge, and false sense of security. Information Management & Computer Security, 18(3), 162-172.

Ilvonen, I. (2013). Knowledge Security - A Conceptual Analysis. PhD thesis, Tampere University of Technology (1175).

Jarvenpaa, S. L., & Majchrzak, A. (2010). Research Commentary - Vigilant Interaction in Knowledge Collaboration: Challenges of Online User Participation Under Ambivalence. Information Systems Research, 21(4), 773-784.

Jennex, M., & Olfman, L. (2005). Assessing knowledge management success. International Journal of Knowledge Management (IJKM), 1(2), 33-49.

Jennex, M. E. (2009, August 6th-9th). Assessing knowledge loss risk. Paper presented at the Americas Conference on Information Systems, San Francisco, California.

Jennex, M. E., & Durcikova, A. (2013). Assessing Knowledge Loss Risk. Paper presented at the 46th Hawaii International Conference on System Sciences, HICSS46, Hawaii.

Jennex, M. E., & Zyngier, S. (2007). Security as a Contributor to Knowledge Management Success. Information Systems Frontiers, 9(5), 493-504.

Jiawei, H., & Kamber, M. (2001). Data mining: Concepts and techniques. China Machine Press.

Julisch, K., Suter, C., Woitalla, T., & Zimmermann, O. (2011). Compliance by design - Bridging the chasm between auditors and IT architects. Computers & Security, 30(6-7), 410-426.

Khamseh, H. M., & Jolly, D. R. (2008). Knowledge transfer in alliances: determinant factors. Journal of Knowledge Management, 12(1), 37-50.

Kueng, P. (2000). Process performance measurement system: A tool to support process-based organizations. Total Quality Management, 11(1), 67-85. http://dx.doi.org/10.1080/0954412007035

Liebeskind, J. P. (1996). Knowledge, Strategy and the Theory of the Firm. Strategic Management Journal, 17(Winter Special Issue), 93-107.

Liebowitz, J., Rubenstein-Montano, B., McCaw, D., Buchwalter, J., Browning, C., Newman, B., & Rebeck, K. (2000). The knowledge audit. Knowledge and Process Management, 7(1), 3-10.

Louw, C., & von Solms, S. H. (2013). Personally Identifiable Information Leakage through Online Social Networks. Paper presented at the South African Institute for Computer Scientists and Information Technologists Conference, East London, South Africa.

Maier, R. (2007). Knowledge Management Systems: Information and Communication Technologies for Knowledge Management (3rd ed.). Berlin.

Maier, R., & Thalmann, S. (2008). Institutionalised collaborative tagging as an instrument for managing the maturing learning and knowledge resources. International Journal of Technology Enhanced Learning, 1(1/2), 70-84.

Mans, R. S., Schonenberg, M. H., Song, M., van der Aalst, W. M., & Bakker, P. J. (2009). Application of process mining in healthcare - a case study in a Dutch hospital. In A. Fred, J. Filipe & H. Gamboa (Eds.), Biomedical Engineering Systems and Technologies (pp. 425-438). Berlin Heidelberg: Springer.

Mills, A. M., & Smith, T. A. (2011). Knowledge Management and Organizational Performance: A Decomposed View. Journal of Knowledge Management, 15(1), 156-171.

Neely, A., Gregory, M., & Platts, K. (2005). Performance measurement system design: A literature review and research agenda. International Journal of Operations & Production Management, 25(12), 1228-1263.

Nonaka, I., & Takeuchi, H. (1995). The knowledge-creating company. New York: Oxford University Press.

Norman, P. M. (2001). Are Your Secrets Safe? Knowledge Protection in Strategic Alliances. Business Horizons, 44(6), 51-60. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=5566293&site=ehost-live

Olander, H., Hurmelinna-Laukkanen, P. I. A., & Heilmann, P. I. A. (2011). Do SMEs Benefit From HRM-Related Knowledge Protection In Innovation Management? International Journal of Innovation Management, 15(3), 593-616. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=60808956&site=ehost-live

Peinl, R., Hetmank, L., Bick, M., Thalmann, S., Kruse, P., Pawlowski, J. M., . . . Seeber, I. (2013). Gathering Knowledge from Social Knowledge Management Environments: Validation of an Anticipatory Standard. Paper presented at the 11th International Conference on Wirtschaftsinformatik (WI2013), Leipzig, Germany.

