If the reader of this article is a security professional, they may not like what is being presented here, chiefly because "better security" is not the goal; the goal is an optimal solution for the organization, based on getting complete information to fuel the risk management decisions. They also may not like this because, for years, some security professionals have been trying to keep management out of the security management "loop," and this paper invites them back into that loop. A business manager, though, may like this theory, as they may have been "burned" once or twice in the past because an ill-conceived security measure was implemented without full consideration of the trickle-down impacts it might cause to the business. Regardless of who is reading this, the problem remains the same. The solution to this problem, should it be proven to be a "real" problem, would be to create a "plug-in" to the existing methodologies described above, as a sub-process that would take place during each methodology. This would be the so-called PICIR method, to be developed. Going forward, research will be done by contacting organizations and getting feedback on the theory described above, and having users, managers and security professionals provide information via surveys and other means, in order to show that this is a real issue that needs to be addressed.