Business process re-engineering and information security planning: Opportunities for integration

Business process re-engineering (BPR) has come to recognize a need for the adoption of socio-technical methodologies and capabilities for knowledge representation of qualitative concerns. Security planning and decision-making has a similar need, and furthermore socio-technical methods common to BPR can be usefully applied in this capacity. The introduction of security models like Defense-in-Depth and similar efforts to recognize the organizational impact of security planning in operational security management serve as an initial step in educating security personnel and provide a more comprehensive view, but unfortunately, security decision-making has traditionally relied almost solely upon quantitative risk assessment, cost/benefit mechanisms, and related, functionalistic methodologies. This greatly limits the representational capacity of the decision process, and with it the possible dimensions of analysis in which to consider security issues. Within this paper, we briefly examine security planning and the relevant techniques of BPR and Socio-technical design, and present a framework for their integration within the context of information security. It is our contention that such methodologies can be utilized in the security decision process to facilitate representation of subjective concerns and broadly-defined issues germane to security policy, within an organizational context.