Rees, J., Bandyopadhyay, S., & Spafford, E. H. (2003). PFIRES: A Policy Framework for Information Security. Communications of the ACM, 46(7), 101-106.

Rozinat, A., de Medeiros, A. K. A., Günther, C. W., Weijters, A., & van der Aalst, W. (2008). The need for a process mining evaluation framework in research and practice. Paper presented at the Business Process Management Workshops.

Sheldon, F. T., Abercrombie, R. K., & Mili, A. (2008). Evaluating Security Controls Based on Key Performance Indicators and Stakeholder Mission. Paper presented at the Cyber Security and Information Intelligence Research Workshop, Oak Ridge, Tennessee.

Siponen, M., & Willison, R. (2009). Information Security Management Standards: Problems and Solutions. Information & Management, 46(5), 267-270.

Suhwan, J., Kim, Y. G., & Koh, J. (2011). An integrative model for knowledge sharing in communities-of-practice. Journal of Knowledge Management, 15(2), 251-269.

Thalmann, S., & Manhart, M. (2013). Enforcing Organizational Knowledge Protection: An Investigation of Currently Applied Measures. Paper presented at the pre-ICIS workshop on Information Security and Privacy (SIGSEC), Milan, Italy.

Thalmann, S., Peinl, R., Hetmank, L., Kruse, P., Seeber, I., Maier, R., . . . Bick, M. (2012). Ontology-based Standardization on Knowledge Exchange in Social Knowledge Management Environments. Paper presented at the 12th International Conference on Knowledge Management and Knowledge Technologies, Graz, Austria.

Tracy, R. P. (2007). IT Security Management and Business Process Automation: Challenges, Approaches, and Rewards. Information Systems Security, 16(2), 114-122. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=24726583&site=ehost-live

Trkman, P., & Desouza, K. C. (2012). Knowledge risks in organizational networks: An exploratory framework. The Journal of Strategic Information Systems, 21(1), 1-17.

Tuomi, I. (1999). Data is more than knowledge: implications of the reversed knowledge hierarchy for knowledge management and organizational memory. Paper presented at the Proceedings of the 32nd Annual Hawaii International Conference on System Sciences.

van der Aalst, W., Reijers, H. A., Weijters, A., Boudewijn, F., van Dongen, W., Alves de Medeiros, A. K., . . . Verbeek, H. M. W. (2007). Business process mining: An industrial application. Information Systems Frontiers, 32(5), 713-732.

Väyrynen, K., Hekkala, R., & Liias, T. (2013). Knowledge Protection Challenges of Social Media Encountered by Organizations. Journal of Organizational Computing and Electronic Commerce, 23(1), 34-55.

Von Krogh, G. (2012). How does Social Software change Knowledge Management? Toward a strategic research agenda. The Journal of Strategic Information Systems, 21(2), 154-164.

Wuchner, T., & Pretschner, A. (2012). Data Loss Prevention Based on Data-Driven Usage Control. Paper presented at the 23rd IEEE International Symposium on Software Reliability Engineering (ISSRE).

Yassine, A., Shirehjini, A. A. N., Shirmohammadi, S., & Tran, T. T. (2012). Knowledge-empowered agent information system for privacy payoff in eCommerce. Knowledge and Information Systems, 32(2), 445-473.

Yodmongkon, P., & Chakpitak, N. (2009). Applying Intellectual Capital Process Model for Creating a Defensive Protection System to Local Traditional Knowledge: the Case of Mea-hiya Community. Electronic Journal of Knowledge Management, 7(4), 517-534.

Zack, M., McKeen, J., & Singh, S. (2009). Knowledge management and organizational performance: an exploratory analysis. Journal of Knowledge Management, 13(6), 392-409.