Rethinking capabilities in information security risk management

a systematic literature review

DOI: 10.1504/IJRAM.2020.106978
Keywords: Social Sciences, Media and Communications, Information Systems, Social aspects, Media and Communication Studies, Systems Science, Information Systems and Informatics with a Social Science Orientation, Information security, Risk management, Capability, Intent, Knowing
Publication year: 2020
Relevant Sustainable Development Goals (SDGs): SDG 16 Peace, justice and strong institutions; SDG 3 Good health and wellbeing


Information security risk management capabilities have predominantly focused on instrumental onsets, while largely ignoring the underlying intentions and knowledge these management practices entail. This article aims to study what capabilities are embedded in information security risk management. A theoretical framework is proposed, namely rethinking capability as the alignment between intent and knowing. The framework is situated around four general risk management practices. A systematic literature review using the framework was conducted, resulting in the identification of eight capabilities. These capabilities were grouped into their respective practices: integrating various perspectives and values to reach a risk perception aligned with the intended outcome (identify); adapting to varying perspectives of risks and prioritizing them in accordance with the intended outcome (prioritize); implementing security controls to enable resources, and integrating/reconfiguring beliefs held by various stakeholders (implement); and sustaining the integrated resources and competences held by stakeholders to continue the alignment with the intended outcome (monitor).


Martin Lundgren

Luleå tekniska universitet; Digitala tjänster och system