Information Security Risk Management in IT-Based Process Virtualization: A Methodological Design Based on Action Research

Action research is a qualitative research methodology that leads the researcher to immerse in the problems of a community in order to understand its needs in depth and, finally, to propose actions that bring about a change of social paradigm. Although this methodology originated in the human sciences, it has attracted increasing interest and acceptance in information systems research since the 1990s. The many possibilities that Information Technologies (IT) now offer for carrying out socio-economic activities have themselves produced a change of social paradigm and the emergence of the so-called information and knowledge society. Accordingly, governments, large corporations, small entrepreneurs and organizations of all kinds are using IT to virtualize their processes, moving them from the physical environment to the digital environment. However, this exposes valuable information, and an organization that virtualizes a process without an appropriate framework for protecting that information takes on a risk it may not have assessed. This paper reports progress on a methodological design for managing the information security risks associated with IT-based process virtualization. The design applies the principles of action research and is the result of a systematic review of the scientific literature. It consists of seven fundamental stages, which are grouped into the three phases described by the action research methodology: 1) Observe, 2) Analyze and 3) Take action. Finally, this paper aims to offer an alternative to traditional information security management methodologies, intended specifically for the planning stage of IT-based process virtualization, so that risks are foreseen and security controls are established before IT solutions are formulated, in any type of organization.
