Business Language for Information Security | SpringerLink

Business Language for Information Security

  • Conference paper
  • In: Human Aspects of Information Security and Assurance (HAISA 2023)

Abstract

Prominent standards and frameworks for information security clearly state that business aspects on the one side, and technical aspects on the other, are equally important for the management of cyber security. Organisations with a relatively low maturity level in security management typically consider information security primarily as a technological issue. In such organisations, information security may not get the necessary support from top-level management, because top-level management is predominantly focused on business aspects and is blind to the role information security plays for the business. To obtain support from top-level management, information security practitioners need the skills to influence the relevant stakeholders and help them understand how information security can support business objectives. In this debate it is often argued that it is important to speak the language of management. This means that information security practitioners should learn how to translate technical terms into a business context, so that top-level management can understand what those terms mean for them. However, this debate has mostly focused on the importance of speaking the “Business Language for Information Security (BLIS)” and has not elaborated on what this language consists of or how it can be learned. This paper proposes BLIS and a framework for how to learn it. By mastering BLIS, security professionals can articulate arguments that top-level executive management can easily understand and act on. We therefore argue that a learning module on BLIS will be valuable and useful for the next generation of students in information security. In brief, learning BLIS will help students understand how information security can support business, and also how this can be explained to others.



Author information

Corresponding author: Dinh Uy Tran

Copyright information

© 2023 IFIP International Federation for Information Processing

About this paper


Cite this paper

Tran, D.U., Jøsang, A. (2023). Business Language for Information Security. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_14


  • DOI: https://doi.org/10.1007/978-3-031-38530-8_14


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38529-2

  • Online ISBN: 978-3-031-38530-8

  • eBook Packages: Computer Science (R0)
