Martin Lundgren's thesis deals with the difficulty of following instructions on risk management for information security when they do not really fit into the context in which they are to be used.
– If you get instructions for the waltz but the music playing is disco, you can let your feet follow the waltz steps while the upper body makes cooler moves. In risk management and information security, the instructions have a general and standardised form, just like dance steps, but their use must be adapted to suit the context, Martin Lundgren explains.
– If we continue the dance analogy: organisations need to develop their own dance style in order for risk management to become a dynamic routine instead of a rigid one where both rhythm and sense of context are lacking.
In his doctoral thesis, Martin Lundgren answers the questions of how and why organisations adapt their risk management to identify and control different types of threats to the business. How come some do the twist or disco, even though everyone got the instructions for the waltz?
One conclusion is that the human aspects of risk management must be included; that is, to be aware that there is a flexible, learning part in all security work.
– It is easy to believe that there is only one practical, "dead", step-by-step approach to risk management. But there is also a very much living part, the interpersonal part, since interpretation of instructions and practical experience affect what is done and why, says Martin Lundgren.
The thesis describes the relationship between the dead and the living aspect, and offers an explanation of why practice looks the way it does. Sometimes the dead and the living aspects do not match, for example if the instruction is too difficult, too time-consuming, too expensive or too complex to follow. This in turn creates a need to adapt the instruction, and dynamic routines arise. Dynamic routines are thus the link between the instructions, the plan and the practice.
If routines become too dynamic, can that in itself be a risk?
– You cannot take into account all situations that may arise; routines are hence limited and therefore sometimes vague in their instructions. On the one hand, dynamic routines may be necessary. It can indicate a very good understanding of information security and risk management if you can adapt, streamline and tailor the process to how the organisation actually works. On the other hand, it may also be a sign of the opposite. There may be inadequate skills, so that people do not understand or cannot translate the instructions into actual practice and therefore choose to forgo or trim away parts of the process that they do not master. Dynamic routines are thus neither good nor bad, but rather a reflection of the practice that affects the instructions for how we should work.