Title

Security risk management in the Asia Pacific region: What are security professional using?

Document Type

Conference Proceeding

Publisher

secau, Edith Cowan University

Editor(s)

David Brooks and Craig Valli

Faculty

Faculty of Computing, Health and Science

School

School of Computer and Security Science / Security Research Centre (secAU)

RAS ID

12244

Comments

This article was originally published as: Brooks, D. J., & Cotton, H. S. (2011). Security risk management in the Asia Pacific region: What are security professional using? Paper presented at the Australian Security and Intelligence Conference, Perth, Western Australia.

Abstract

The Asia Pacific (APAC) region encompasses a heterogeneous group of nation-states. Like the APAC region, the security industry operates within a diverse and multi-disciplined knowledge base, with risk management being a fundamental knowledge domain within security. Nevertheless, there has been limited understanding of what security professionals use when applying security risk management. The study was designed to gain a better understanding of risk management practice in place throughout APAC. Questions were generated to gauge an understanding of current practice and levels of implementation of standards and frameworks. Participants were drawn from many industries, using non-probabilistic sampling methods in a “snowball” response to an online survey. Results were collected and analysed to provide interpretations and findings, and where appropriate, weighted factor analyses were conducted. Findings indicated that the majority of APAC nation-states do not have a defined risk management standard, but security practitioners use their own internal framework. Following this approach, security practitioners use ISO 31000 and AS/NZS 4360 standards in parity, even considering their differing age. ISO 28000 Supply Chain Security Management was a popular standard, driven from Singapore. Nevertheless, the use of these standards should still raise concern due to the lack of a directed security risk management framework that incorporates threat, vulnerability and criticality. Further study is needed to better understand what risk management techniques and frameworks security practitioners are using.

Access Rights

Open Access