A Socio-Technical approach to address the Information security: Using the 27001 Manager Artefact

TL;DR

This paper advocates for a socio-technical approach to information security management, emphasizing the importance of interactions and intangible assets over static technical controls, using the 27001 Manager artifact.

Contribution

It introduces a socio-technical perspective based on Activity Theory to analyze the dynamic interactions in ISMS provision via the 27001 Manager artifact.

Findings

Highlights the limitations of traditional technical controls in ISMS.

Emphasizes the importance of intangible assets and interactions.

Proposes a socio-technical framework for analyzing security management services.

Abstract

In general, the perspective customer / supplier followed by organizations, regarding information security management, is based mainly on management controls based on standards such as ISO / IEC 27001: 2015, resulting in the production of especially technical analysis reports, rather than a socio-technical approach. This leads to the perception by the customer of the delivery of a product instead of a service.The product concerned is reduced to a set of prescriptions, sometimes unrelated, which materialize in a descriptive and static view of client security management. As a result, the client can hardly use the product continuously, following the dynamics of changes in their organization, therefore recognizing value in the provision made by the supplier. The use of the paradigm Service Dominant Logic (LDS), in the development of a range of security management information, helps to change the focus of tangible resources to the intangible assets. The aspects of tangibility, materialized in a document that describes the client's vulnerabilities and attack vectors are referred to a secondary level, given the importance of the intangible aspects, such as the interaction that is established between the customer specialists and supplier. In this article we propose to analyze in the perspective of a socio-technical theory, the Activity Theory, the service provided by an artifact called 27001 Manager, designed to assist the entire cycle of analysis, development and maintenance of an information security management system (ISMS). The analysis aims at observing the existing interaction between customer / supplier, considering that the service is inherently dynamic and inter-subjective, ie the result of a compromise between the customer and the supplier.