Towards an Intelligence-Driven Information Security Risk Management Process for Organisations

Abstract

Three deficiencies exist in information security under prevailing practices: organisations tend to focus on compliance over protection; to estimate risk without investigating it; and to assess risk on an occasional (as opposed to continuous) basis. These tendencies indicate that important data is being missed and that the situation awareness of decision-makers in many organisations is currently inadequate. This research-inprogress paper uses Endsley's situation awareness theory, and examines how the structure and functions of the US national security intelligence enterprise—a revelatory case of enterprise situation awareness development in security and risk management—correspond with Endsley..