Information security risk management (ISRM) is a continuous process that integrates identification and analysis of risks to which an organisation is exposed, assessment of likelihood of potential threats and their impact on the business, and deciding what actions need to be taken to eliminate or reduce risk to an acceptable level. Our review of the literature highlights two trends in organizational practice of ISRM: (1) security risks are not analysed and monitored continuously and historically (2) security risks are assessed based on speculation rather than evidence. Business analytics (BA) provides organizations with a unique opportunity to develop specialised capabilities (security analytics) and thereby enable the practice of analytics-driven evidence-based decision making in ISRM. In this study, we utilize a contingent resource based view to develop a research model that explains how security analytics capabilities and ISRM capabilities indirectly influence enterprise security performance through mediating role of analytics-driven ISRM capabilities. Risk assessment complexity moderates the process by which security analytics capabilities and ISRM capabilities influence the enterprise security performance. The model is defined based on an extensive analysis of BA and ISRM literature. The model provides a foundation for future empirical work including multiple case studies and a survey.
Naseer, Humza; Shanks, Graeme; Ahmad, Atif; and Maynard, Sean, (2017). "TOWARDS AN ANALYTICS-DRIVEN INFORMATION SECURITY RISK MANAGEMENT: A CONTINGENT RESOURCE BASED PERSPECTIVE". In Proceedings of the 25th European Conference on Information Systems (ECIS), Guimarães, Portugal, June 5-10, 2017 (pp. 2645-2655). ISBN 978-0-9915567-0-0 Research-in-Progress Papers.