An exploration of knowledge-centric information security by community of practice
Student thesis: Doctoral Thesis
An increasing number of enterprises consider information security (InfoSec) a key success factor, since threats can originate from any part of the world over the internet. The events of 11 September 2001 and many hacker horror stories have repeatedly warned enterprises that they should review their fragile InfoSec mechanisms. Traditionally, InfoSec has relied heavily on technology for technical reinforcement, with large sums invested in software and hardware. In the last decade, information security management systems (ISMS) such as ISO27001 have been introduced to refine the roles of people, organization and process, and many organizations have since adopted such an ISMS in an attempt to improve their InfoSec competence. Some improvements have indeed been observed: enterprises now appear to be equipped with better defined InfoSec policies and procedures. Nevertheless, serious information security incidents continue to be reported by both the public and private sectors. Many of these incidents are found to be caused by human factors, where practitioners either neglect or ignore fundamental InfoSec disciplines or practices. Holding an ISO27001 certificate does not directly reflect the InfoSec capability of an organization. Knowledge management (KM) is another management discipline that many enterprises employ to create business value and generate competitive advantage. Knowledge assets can support corporate innovation, but they can also be vulnerable to espionage. There is, however, little research on the interaction between KM and InfoSec. While knowledge assets may be protected by InfoSec mechanisms, KM can also act as a catalyst to raise InfoSec maturity. A knowledge-centric Information Security (KCIS) model is proposed to establish the inter-relations between KM and InfoSec, with emphasis on how KM can drive InfoSec to a higher maturity level.
To further explore the applicability of KCIS, a community of practice (CoP) is constructed for inter-organizational InfoSec practitioners to share and reuse InfoSec-related knowledge. The practitioners are expected to improve their InfoSec knowledge through the CoP, easing their InfoSec planning and operations at work. A conceptual model derived from activity theory is refined into a research implementation model that combines the ISMS elements with the Information Security Knowledge Architecture (ISKA) (Kesh & Ratnasingam, 2007). The research results are intended to validate whether KM can strengthen the maturity of InfoSec by improving practitioners' knowledge level. The research also tries to evaluate which factors may influence the interaction between KM and InfoSec. A new mapping from Nonaka's SECI model to other business processes, Communication, Quality, Automation, and Learning (CQAL), is developed. This CQAL mapping can help enterprises redesign their business processes more effectively when dealing with InfoSec or similar processes.
- Knowledge management, Computer security