CONTAINING VS AVERTING DAMAGE

Surely, though, it would be better if organisations averted such a crisis in the first place. By the time it was discovered that Impairment Resources had lost control of medical records belonging to the roughly 600 insurance companies it served, the damage was done. The lawsuits quickly piled up and no amount of transparency could have stopped the company’s impending demise [295]. So an ounce of prevention is worth a pound of cure.

The results of this survey showed that new knowledge gained via other models can help security practitioners. The survey showed how the Five Forces can be subdivided into dynamic and static forces and how inadequate security strategy is, with its inordinate focus on static forces. The second important result from the survey showed that new knowledge

item such as the five forces and the value chain model can be borrowed from Porter to enrich current strategy formulation within the BIS domain. According to the survey findings, security misses the mark, typically focusing on the individual activities of the organisation rather than considering the role each activity plays in the wider picture. For instance, security specialists see that their business has relationships with third parties, but seldom recognises these parties as potentially influential forces.

Understanding the value chain and the five forces is a prerequisite for business success [296]. Yet, surprisingly, Porter’s frameworks have yet to take hold in the BIS field.

These following are ranked out of 13 forces as the top five forces which security managers say they recognise the impact of:

1. Legislation (95 percent)

2. Inspection and supervisory agencies (88 percent)

3. Law enforcement (district attorney and police) (69 percent)

4. Partners in the (digital) chain (e.g., freight forwarders, Internet service providers, payment handlers) (64 percent)

5. Public opinion (60 percent).

The top five forces which security managers say they do not recognise the impact of are: 1. Trade unions (79 percent)

2. Social media (uncensored reporting) (57 percent) 3. Criminals (48 percent)

4. Customers (48 percent) 5. Suppliers (43 percent). CONCLUSIONS

It is too easy to say that organisations simply need to get a grasp on the dynamic forces in the chain and all their problems will be solved. However, the problem is that very few management tools, steering mechanisms or key performance indicators (KPIs) are available to deal with these forces.

Dynamic forces can have major consequences. A surprising 71 percent of experts surveyed indicated that these forces are critical to their business and security strategy. They require the attention of every manager, board member and shareholder. The survey shows that strategies based on an awareness of value chains and the five forces can help organisational leaders to:

− Increase preparedness for unforeseen influences

− Better identify risk and establish the organisation's risk appetite − Anticipate crises and remain in control of strategy.

The top five elements for a more holistic BIS strategy, according to the new knowledge insights from the survey, are:

1. Stakeholder approach—When developing a strategy, involve the board of directors, management, business and all external stakeholders in the digital chain. Know the key performance indicators (KPIs), stakeholder expectations, and how to translate these demands, using the right KPIs, into concrete benchmarks for the organisation, management and board.

2. Risk-based approach—Look at the organisation’s critical data (crown jewels) in the context of the entire chain. Start by gaining insight into all digital stakeholders and their potential dependencies, weaknesses and risk—both technologically and legally. 3. Beware of blind spots—Many forces are dynamic. Ensure the organisation is not caught

unaware. No one person can stay abreast of every development in this field, so let others update stakeholders on what they do not know.

4. Do the right things well—It may seem easier to “learn by doing,” but those who prepare a good strategy are less dependent on impromptu solutions.

5. Integrated organisational process—Be aware of the chain of forces that influences the organisation. Make room for addressing these forces in the strategy and policy plans of the entire organisation.

The conclusions of the survey results show that security managers need to zoom in on specific threats and prepare for them; also to zoom out and consider the entire context in which the organisation operates. This is not just a lesson for security managers and officers. It can be argued that the most important decision makers in every organisation need to take ownership of this problem. Information risks are owned by the business data owners, according to ITGI [18] “It is imperative that organisations deliver on the promise, or they will

soon become irrelevant. [265]” Decision makers should give security people a voice in the

formulation of overall business strategy. ICT security policy should be made a core aspect of the whole [56]. Only then can an organisation consider itself ready to face an uncertain and rapidly changing context and future [195].

The entire data set supporting this publication can be accessed via http://dx.doi. org/10.17026/dans-zbu-hfdc

CONTRIBUTION ARGUMENTS

After compiling a set of new knowledge items from the Delphi research we can justify the choices for setting requirements. The gained knowledge items are not directly transferable into artefact functional requirements but they can help influence the stakeholder’s perception or have effect on defining the scope and context in which the artefact operates. Although some items are considerable as functional requirements most of the results from this survey are knowledge items to be considered and addressed in scoping the MBIS

process. We use the Wieringa method to formulate the contribution argument. This is an argument that an artefact that satisfies the requirements would contribute to a stakeholder goal in the problem context. A contribution argument, according to Wieringa [146] has the form:

(Artefact requirements) x (Context assumptions) contribute to (Stakeholder goal)

ARTEFACT REQUIREMENT CANDIDATES

Creating insight into strategic forces and the dependency the organisation has on these forces is necessary to:

− Heighten preparedness for unforeseen influences

− Better identify risk and establish the organisation's risk appetite − Anticipate crises and remain in control of strategy.