A Process Approach to Information Security: Lessons from Quality Management

摘要

The prevalent approach to analysis of information security is typically event-centric and ad-hoc based primarily on risk management principles. However, we believe that scholars and practitioners in the information security field can benefit significantly from the experiences and principles of quality management, where process orientation dominates and continuous improvement is the essence. This paper reviews some key concepts in quality management and draws lessons for information security management. Based on this, a process-centric framework for managing information security is developed. The framework is then explored in the context of root-cause analysis of realized threats or security breaches. Future research directions are then suggested.