Action Design Research - GBM-OA to fill the gaps in MSB Method support

Sammanfattning: In an initial contact with an organization we learned that they faced challenges in their work with information security. The suggested framework, Swedish Civil Contingency Agency (MSB) Method support, required a lot of pre-knowledge, which made it difficult and complicated for the user. Described as a buffet of options to create flexibility for the user, the organization found it hard to operationalize. By using Action Design Research (ADR) we go through three cycles of building, intervention and evaluation (BIE) to develop an artifact to improve their information security risk assessment work. Together with the organization we defined five goals that could improve the current method and its ease of appliance. After conducting a literature review in the field of information security risk assessment we identified a suitable candidate to complement the MSB Method support. Inside the BIE of ADR we use Situational Method Engineering (SME) to assemble a hybrid of the Genre Based Method - Octave Allegro (GBM-OA) method and the MSB method support. The research contribution from our work is three folded. First we suggest six new design principles for information security risk assessment method development. Secondly we show how GBM-OA can be used inside a large framework for information security risk assessment. Thirdly we show how a method can be changed to support the users in the transition from a traditional, technical view of IT-security towards more modern, information and even knowledge security view.