Protecting Organizational Competitive Advantage: A Knowledge Leakage Perspective

Abstract

The strategic management literature emphasizes the importance of protecting organizational knowledge and information, especially in terms of maintaining competitive advantage. We synthesized several mechanisms from the literature that organizations could deploy to protect their knowledge and information. An Australian field study investigated how and to what extent these mechanisms were deployed in 11 knowledge-intensive organizations. The study revealed surprising findings: firstly, there was no evidence of a systematic and comprehensive management approach to the identification and protection of knowledge assets. Approaches were often haphazard, driven in a bottom-up fashion with much of the responsibility delegated to individual employees and knowledge owners. Secondly, concerns about confidentiality of organizations’ operational data (e.g., client details), often crowded out managerial attention to protecting organizations’ own knowledge and information assets. Based on these observations, we outline several implications for future research, including the need for more comprehensive frameworks to address knowledge leakage from a strategic perspective.
Atif Ahmad a,*, Rachelle Bosua a, Rens Scheepers b
a Department of Computing and Information Systems, University of Melbourne, Parkville, VIC 3010, Australia
b School of Information Systems, Deakin University, Australia
Article info
Article history: Received 23 August 2013; received in revised form 27 November 2013; accepted 9 January 2014
Keywords: Knowledge leakage; Information security; Security risk; Sensitive information; Resource-based view
© 2014 Elsevier Ltd. All rights reserved.
1. Introduction
In recent years, there has been considerable media coverage of an increasing number of incidents in which sensitive information has been disclosed as a result of leakage. Leakage is becoming a key concern in organizations and also an important area of research. For example, a recent special issue of Information Systems Frontiers was dedicated to the security management of internal data leakage. This issue highlighted several important aspects, including “insiders” who leak data (Farahmand and Spafford, 2013). The leakage of sensitive information through unidentified channels and conduits is a particularly challenging management problem. This problem is exacerbated by the widespread adoption and appropriation of boundary-spanning information technologies such as mobile devices, cloud computing, social media and networking technologies.
Leakage can have a variety of impacts on organizations including reputational damage, loss of revenue, costs arising from breaches of confidentiality agreements and loss of productivity. With considerable restitutional effort, organizations could recover from such incidents. However, where the leakage concerns knowledge related to an organization’s valuable, rare, inimitable and non-substitutable (VRIN) resources that sustain competitive advantage, recovery can be significantly more challenging (VRIN resources are discussed in Barney (1991, 1996), and Mahoney and Pandian (1992)).
* Corresponding author. Tel.: +61 383441396. E-mail addresses: atif@unimelb.edu.au (A. Ahmad), rachelle.bosua@unimelb.edu.au (R. Bosua), rens.scheepers@deakin.edu.au (R. Scheepers).
Computers & Security 42 (2014) 27–39 (journal homepage: www.elsevier.com/locate/cose). 0167-4048/$ – see front matter © 2014 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.cose.2014.01.001
Knowledge is more than just information and data; it can be described as the ‘fluid mix of framed experiences, values, contextual information and expert insight’ (Davenport and Prusak, 1998). Knowledge is indispensable for innovation and manifests itself in the form of intangible and tangible knowledge assets. Intangible knowledge assets are embodied in humans while tangible knowledge assets become embedded over time in organizational procedures, routines, processes and documents. Given the highly competitive business environment and continuing pressure within which organizations compete, knowledge assets are vital for organizations to sustain their competitive advantage (Grant, 1996, 1997).
Knowledge leakage occurs when sensitive organizational knowledge such as strategies, policies, product-knowledge, and sensitive client information ends up in the hands of unauthorized parties. Leakage has been defined as “the deliberate or accidental loss of knowledge to unauthorized personnel within or outside of an organizational boundary” (Annansingh, 2005). The definition points out that leakage may occur deliberately or in an uncontrolled unobtrusive way, for example due to human error, inferred facts from knowledge made available through various sources, or poor information management strategies and practices. Additionally, practices that include the offshoring and outsourcing of operations by organizations may lead to the unintentional divulging of sensitive organizational knowledge to unauthorized parties.
In the realm of information systems security, leakage of information and data in computers and networks is addressed through the preservation of ‘confidentiality’. Formal and informal measures exist to prevent unauthorized access to information and data (such as security policy, risk management, education, training and awareness) (Dhillon, 2006). In addition, there is a range of technical measures to control access to information (consider authentication mechanisms that use passwords, encryption, logging mechanisms, firewalls and intrusion detection systems).
The literature on mitigation strategies focused on the leakage of sensitive knowledge is scant (DeSouza, 2006). A few literature sources mention the importance of knowledge protection in organizations (Bloodgood and Salisbury, 2001; Gold et al., 2001; O’Donoghue and Croasdell, 2009; Thompson and Kaarst-Brown, 2005), but fail to provide pertinent guidance on 1) different types of mechanisms required to protect sensitive knowledge, and 2) strategic and operational guidelines on how sensitive organizational knowledge can be protected.
In this paper we report on a particular set of findings concerning knowledge leakage mitigation and the challenges faced by organizations in this regard. As the focus is on organizations and competitive advantage in particular, we adopt a knowledge-based view of the organization. Given the significant sharing and transfer of knowledge at different levels in knowledge-intensive organizations, we suggest it may be difficult to reconcile the confidentiality of knowledge with its availability. As such it is important to investigate how organizations actually deal with this dilemma. Therefore, this paper poses the following research question: How can organizations protect their Valuable, Rare, Inimitable and Non-substitutable knowledge assets? From this, two related sub-questions follow:
- What key mechanisms exist that can be deployed to protect organizational knowledge assets? and
- What challenges do managers face in deploying the various knowledge protection mechanisms to prevent the leaking of sensitive knowledge?
The paper begins with a literature review aimed at identifying broad perspectives on knowledge protection and associated mechanisms in organizations. Using four key perspectives identified from the literature, a qualitative case study approach was taken whereby managers responsible for knowledge strategy from eleven knowledge-intensive organizations were interviewed on organizational approaches towards reconciling the need for knowledge confidentiality with availability. The findings suggest that organizational knowledge protection is a complex issue that is often overlooked at the management level and left as the responsibility of knowledge ‘owners’. Additionally, managerial actions, appropriate strategies and accompanying mechanisms are required to distinguish between protection mechanisms of competitive knowledge as opposed to operational knowledge. Based on these observations, several implications for future research are outlined, including the need for more comprehensive frameworks to address the problem of knowledge leakage strategically.
2. Organizational perspectives on securing knowledge, data and information
2.1. Strategic management view
The Resource-Based View of the firm views knowledge as an intangible organizational competitive resource that should be developed and protected in the same manner as other competitive firm resources (Teece, 2009). The synergy between knowledge and firm resources often accounts for its competitive advantage generation potential, in the sense that such synergies tend to be unique and consequently not easily imitated by competitors. Indeed, it has been argued that even though firms may possess similar resources, the ability to generate premium rents emanates from leading firms’ ability to better harness their intangible knowledge assets in conjunction with other firm resources, for example, see the Creative Arts case in Barney and Hesterly (2006).
When a firm’s competitive advantage derives from a knowledge-intensive resource, clearly this advantage could be eroded when competitors obtain such knowledge. This in turn contextualizes the problem of knowledge leakage for organizations strategically. Leakage, with potentially devastating consequences in terms of competitive advantage, could occur on a number of fronts. First, inadvertent or intentional leakage of knowledge by disgruntled employees (which could occur easily in an increasingly networked society) presents one potential risk. Furthermore, alliances between organizations necessitate some sharing of information between business partners. However, alliances also introduce the potential of knowledge leakage (an area already indicated as significant e.g., in IT outsourcing) (Norman, 2001). Last, staff turnover, especially movement of highly knowledgeable individuals between competing firms (e.g., in entrepreneurial start-ups, etc.) has key implications from a competitiveness perspective.
Clearly, organizations must develop a capability to deploy their resources to mitigate leakage of sensitive knowledge. Such a capability is critical to sustaining business success over the long-term. The RBV literature describes capabilities as being internally-focused, firm-specific and socially complex, and as developing over time as a result of organizational learning (Dierickx and Cool, 1989; Peteraf, 1993). Related to the RBV literature on capabilities is the literature on Dynamic Capabilities (Eisenhardt and Martin, 2000; Winter, 2003) that considers how these resources/capabilities are reconfigured over time. Reconfiguration involves the addition and transformation/protection of existing resources/capabilities in response to environmental opportunities and/or threats (Teece, 2009). Transforming/protecting dynamic capabilities are therefore specifically aimed at securing existing competitive advantages in the light of external threats in the broader environment (i.e., competitive or other threats that can erode existing competitive advantages).
Given this theoretical underpinning, leakage mitigation should be considered as part of an organization’s dynamic capabilities, specifically in terms of protecting its existing competitive advantage (which in turn, originates from specific advantage-generating firm resources and capabilities). The RBV literature does not consider all organizational resources as instrumental in terms of generating sustainable competitive advantage; some resources are necessary for competitive parity. For example, it could be argued that the knowledge forming part of many non-core/ancillary resources is necessary, but does not warrant the same level of managerial scrutiny from a competitiveness perspective. This suggests that the RBV and Dynamic Capabilities provide useful theoretical underpinning in terms of prioritizing knowledge protection activities within the firm.
2.2. Knowledge management view
The knowledge management (KM) literature also views knowledge as a competitive resource in organizations (Barney, 1991; Davenport and Prusak, 1998; Earl, 2001; Grant, 1996; Leonard-Barton, 1992). Much of the literature in the area of KM has focused on how to increase knowledge sharing between parties (individuals and groups) in the interest of driving innovation and productivity (Grant, 1996; Hansen et al., 1999; Marabelli and Newell, 2012; Nonaka, 1994; Nonaka et al., 2000). Some studies have pointed out that increasing circulation of knowledge also increases the risk of leakage (DeSouza, 2006; DeSouza and Vanapalli, 2005; Easterby-Smith et al., 2008; Trkman and Desouza, 2012). The need to reconcile preserving confidentiality on the one hand and increasing the sharing of knowledge on the other is a key dilemma for organizations. A knowledge perspective on this discussion frequently revolves around the distinction between ‘tacit’ and ‘explicit’ knowledge. Tacit knowledge is perceived to be less susceptible to leakage (compared to explicit knowledge) because it is difficult to articulate or codify (Hildreth and Kimble, 2002; Polanyi, 1966). Interestingly, the KM literature does not specifically address the leakage of competitively valuable knowledge.
2.3. Information security management view
Traditionally, literature in the area of information security management (ISM) has not directly engaged with the concept of ‘knowledge’, but rather information (and data). Information is viewed as a discrete, and relatively static “asset” that can be enumerated for security accounting and auditing purposes (Shedden et al., 2011). Although the ISM literature considers the practice of information security management to be aligned with business objectives, these are not typically framed in terms of competitive advantage. Instead, ‘information’ and ‘information systems’ (the latter term includes the broad spectrum of hardware and software as well as people and information used for a specific purpose) are viewed as essential to the organization’s ability to function (Whitman, 2003; Whitman and Mattord, 2012).
The ISM literature identifies three primary security characteristics of information from which organizations derive value. These are confidentiality, integrity and availability otherwise known as the C.I.A. triangle (Denning, 1999; Jones and Ashenden, 2005; Spears, 2006). Preventing leakage of competitive information falls under the more general problem of preserving confidentiality, i.e. the need to preserve authorized access to information from accidental or malicious disclosure (Whitman, 2003). The ISM literature suggests a range of formal, informal and technical controls to preserve confidentiality (as well as integrity and availability) (Dhillon, 2006). Formal controls include risk assessments, audits, and policies and procedures that provide advice to personnel on the one hand and outline punitive measures for non-compliance on the other. Technical controls are firewalls, intrusion detection systems, and other such devices that regulate access to resources while informal controls include training and education that influence security culture.
The discourse around leakage prevention in the ISM literature focuses on a strategy of compartmentalizing information based on sensitivity levels assessed using classification methodologies (Ahmad et al., 2012; Schneier, 2006, p. 105). For specific security models see Anderson (2008) on the multilevel Bell LaPadula model and multilateral Lattice and Chinese Wall security models. Organizations can apply the concepts and principles in these models to preserve confidentiality using a variety of technical solutions (e.g., encryption, passwords, access control, firewalls and intrusion detection systems).
There is considerable research activity in the computing domain towards developing new technologies to prevent data leakage. Much of this effort harnesses social, technical and socio-technical approaches to address insider threat (see an historical review of these approaches in a recent editorial of Information Systems Frontiers by Huth (2013)). Technologies more generally directed towards Data Leakage Prevention (DLP) include solutions that analyze, monitor and control sensitive information usage across computing systems (Blasco and Jorge, 2013).
The review of the literature points to the need for a more consolidated summary of mechanisms for leakage mitigation, which can accommodate contemporary sources of potential leakage. Such a summary should also inform how specific mechanisms (refer to Table 1) should be considered as part of an overall strategic risk mitigation approach.
3. Knowledge protection: areas and mechanisms
This study aimed to identify the context in literature where knowledge protection has been cited as a significant concern, the kinds of knowledge deemed sensitive, areas in organizations where sensitive knowledge typically resides, and enterprise-wide organizational mechanisms suggested for the protection of knowledge. Although the literature suggests a number of mechanisms that vary in terms of scope and comprehensiveness, there is no specific study that considers aspects that involve both the breadth and depth of knowledge protection mechanisms. The study by Norman (2001) groups knowledge protection into three major areas namely 1) human resources, 2) legal structure of alliance agreements and contacts and 3) alliance processes. Considering activities that involve the flow and transfer of knowledge and accompanying potential for knowledge to leak between different parties and at different levels in organizations, this paper takes a top-down organizational viewpoint and builds on Norman’s work to identify four key knowledge protection areas. This categorization emerges from the bodies of literature reviewed, namely 1) Strategic-level Management Initiatives, 2) Operational-level Knowledge Protection Processes, 3) Supporting Technology Infrastructure, and 4) Legal Structures for Knowledge Protection. These mechanisms are not mutually exclusive, but can be combined or complement each other to provide suitable levels of knowledge protection. Different knowledge protection mechanisms and examples of mechanisms for each of the knowledge protection areas synthesized from the literature are presented in Table 1. Each of the knowledge protection areas is discussed in the sections that follow.

Table 1 – Synthesis of knowledge protection areas and mechanisms in the literature.
Knowledge protection area / Mechanisms and examples – list of references

Strategic-level Management Initiatives (STRAT)
  1. Identifying Valuable, Rare, Inimitable and Non-Substitutable knowledge assets (i.e. WHAT to protect)
     a) Key firm knowledge resources to be identified and associated sensitivity risks assessed and considered – (Aljafari and Sarnikar, 2009; Liebeskind, 1996; Norman, 2001; O’Donoghue and Croasdell, 2009; Olander and Hurmelinna-Laukunnen, 2010; Teece, 2009)
  2. Developing, implementing and resourcing policies, procedures and guidelines on Knowledge Protection (i.e. HOW to protect knowledge)
     a) Identifying knowledge protection roles – (Gold et al., 2001; Norman, 2001; Olander and Hurmelinna-Laukunnen, 2010)
     b) Implementing protection processes and mechanisms (e.g. monitoring of knowledge flows) – (Bloodgood and Salisbury, 2001; DeSouza and Vanapalli, 2005; Gold et al., 2001; Holsapple and Jones, 2005; Liebeskind, 1996; Norman, 2001; Olander and Hurmelinna-Laukunnen, 2010; Olander et al., 2009)
     c) Developing policies, procedures and guidelines (e.g. policies on knowledge sharing, background screening, acceptable use of collaborative technologies) – (Aljafari and Sarnikar, 2009; Bloodgood and Salisbury, 2001; Ford and Helayne, 2004; Gold et al., 2001; Liebeskind, 1996)
     d) Developing a security culture (e.g., raising awareness, training, and education) – (DeSouza and Vanapalli, 2005; Gold et al., 2001; Hurmelinna-Laukkanen and Puumalainen, 2007; Neville et al., 2003; Norman, 2001; O’Donoghue and Croasdell, 2009; Sveen et al., 2007)
     e) Resourcing security initiatives (e.g., specific funding for knowledge protection initiatives) – (Hurmelinna-Laukkanen and Puumalainen, 2007; Norman, 2001; Sveen et al., 2007)
     f) Identification of relevant IP rights and laws for knowledge protection policies – (Hurmelinna-Laukkanen and Puumalainen, 2007; Liebeskind, 1996; Norman, 2001; O’Donoghue and Croasdell, 2009; Olander and Hurmelinna-Laukunnen, 2010; Olander et al., 2009)

Operational-level Knowledge Protection Processes (PROC)
  1. Compartmentalization to protect sensitive knowledge (e.g., limiting information flows, specifying off-limit knowledge) – (Amiri, 2007; Bloodgood and Salisbury, 2001; DeSouza, 2006; DeSouza and Vanapalli, 2005; Holsapple and Jones, 2005; Liebeskind, 1996; Majchrzak and Jarvenpaa, 2010; Norman, 2001; O’Donoghue and Croasdell, 2009; Thompson and Kaarst-Brown, 2005)
  2. Classification and handling knowledge (e.g. labeling of documents as secure, confidential or highly confidential, and allocating access rights to employees) – (DeSouza, 2006; DeSouza and Vanapalli, 2005; Gold et al., 2001; Holsapple and Jones, 2005; Norman, 2001; O’Donoghue and Croasdell, 2009)
  3. Making knowledge explicit to prevent loss (e.g. when employees move on) – (Bloodgood and Salisbury, 2001; O’Donoghue and Croasdell, 2009)
  4. Deliberately keeping knowledge tacit to mitigate leakage – (Bloodgood and Salisbury, 2001; Gold et al., 2001; Olander and Hurmelinna-Laukunnen, 2010)

Supporting Technology Infrastructure (TECHINF)
  Identification, configuration and deployment of tools and technologies to authenticate, control and track access to sensitive information – (Blasco and Jorge, 2013; DeSouza and Vanapalli, 2005; Gold et al., 2001; Holsapple and Jones, 2005; Huth, 2013; Lee et al., 2005; Majchrzak and Jarvenpaa, 2010; Neville et al., 2003; O’Donoghue and Croasdell, 2009; Olander et al., 2009; Sveen et al., 2007)

Legal Structures for Knowledge Protection (LEGAL)
  Legal frameworks and mechanisms to protect sensitive knowledge (e.g., Non-Disclosure Agreements (NDAs), Patents, Contracts) – (Bloodgood and Salisbury, 2001; Chai et al., 2011; De Faria and Sofka, 2010; Gold et al., 2001; Holsapple and Jones, 2005; Liebeskind, 1996; Norman, 2001; O’Donoghue and Croasdell, 2009; Olander and Hurmelinna-Laukunnen, 2010; Olander et al., 2009).
3.1. Strategic-level Management Initiatives (STRAT)
This stream of literature identifies a range of Strategic-level Management Actions to protect sensitive knowledge. Two key mechanisms are 1) identifying what knowledge needs to be protected and 2) how sensitive knowledge needs to be protected. With respect to the RBV of the firm, knowledge that is valuable, rare, inimitable and non-substitutable (Barney, 1991) needs to be identified, together with the risks that need to be considered for these assets (DeSouza and Vanapalli, 2005; Liebeskind, 1996; Olander and Hurmelinna-Laukunnen, 2010). Examples of valuable and rare assets include key employees, products, processes, routines or procedures.
Strategic management actions to protect valuable and rare knowledge assets need to focus on the development, implementation and resourcing of policies, procedures and guidelines to protect sensitive knowledge. For this to occur, key roles need to be identified, such as gatekeepers that control the potential leakage of knowledge and management roles to oversee knowledge protection efforts (Gold et al., 2001; Olander and Hurmelinna-Laukunnen, 2010). Additionally, protection processes and mechanisms need to monitor knowledge flows between individuals and between individuals and ‘containers’ of sensitive knowledge (Bloodgood and Salisbury, 2001; DeSouza and Vanapalli, 2005). Management need to develop suitable policies, procedures and guidelines on intra- and inter-organizational knowledge sharing, screening of applicants prior to appointing them in organizations, and acceptable use of collaborative and communication technologies (e.g., social media technologies). A knowledge protection culture may need to be developed to raise employee awareness and train employees about knowledge protection aspects and processes. Additionally, management need to resource security initiatives by making funds available to develop and implement knowledge protection initiatives (Norman, 2001; Sveen et al., 2007). Finally, management needs to define suitable knowledge protection policies in terms of relevant IP rights and laws to protect sensitive knowledge (Hurmellina-Laukkanen and Puumalainen, 2007; Liebeskind, 1996; Olander et al., 2009).
3.2. Operational-level Knowledge Protection Processes (PROC)
The presence of operational-level knowledge protection processes is essential to secure sensitive organizational knowledge (Gold et al., 2001). Such processes affect the frequency and direction of knowledge and information flows and impact on collaboration and communication activities associated with intra- and inter-organizational knowledge sharing. Examples include processes that compartmentalize knowledge to specify off-limit knowledge and limit information flows between different parties such as external customers, clients and partner organizations (DeSouza and Vanapalli, 2005; Lee et al., 2005).
Knowledge protection processes include mechanisms to classify knowledge in terms of its sensitivity level as a basis for allocating access rights to organizational employees (DeSouza, 2006). Examples of sensitivity levels include ‘confidential’, ‘classified’, ‘secret’ and ‘top secret’ (Thompson and Kaarst-Brown, 2005). Further, two competing knowledge processes play a key role in organizations. On the one hand are processes that prevent knowledge loss by making knowledge explicit (increasing the number of copies) and on the other are those processes that keep knowledge tacit to prevent knowledge leakage (Graf, 2011; Majchrzak and Jarvenpaa, 2010; Norman, 2001). Organizations must implement both processes to reflect their deliberate balance between the need to prevent loss or destruction and the need to prevent leakage.
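The sketch below is an added example, not part of the original paper: it applies the lattice and Bell-LaPadula concepts cited in Section 2.3 to the sensitivity labels quoted above, and replays a log of knowledge flows between 'containers' to report the ones that leak. The rank order of the four labels, the compartment names, the container names and the flow log are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The four labels are the ones quoted in Section 3.2. Their rank order,
# in particular 'confidential' below 'classified', is an assumption.
LEVELS = {"confidential": 0, "classified": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: a sensitivity level plus need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if information labelled `other` may flow to this label."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def label(level, *compartments):
    """Convenience constructor for a Label."""
    return Label(level, frozenset(compartments))


def join(a, b):
    """Least upper bound: the label a merge of both sources must carry."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def can_read(subject, obj):
    """Bell-LaPadula simple security property (no read up)."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """Bell-LaPadula *-property (no write down)."""
    return obj.dominates(subject)


def audit_flows(assigned, flows):
    """Replay observed flows and report those that leak.

    Each container carries a high-water mark of what it actually holds, so a
    flow out of a contaminated low-labelled container is still reported.
    Returns (source, destination, level_moved) for every violating flow.
    """
    content = dict(assigned)
    violations = []
    for src, dst in flows:
        moved = content[src]
        if not assigned[dst].dominates(moved):
            violations.append((src, dst, moved.level))
        # The copy happened either way, so the destination is now tainted.
        content[dst] = join(content[dst], moved)
    return violations


# Constructed sample data: container names and labels are hypothetical.
ASSIGNED = {
    "pricing-model": label("secret", "strategy"),
    "client-register": label("classified", "clients"),
    "board-pack": label("top secret", "strategy", "clients"),
    "team-wiki": label("confidential"),
    "partner-portal": label("confidential"),
}
FLOWS = [
    ("client-register", "board-pack"),     # upward flow, allowed
    ("pricing-model", "team-wiki"),        # write down
    ("team-wiki", "partner-portal"),       # equal labels, tainted content
    ("client-register", "pricing-model"),  # higher level, wrong compartment
]

if __name__ == "__main__":
    for src, dst, level in audit_flows(ASSIGNED, FLOWS):
        print(f"leak: {level} knowledge moved from {src} to {dst}")
```

The third flow passes a check on assigned labels alone, since both containers are 'confidential'; it is reported only because the audit tracks what the wiki received in the second flow.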
3.3. Supporting Technology Infrastructure (TECHINF)
A number of sources suggest the importance of a supportive technology infrastructure to prevent the leakage of knowledge (DeSouza, 2006; DeSouza and Vanapalli, 2005; Gold et al., 2001; Norman, 2001; O’Donoghue and Croasdell, 2009). Mechanisms to achieve this include the identification, configuration and deployment of tools and technologies that authenticate, control and track access to sensitive information. Even though IT forms an integral part of knowledge transfer through communication and collaboration within and between organizations, technology infrastructure mechanisms to protect knowledge should focus on ways in which IT can be designed to monitor, control and prevent the leakage of knowledge within and between organizations (Majchrzak and Jarvenpaa, 2010; Neville et al., 2003; Sveen et al., 2007).
3.4. Legal Structures (LEGAL)
Legal frameworks and mechanisms to protect sensitive knowledge include NDAs (e.g. non-disclosure agreements and confidentiality agreements), contracts and patents (Norman, 2001). Patents provide legal protection in limited situations where it can be argued that the knowledge is an ‘invention’. Norman (2001) points out that patents are frequently limited in scope and may not protect all the knowledge deemed sensitive by organizations. Further, declaration of a patent often requires a certain amount of disclosure that may increase the exposure of the knowledge asset(s). NDAs are more flexible in scope and can be tailored to cover particular knowledge assets. However, Norman (2001) points out that their effectiveness is questionable, as the existence of an NDA between partners creates an artificial environment of comfort that tends to encourage the indiscriminate sharing of knowledge.
Table 1 summarizes the knowledge protection areas and accompanying area-related knowledge protection mechanisms for each area.
Having considered the diversity of knowledge protection mechanisms, the reality of knowledge protection mechanisms and practices is examined using a number of case organizations. The methodology and data collection are described in the next section, followed by the actual evidence from the cases in the Results section.
4. Methodology and data collection
Due to the explorative nature of this study, this research followed a qualitative research design using different case organizations. Data collection comprised interviews that were conducted in eleven knowledge-intensive organizations as outlined in Table 2. Supplementary documentation provided by the organizations was examined for triangulation. Medium to large organizations located in Australia were approached to participate in this study. The highest-ranking personnel responsible for knowledge strategy were interviewed. The purpose of each interview was to determine how each organization encouraged the flow and sharing of knowledge, while also ensuring that knowledge leakage does not occur. We chose to interview senior managers, since the interest was to identify whether managers were concerned about knowledge leakage and what they thought had to be in place to prevent the leaking of knowledge. Interviews were conducted over a period of four months. Each interview lasted approximately 1 h and was audio-recorded with the consent of each interviewee. Following the interviews, each interview was transcribed verbatim and shared with each interviewee to check validity and verify the content. Apart from interviews, key documents were also analyzed to get a better understanding of knowledge protection mechanisms used in each of the organizations. Table 2 presents more detail about each case organization in terms of core business, its type, size and sensitive knowledge to be protected (*due to ethical considerations, pseudonyms are used for each organization).
The transcribed data was analyzed using selective, axial and thematic content analysis (Krippendorff, 1980; Miles & Huberman, 1994) and drawing on the different categories outlined in Table 1 to classify collected evidence. In particular, each of the three authors individually assessed the evidence and compared assessments collectively. In most instances, there was significant agreement between the authors on how the different mechanisms were classified. In addition, lists of observations were developed for each case pointing to subtle nuances or departures in the approach adopted in a particular case, from the advice advocated in literature. Findings in terms of the relevance of the different knowledge protection areas and mechanisms used are presented in the section that follows.
5. Findings
The findings draw on the structure of the different knowledge
protection areas, and associated mechanisms as listed in
Table 1. Each area and associated set of mechanisms high-
lights (a) evidence from the field study that confirms the use of
the mechanisms advocated in the research literature, (b) evi-
dence where the case organizations deployed the mecha-
nisms differently compared to advice from the literature, and
(c) mechanisms in literature, for which no empirical evidence
was found in the cases. An overview of the findings is
summarized in Table 3.
5.1. Strategic-level Management Initiatives (STRAT)
5.1.1. Identifying Valuable, Rare, Inimitable and Non-
Substitutable (VRIN) knowledge assets (STRAT 1a)
There was no evidence of a comprehensive and systematic
assessment of security risks or sensitivity analysis of knowl-
edge in the organizations either from the interviews con-
ducted or the documentation provided. However, unlike in
government organizations where the focus was on protecting
client information (due to privacy and legislative concerns), in
private organizations (in the consulting/services sector and
those leveraging IP for competitive advantage) there was evi-
dence that there was awareness of some VRIN assets. For
example, when asked about the potential for breaches of
confidentiality, the Knowledge Manager for AuditCo-A
pointed to the consulting services methodology as a particular
asset of concern: “… [if] the loss of intellectual property of
something with our own methodology had been sort of leaked out
and someone gained access to our various internal systems to see
how we do a particular piece of work.”
Where organizations rely heavily on particular knowledge
for competitive advantage, this awareness was even more
pronounced. MediCo is a 150 million dollar business
competing against a single 8 billion dollar competitor. They
are acutely aware of the significance of their knowledge assets
and the need for protection. On the importance of knowledge
confidentiality their Knowledge Manager said: “There are sorts
of areas where we have to be careful about it [knowledge
confidentiality] obviously like board meeting minutes and those sorts of
things … Corporate strategy is confidential, so we protect that very
carefully and also a lot of our legislative compliance stuff especially
in the US where it is all over the place. There are a number of
different laws we have to comply with. They change in every state, so
a lot of that is shared only within a certain group as well and of
course pricing and that sort of stuff is also held”.
Table 2 – Case organization details.
| Organization* | Type | Size | Sensitive knowledge to be protected |
|---|---|---|---|
| 1. AuditCo-A | Audit, Tax and Financial consulting | Large, global | Process, product, client |
| 2. GovHealth | State health services | Large, statewide | Client, process, service |
| 3. ConsultCo | Knowledge and Information Management Consulting | SME, national | Methodology, best practices |
| 4. GovLegal | Juristic and legal services | Large, statewide | Policy, product, process and service |
| 5. StratCo | Management Strategy and Leadership consulting | SME, national | Marketing, tenders (product) and process |
| 6. MediCo | Healthcare products manufacturing and services | Large, MNC | Process, product and project |
| 7. EconGov | Economic and financial policy | Large, national | Process, product, policy, procedural |
| 8. AuditCo-B | Audit and Financial Risk Consulting | Large, MNC | Product, process, procedural |
| 9. TeleCom | Telecommunications | Large, national | Product, process and service |
| 10. AuditCo-C | Audit, Tax and Risk Consulting | Large, global | Process, product, procedural |
| 11. ResearchEd | Research and Education | Large, national | Process and research findings |
Table 3 – Summary of Knowledge protection mechanisms observed in field study.
| Knowledge protection area | Mechanisms documented in the literature | Evidence from field study |
|---|---|---|
| Strategic-level Management Initiatives (STRAT) | Identifying Valuable, Rare, Inimitable and Non-Substitutable knowledge assets (i.e., WHAT to protect): a) Key firm knowledge resources and assets identified and associated risks considered | No evidence of systematic sensitivity analysis or risk assessment. Some awareness of VRIN assets in private organizations. In consulting/services firms, this manifested strongly as protection of client knowledge and information rather than that of the firm itself. |
| | Developing, implementing and resourcing policies, procedures and guidelines on Knowledge Protection (i.e., HOW to protect knowledge): | |
| | Identifying knowledge protection roles | No evidence found |
| | Implementing protection processes and mechanisms (e.g. monitoring of knowledge flows) | No evidence of a formal and systematic approach by management to protect knowledge. Where significant IP existed, there were some ad-hoc measures in place. In consulting/services and government firms, protection processes were applied to client data by knowledge or information owners rather than management. |
| | Developing policies, procedures and guidelines (e.g. policies on knowledge sharing, background screening, acceptable use of collaborative technologies) | No evidence of formal policies, procedures and guidelines from management instituted for knowledge protection purposes. |
| | Developing a security culture (e.g., raising awareness, training, and education) | Some evidence of training related to usage of protection mechanisms, however management did not institute these or consider them with knowledge security in mind. |
| | Resourcing security initiatives (e.g., specific funding for knowledge protection initiatives) | No evidence found. |
| | Identification of relevant IP rights and laws for knowledge protection policies | No evidence of formal identification and dissemination of information regarding IP and legal issues to the organization. However, there was evidence of some managers being aware of IP and legal issues related to the handling and leakage of knowledge and information. |
| Operational-level Knowledge Protection Processes (PROC) | Compartmentalization to protect sensitive knowledge (e.g., limiting information flows, specifying off-limit knowledge) | Used in many different ways by a range of organizations to protect knowledge (as well as information). Typically applied by knowledge owners in private enterprise to meet client confidentiality needs. Applied in government at an information-level to comply with laws on client privacy and confidentiality. |
| | Classification and handling knowledge (e.g. labeling of documents as secure, confidential or highly confidential, and allocating access rights to employees) | No evidence of classification and handling of knowledge at the process level in any organization. Regulation of rights to knowledge occurs at the technology level. |
| | Making knowledge explicit to prevent loss (e.g. when employees move on) | Evident only in private enterprise where the preservation of operational knowledge was considered important. Employees kept a detailed and ongoing record of knowledge about the organization’s products and services. |
| | Deliberately keeping knowledge tacit to mitigate leakage | Evident only where there was awareness of serious consequences for leakage such as with client information in consulting/services and Intellectual Property in other private enterprise. |
| Supporting Technology Infrastructure (TECHINF) | Identification, configuration and deployment of tools and technologies to authenticate, control and track access to sensitive information | Considerable evidence of computing technologies being configured and deployed to regulate access to codified knowledge and information. Configuration typically carried out by knowledge and information owners to support compartmentalization (see PROC (1)). |
| Legal Structures for Knowledge Protection (LEGAL) | Use of legal frameworks and mechanisms to protect sensitive knowledge (e.g., Non-Disclosure Agreements (NDAs), Patents, Contracts) | Widespread use of NDAs and other legal frameworks across all case organizations. Used to protect client confidential knowledge and information in consulting/services. Used to mitigate leakage of IP in private enterprise and to manage conflict-of-interest and client confidential information in government agencies. |
5.1.2. Identifying knowledge protection roles (STRAT 2a)
At a strategic management level, the literature points to the
need to appoint roles in the areas of knowledge protection.
Interestingly, the researchers did not find any evidence from
the interviews or documentation that any of the organizations
had a formal knowledge protection strategy in place in terms
of actual roles, although there were a number of ad-hoc
measures in place (discussed in the following sections).
Further, none of the managers interviewed were originally
appointed or are currently seen as an explicit part of a
management-initiated protection strategy.
5.1.3. Implementing protection processes and mechanisms
(e.g., monitoring of knowledge flows) (STRAT 2b)
There was no evidence of a formal and systematic approach
by management to implement knowledge protection pro-
cesses and mechanisms across the organizations studied. In
the consulting/services sector, protective measures typically take the
form of compartmentalization around client projects. For
example, in MediCo, the most risk-aware enterprise,
employee handling of confidential knowledge may be moni-
tored: “As a business we are concerned about those areas [of
confidential knowledge], so we do track in all those ‘tight’ areas, that
is we do watch employees that deal with that knowledge [but] that is
done on a personal sort of basis.”
5.1.4. Developing policies, procedures and guidelines (e.g.,
policies on knowledge sharing, background screening,
acceptable use of collaborative technologies) (STRAT 2c)
ConsultCo’s Knowledge Manager describes the methodology
applied to their clients indicating how they first use taxon-
omies to assist in the identification of explicit knowledge after
which they determine policies and guidelines on protection.
This helps to control the flow of sensitive knowledge as indi-
cated: “We’ve got a fundamental belief that the taxonomy is the core
of this and by going through your taxonomy you identify pieces of
information and then you can apply your governance to that infor-
mation to who it can be shared with, who it can’t be shared with,
what’s appropriate … [the] next bit of that is to work out the priority
of those taxonomy items in terms of who can see it, who can’t, who
are the author and how much you protect it”.
5.1.5. Developing a security culture (e.g., raising awareness,
training, and education) (STRAT 2d)
MediCo is acutely aware of the risk of knowledge leakage as a
consequence of employee turnover. Given the competitive
environment within which MediCo operates, the organization
has reflected on the security of its sensitive information and
taken security precautions (which influences security culture)
to prevent newcomers from getting access to critical
competitive knowledge: “… they learn more and more about
things like pricing, corporate strategy as they go forward and we
know they’re going to hang around for a while. So we don’t just give
people a big manual with everything we do from the start.”
5.1.6. Resourcing security initiatives (STRAT 2e)
There was no evidence of any security resourcing initiatives in
the area of knowledge protection in any of the case organi-
zations. This is not surprising given there was also no evi-
dence to be found of a formal knowledge protection strategy
or knowledge protection related roles appointed.
5.1.7. Identification of relevant IP rights and laws for
knowledge protection policies (STRAT 2f)
Evidence of formal identification and dissemination of infor-
mation regarding IP and legal issues to the organization was
not found amongst the interviews or documentation. How-
ever, there was evidence of some managers being aware of IP
and legal issues related to the handling and leakage of
knowledge and information. For example, in the case of
AuditCo-A: “I also think that if anyone was found to be using some
of the firm’s methodologies it would become clear so quickly that
something has to happen. And yes we would have a problem and so
would that person.”
5.2. Operational-level Knowledge Protection Processes
(PROC)
5.2.1. Compartmentalization to protect sensitive knowledge
(e.g., limiting information flows, specifying off-limit knowledge)
(PROC 1)
Compartmentalization, or the limiting of access to sensitive
knowledge, was used by some of the case organizations in
different ways for different purposes. Management consul-
tancies typically applied knowledge protection mechanisms
around client projects for the duration of the project. For
example, consultants at AuditCo-A have been known to
refuse the sharing of project and client knowledge as indi-
cated by the Knowledge Manager: “Occasionally within our
transaction group they won’t want to talk about the things they are
doing because they are confidential, but once they are finished it is ok.
So I guess this type of – sorry we can’t tell you because this project is
confidential.”
In government organizations like GovHealth, where there
is strict compliance with laws on privacy and client confi-
dentiality, information flow is extremely limited as indicated
by their Knowledge Manager: “Well not much data flows
unfortunately, they tend to lock it up. The organization is very risk averse
because of the industry they deal with and the amount of press
[media exposure] that they get. So when in doubt, lock it up. That’s
part of the nature and culture. As a result there tends to be very little
data sharing within the department.”
5.2.2. Classification and handling of knowledge (e.g., labeling
of documents as secure, confidential or highly confidential, and
allocating access rights to employees) (PROC 2)
The in-depth discussion with all interviewees on the topic of
information sensitivity and control did not yield any reference
to a systematic classification system for knowledge and cor-
responding handling procedures and guidelines. Access to
knowledge was instead governed informally, such as at the
discretion of knowledge owners. The classification or regula-
tion of access rights is handled at the technology level rather
than the process level.
5.2.3. Making knowledge explicit to prevent loss (e.g. when
employees move on) (PROC 3)
As mentioned in Section 3.2, making knowledge explicit is a
means of increasing knowledge availability and reducing the
risk of knowledge loss to the organization. Therefore, one
security technique of preventing the loss of tacit knowledge
when employees exit an organization is to have the knowl-
edge routinely codified. MediCo maintains wikis internally as
a means of documenting operational knowledge about its
products and services. These wikis are instrumental in pre-
venting loss and increasing redundancy of knowledge as
indicated by the Knowledge Manager: “So the guy that is in the
current position is now looking back four generations of people to see
what notes he made about the certain project, the certain job or
licensing issue or contract we have with someone and the reasoning
behind how we got to that.”
5.2.4. Deliberately keeping knowledge tacit to mitigate
leakage (PROC 4)
A technique of preventing knowledge leakage is to disallow
codification thereby keeping knowledge tacit. Unlike PROC 3
that increases availability to reduce the risk of loss or
destruction, this process decreases availability to reduce the
risk of leakage. As explained in Section 3.2, the two pro-
cesses reflect the traditional competition between preser-
vation of confidentiality and ensuring availability. In our
field study we found PROC 4 was used where there was a
high level of awareness of the consequences of knowledge
leakage. When asked how MediCo protects its competitive
advantage, the Knowledge Manager replied: “We try and keep
it at a fairly tacit level unless it needs to be enacted in a project and
then we try to look after key managers and people so they don’t
leave. That has not always worked; one of our key sales guys in US
went over to the competition and took most of the knowledge with
him.”
Knowledge is kept deliberately tacit in consulting/services
to circumvent client confidentiality provisions where there
was a strong need to share knowledge about consulting
practices across projects. In AuditCo-A client managers act as
conduits arranging an exchange of tacit knowledge between
members of different projects: “I guess another thing within KM
if you know the team involved with a particular client, we will have
a client service partner who will be the primary access point for the
client. You can always ask them anyway, this goes back to the
whole thing: it’s about making sure people know who to talk to.”
5.3. Supporting Technology Infrastructure (TECHINF)
There was considerable evidence of computing technologies
being configured and deployed to regulate access to codified
knowledge and information. Technology mechanisms such as
user authentication, file systems and network drive access
controls, and even document management systems were
commonly used. There was no particular type of technology
or pattern of configuration and deployment distinct to
knowledge as opposed to general information. Further, orga-
nizations often left configuration and deployment of tech-
nology to the discretion of individual employees. “I am sure
some people will set up a folder and lock down the security. The
general approach is to trust people not to have to set up all this
infrastructure, there is all sort of scenarios and contingency you can
set up to reduce the risk of people breaching confidentiality, but we
choose to basically trust our staff” (StratCo) and “We would inform
people about the restrictions we have in government, but also how
we want people to do things like set access controls. So we let them
choose … Lots of people are doing the right thing, but there are also a
lot of people who just lock everything down, they will say ‘I don’t
want anybody to see it.’” (EconGov).
5.4. Legal Structures (LEGAL)
Most organizations used legal frameworks and mechanisms
to mitigate the leakage of sensitive knowledge and informa-
tion. General mechanisms (particularly important in consul-
ting organizations), were NDAs and contracts to control
sharing of sensitive client knowledge. Many organizations
(government and private) required new employees (and third
parties) to sign confidentiality agreements when starting to
work for the organization: “… [when starting to work here] I
signed a confidentiality agreement and also signed as part of that
how to deal with conflict of interest” (GovLegal) and “A lot of the
third party people we deal with are all required to sign confidentiality
agreements before they even work for us … in fact we had a university
student coming to our plant the other day and he/she had to
sign a confidentiality agreement just to enter the plant, so this is
taken seriously...” (MediCo).
6. Discussion
In summary, the findings from the field study indicate the
following three key observations:
• Organizations are indeed acutely aware of their valuable
competitive knowledge and information assets (e.g.,
methodologies in the case of consulting services, competitive
knowledge and intellectual property in the case of
other private enterprises, and client-confidential details in
the case of consulting/services and government organizations).
As such, managers in these organizations were
concerned about leakage related to these assets.
• We did not observe evidence of a formal, comprehensive
or strategic approach towards leakage mitigation in the
organizations studied. Actually, haphazard or informal
approaches dominated. This may of course be related to
the sample of organizations that we studied. However,
based on discussions with the managers involved, we
strongly suspect this relates to the fragmented nature of
available advice in both the academic and professional
literature, and the lack of comprehensive strategic-level
frameworks/advice on leakage mitigation in
particular.
• Even senior managers tended to conflate the protection of
the organization’s own competitive knowledge with the
protection of operational (client-confidential) information,
even to the extent where the latter crowded out managerial
attention to the former. Clearly this situation could have a
significant negative impact on knowledge-intensive
organizations’ competitive advantage in the long run.
In turn, these observations point to the need for further
research towards more comprehensive leakage mitigation
frameworks, which are framed to be more strategically-
relevant and prioritized in the context of the protection of
organizational resources and competitive advantage. In this
regard, we put forth several suggestions for further research in
this area.
6.1. The need for a more strategically-focused approach
to leakage mitigation
We suspect the often haphazard, fragmented and informal
approaches observed in the field study are symptomatic of
the lack of comprehensive, and strategically-focused
frameworks to conceptualize leakage mitigation. A key
research challenge is therefore to reconcile the discrete
asset-oriented perspective of the information security liter-
ature with the more fluid knowledge perspective adopted by
the strategic management and knowledge management
literature. Given the challenge to leakage mitigation posed
by social media platforms, how knowledge resources are
characterized (i.e., as discrete objects or more fluid entities)
will be critical to the strategic relevance of such leakage
mitigation frameworks.
We suggest that leakage mitigation should be framed as
part of an organization’s broader set of capabilities to protect
its underlying competitive resource/capability base. A fruitful
approach in this regard would be to draw on the literature on
the Resource-Based View (RBV) and Dynamic Capabilities
(Teece, 2009) mentioned earlier, as theoretical underpinning.
RBV emphasizes an organization’s VRIN resources (tangible
and intangible) and capabilities as key determinants of its
competitive advantage. Dynamic capabilities considers how
organizations adapt, transform and protect these resources
and capabilities in order to sustain their competitive advan-
tage over time. In particular, leakage mitigation (when
conceptualized as a dynamic capability), would then be geared
towards the protection of the firm’s competitive resource and
capabilities.
Our field study indicated two intangible organizational
resources, which seem especially vulnerable in terms of
data/information and knowledge leakage: competitive
knowledge (e.g., key consulting methodologies,
manufacturing know-how, etc.), and the firm’s reputation
(which can incur significant harm should confidential details
leak). Indeed, the RBV literature has suggested that
competitive knowledge and reputation should be considered
as intangible organizational resources (refer sources such as
Grant, 1996, Boyd et al., 2010, Rindova et al., 2010). Leakage
mitigation as dynamic capability (as with all firm capabil-
ities) would then integrate capability dimensions (refer
Leonard-Barton, 1992) such as employee skills and expertise
(e.g., knowledge of mitigation mechanisms), technical sys-
tems (e.g., which combinations of mitigation mechanisms
work best), managerial systems (e.g., mitigation policies/
standards and evaluations), and the values and norms
(standard operating procedures, leakage awareness, etc.).
This would elevate leakage mitigation as a dynamic capa-
bility to protect against the erosion of competitive
knowledge and/or reputational harm, in the context of the
firm’s ongoing competitive survival.
6.2. The need for a more strategically-relevant definition
of leakage
Given the broad perspectives on leakage outlined in our
literature review, it is apparent that another research issue is
an improved definition of leakage.
We have argued for a more strategically-focused concep-
tualization of leakage mitigation, notably in the context of
protecting the firm’s longer-term competitive advantage. At
present, many of the leakage definitions and literature are
typically framed in the context of data, information or
knowledge leaks, without a broader consideration in terms of
the potential impact (especially strategically) of such leakage.
Clearly, not all leaks have the same potential negative impact
on the organization. For example, leakage of staff parking
details would likely have less of an impact on the firm’s
ongoing competitiveness compared to leakage of a key
manufacturing know-how. We suggest that leakage should
therefore be defined in terms of its potential negative impact
(in terms of the erosion of its key resources/capabilities,
notably competitive knowledge and firm reputation). In this
regard, it is also important to note that even minimal leakage
could have a devastating negative impact on reputation or
competitiveness.
6.3. The need for an improved focus and prioritization of
leakage mitigation efforts
We observed that even senior managers tend to conflate the
protection of organizational knowledge with the protection of
the firm’s operational information (client information and confidentiality)
(refer Table 4). As argued above, leakage from both these areas
could have potentially devastating consequences for the firm.
We suggest it may be more helpful to distinguish between
these different areas, at least to ensure adequate managerial
attention to both. Furthermore, in the present study, we
noticed that many mechanisms could apply to both (I) and (II)
(e.g., compartmentalization and legal), though mechanisms
such as keeping knowledge deliberately tacit apply particu-
larly to (I).
The proposed distinctions will enable a better focus on the
kind of operations and knowledge protection strategies given
the nature of business of different organizations. Consider
that disclosure of knowledge of competitive advantage can
damage an organization irreparably, compared to leakage of
confidential details (from which organizations could recover
e.g. via restitution of reputation).
Table 4 – Pertinent aspects for future studies on organizational knowledge and information protection.
(I) Protection of the firm’s own competitive knowledge (thus ultimately protecting the firm’s competitive advantage against erosion)
    (a) Competitive knowledge (e.g. strategy, pricing, target markets)
    (b) Operational knowledge (e.g. know-how, know-when)
(II) Protecting the confidentiality of the firm’s operational information (e.g. client-related details confidentiality, privacy) thus ultimately protecting the firm’s reputation as intangible competitive resource
The key parameters revolve around the centrality of I (a) i.e.,
for competitive firms this aspect would be highly significant as
compared to the public sector firms where it would be insig-
nificant. The distinction between I (a) and (b) would account for
why some firms are able to secure their competitive strategy
yet have difficulty to control leakage of operational knowledge
(e.g., as a result of staff turnover between competitors). Inclusion
of (II) is pertinent for example in some public sector
organizations that may have highly confidential information that
warrants protection for privacy/legislative reasons, yet place
less emphasis on the protection of their operational knowl-
edge. On the other hand, other public sector organizations
(such as the police) would have high levels of operational
knowledge to protect (e.g., tactical knowledge of when and
how to conduct specific types of operations) in addition to the
confidentiality of their operational information.
Our findings regarding the relative susceptibility to leakage
(i.e., in terms of organizational competitive advantage and
client confidential information) suggest future research
should focus on three key categories of organizations (see
cells A to C in Fig. 1). The first category is those organizations
with significant volumes of client-confidential information
that are governed by external laws or regulations. Organiza-
tions that typically fall in this category are government
agencies that provide human services (legal, social, commu-
nity and welfare organizations for example). Clearly the
inadvertent leakage of such information could have a signifi-
cant negative impact on these types of organizations and of
course individuals concerned. However, these types of orga-
nizations tend not to be much concerned about competitive-
ness, given the nature of the sector in which they conduct
their operations. Such organizations therefore would be more
focused on leakage concerns in terms of confidentiality
breaches, which would negatively impact firm reputation. The
second category is organizations such as consulting,
telecommunications and utility firms that have both a high degree of
client-confidential and competitively-sensitive data, infor-
mation and knowledge as part of their operations. As such
these organizations face a dual exposure in terms of leakage,
and thus have to consider leakage mitigation on both fronts.
The third category is organizations in sectors such as fast
moving consumer goods, manufacturing and logistics that
operate in highly competitive sectors. However, these orga-
nizations tend to have much lower volumes of client-
confidential details as part of their operations. Conse-
quently, such organizations tend to focus predominantly on
mitigating the exposure to competitively-sensitive knowledge
leakage. Organizations with no significant exposure to either
the leakage of client-confidential, or competitively-sensitive
data, information or knowledge, fall outside the focus of this
research (cell D in Fig. 1).
6.4. Limitations and future research
Our study has the following limitations. First our sample was
specific and relatively small. Hence, as noted earlier the fact
that we did not find specific evidence of a systematic approach
to the mitigation of knowledge leakage might therefore be
sample-related. Despite this we strongly suspect that this
observation is not sample-related but indicative of a larger
phenomenon, given that we spoke to experienced managers
who were responsible for knowledge-related functions at
well-known firms. Still, our findings need to be explored in
larger empirical studies across multiple organizational sec-
tors. This will confirm the extent of the issues highlighted as
problematic in this study.
Second, our main source of information was interviews
with senior-level managers. As such we did not explore
leakage-related behaviors at the operational level in terms of
day-to-day routines. Of course this is where much of the
leakage actually occurs, and points to the need for further
studies in terms of actual employee behavior. This is espe-
cially pertinent in the era of wide-spread use of social media
and mobile technologies in organizations.
7. Conclusion
The study makes three key contributions. First, we
synthesized the range of mechanisms to protect knowledge and
information assets in organizations from the literature
according to four main knowledge protection areas:
Strategic-level Management Initiatives, Operational Level Knowledge
Protection Processes, Supporting Technology Infrastructure,
and Legal Structures. All the evidence in the field study could
be categorized according to these four main knowledge
protection areas, and as such, this categorization can be valuable
for future research. We conclude that the specific mix of
knowledge and information protection mechanisms that an
organization might choose to deploy will depend on the
nature of their operations and competitive resources, the needs
of knowledge and information owners, specific work
processes, and the organization’s business environment.
Fig. 1 – Focal areas in leakage research design.
Second, the study highlights the following main empirical
observations: (1) Organizations are indeed acutely aware of
their valuable knowledge and information and were
concerned about possible leakage related to these assets. (2) We
did not observe evidence of a formal, comprehensive or
strategic approach towards leakage mitigation in the
organizations studied. Haphazard or informal approaches
dominated. (3) Even senior managers tended to conflate the
protection of the organization’s own competitive knowledge
with the protection of operational (e.g. client-confidential)
information.
Based on these observations, we raised the need for a more
comprehensive managerial framework (such as a maturity
model similar to, e.g. CMM or COBIT), to enable organizations
to calibrate their current approaches and manage information
and knowledge protection more strategically. This calls for a
more strategically-focused definition of leakage in the context
of the possible negative impact on firm resources and future
competitiveness.
The empirical observations and suggestions put forth in
this regard point to the need for larger empirical studies and
further theoretical development in the areas of leakage and
leakage mitigation approaches.
references
Ahmad A, Maynard SB, Park S. Information security strategies:
towards an organisational multi-strategy perspective. J Intell
Manuf 2012:1e14.
Aljafari R, Sarnikar S. A framework for assessing knowledge
sharing risks in interorganizational networks. In: Paper
presented at the Americas conference on information systems
(AMCIS) 2009.
Amiri A. Dare to share: protecting sensitive knowledge with data
sanitization. Decis Support Syst 2007;43:181e91.
Anderson R. Security engineering. Vol. 2nd ed. Indiana: John
Wiley and sons; 2008.
Annansingh F. Exploring the risks of knowledge leakage: an
information systems case study approach. Croatia: InTech
Open Science, Open Minds; 2005.
Barney J. Firm resources and sustained competitive advantage. J
Manag 1991;17(1):99e120.
Barney J. The resource-based theory of the firm. Organ Sci
1996;7(5):469e79.
Barney J, Hesterly WS. Strategic management and competitive
advantage: concepts and cases. Boston: Prentice-Hall; 2006.
Blasco A, Jorge X. Bypassing information leakage protection with
trusted applications. Comput Secur 2013;31(4):557e68.
Bloodgood JM, Salisbury WD. Understanding the influence of
organizational change strategies on information technology
and knowledge management strategies. Decis Support Syst
2001;31:55e69.
Boyd BK, Bergh DD, Ketchen DK. Reconsidering the reputation e
performance relationship: a resource-based view. J Manag
2010;36(3):588e609.
Chai H-K, Yap CM, Wang X. Network closure’s impact on
firms’ competitive advantage. J Eng Technol Manag
2011;28:2e22.
Davenport T, Prusak L. Working knowledge: how organizations
manage what they know. Boston: Harvard Business School
Press; 1998.
De Faria P, Sofka W. Knowledge protection strategies of
mutinational firms - a cross-country comparison. Res Policy
2010;39:956e68.
Denning DE. Information, warfare and security. New York:
Addison Wesley; 1999.
DeSouza KC. Knowledge Security: an interesting research space. J
Inf Sci Technol 2006;25:85e98.
DeSouza KC, Vanapalli GK. Securing knowledge in organizations:
lessons from the defense and intelligence sectors. Int J Inf
Manag 2005;3(1):1e7.
Dhillon G. Principles of information systems security. John Wiley
and Sons; 2006.
Dierickx L, Cool K. Asset stock accumulation and sustainability of
competitive advantage. Manag Sci 1989;35(12):1504e11.
Earl M. Knowledge management strategies: towards a taxonomy.
J Manag Inf Syst 2001;18(1):215e33.
Easterby-Smith M, Lyles MA, Tsang EWK. Inter-organizational
knowledge transfer: current themes and future prospects. J
Manag Stud 2008;45(4):677e90.
Eisenhardt KM, Martin JA. Dynamic capabilities: what are they?
Strateg Manag J 2000;21:1105e21.
Farahmand F, Spafford EH. Understanding insiders: an analysis of
risk-taking behaviour. Inf Syst Front 2013;15:5e15.
Ford R, Helayne R. Googling for gold: web crawlers, hacking and
defense explained. Netw Secur 2004;(1):10e3.
Gold AH, Malhotra A, Segars AH. Knowledge management: an
organizational capabilities perspective. J Manag Inf Syst
2001;18(1):185e214.
Graf H. Gatekeepers in regional networks of innovators. Camb J
Econ 2011;35(1):173e98.
Grant RM. Toward a knowledge-based theory of the firm. Strateg
Manag J 1996;17(Winter special issue):109e22.
Grant RM. The knowledge-based view of the firm: implications for
management practice. Long Range Planning 1997;30:450e4.
Hansen M, Nohria N, Tierney T. What’s your strategy for
managing knowledge? Harv Bus Rev 1999;77(2):106e16.
Hildreth PM, Kimble C. The duality of knowledge. Inf Res
2002;8(1).
Holsapple C, Jones K. Exploring secondary activities of the
knowledge chain. Knowl Process Manag 2005;12(1):3e31.
Hurmelinna-Laukkanen P, Puumalainen K. Formation of the
appropriate regime: strategic and practical considerations.
Innovation Manag policy Pract 2007;9:2e13.
Huth CL. Guest editorial: a brief overview of data leakage and
insider threats. Inf Syst Front 2013:1e4.
Jones A, Ashenden D. Risk management for computer security.
Oxford: Elsevier Butterworth-Heineman; 2005.
Krippendorff K. Content analysis: An introduction to its
methodology. Beverly Hills: Sage; 1980.
Lee J, Upadhyaya SJ, Rao HR, Sharman R. Secure knowledge
management and the semantic web. Commun ACM
2005;48(12):48e54.
Leonard-Barton D. Core capabilities and core rigidities: a paradox
in managing new product development. Strateg Manag J
1992;13(Summer special issue):111e26.
Liebeskind JP. Knowledge, strategy, and the theory of the firm.
Strateg Manag J 1996;17(Winter Special Issue):93e107.
Mahoney JT, Pandian JR. The resource-based view within the
conversation of strategic management. Strateg Manag J
1992;13(5):363e80.
Majchrzak M, Jarvenpaa SL. Safe context for Interorganizational
collaborations among homeland security professionals. J
Strateg Inf Syst 2010;27(2):55e86.
Marabelli M, Newell S. Knowledge risksin organizational networks:
the practice perspective. J Strateg Inf Syst 2012;21:18e30.
computers & security 42 (2014) 27e3938
Miles MB, Huberman AM. Qualitative data analysis: An expanded
sourcebook. California, USA: SAGE Publications; 1994.
Neville K, Powell P, Penteli N. Knowledge and security. In: Paper
presented at the Americas conference on information systems
(AMCIS) 2003.
Nonaka I. A dynamic theory of organizational knowledge
creation. Organ Sci 1994;5(1):14e37.
Nonaka I, Toyama R, Konno N. SECI, Ba and Leadership: a unified
model of dynamic knowledge creation. Long Range Plan
2000;33:5e34.
Norman PM. Are your secrets safe? Knowledge protection in
strategic alliances. Bus Horizons Nov-Dec 2001:51e60.
O’Donoghue N, Croasdell DT. Protecting knowledge assets in
multinational enterprises: a comparative case approach. VINE
2009;39(4):298e318.
Olander H, Hurmelinna-Laukunnen P. The effects of HRM-related
mechanisms on communication in R&D Collaboration. Int J
Innovation Manag 2010;14(3):415e33.
Olander H, Hurmelinna-Laukunnen P, Mahonen J. What’s small
size got to do with it? Protection of intellectual assets in SMEs.
Int J Innovation Manag 2009;13(3):349e70.
Peteraf MA. The cornerstones of competitive advantage: a
resource-based view. Strateg Manag J 1993;14(3):179e91.
Polanyi M. The tacit dimension. New York: Doubleday &
Company Inc; 1966.
Rindova VP, Williamson IO, Petkova AP. Reputation as an
intangible asset: reflections on theory and methods in two
empirical studies of business school reputations. J Manag
2010;36(3):610e9.
Schneier B. Beyond fear. New York: Springer; 2006.
Shedden P, Scheepers R, Smith W, Ahmad A. Incorporating a
knowledge perspective into security risk assessment. VINE J
Knowl Manag 2011;41(2):152e66.
Spears JL. A holisticrisk analysis method for identifying information
security risks security management, integrity and internal
control in information systems. Boston: Sprinter Boston; 2006.
Sveen FO, Rich E, Jager M. Overcoming organizational challenges to
secure knowledge management. Inf Syst Front 2007;9:481e92.
Teece D. Dynamic capabilities and strategic management.
Oxford: Oxford University Press; 2009.
Thompson ED, Kaarst-Brown ML. Sensitive Information: a review
and research agenda. J Am Soc Inf Sci Technol
2005;56(3):245e57.
Trkman P, Desouza K. Knowledge risks in organizational
networks: an exploratory framework. J Strateg Inf Syst
2012;21:1e17.
Whitman ME. Enemy at the gate: threats to information security.
Commun ACM 2003;46(8).
Whitman ME, Mattord HJ. Principles of information security.
Boston: Mass: Thomson Course Technology; 2012.
Winter SG. Understanding dynamic capabilities. Strategic Manag
J 2003;24:991e5.
Dr. Atif Ahmad is an academic based at the Department of
Computing and Information Systems, University of Melbourne.
His research interests are in the management of information
security in organizations specifically relating to strategy, risk,
culture, and incident response. In previous years Atif worked as a
consultant for Pinkerton and WorleyParsons where he applied his
expertise to Internet corporations and critical infrastructure
installations. Atif is a Board Certified Protection Professional (CPP)
with the American Society for Industrial Security and holds an
adjunct position at the secau Security Research Centre at Edith
Cowan University.
Rachelle Bosua is an Academic in the Department of Computing
and Information Systems (CIS) at the University of Melbourne.
Since obtaining her PhD from The University of Melbourne in
2008, she researches different areas that involve the modeling,
design, adoption, use and support of IT in different organisational
settings and contexts. Her empirical research expertise involves
mixed methods research in the areas of: Knowledge Sharing and
Innovation, Social Networks and Knowledge Security, Knowledge
Management Information and Knowledge Strategy, Electronic
Content Management Systems (ECMS), Telework/flexible work
and productivity, and the adoption and use of Information and
Communication Technologies (ICTs).
Rens Scheepers currently serves as Associate Dean (Research) in
the Faculty of Business and Law at Deakin University in Victoria,
Australia. Rens has conducted research on topics such as
knowledge strategy, and the role of information technology in
competitive advantage generation. His publications have appeared in
highly-ranked journals in the Information Systems discipline,
including the European Journal of Information Systems, Journal of
Information Technology, Information Systems Journal and Journal of the
Association of Information Systems. He currently serves on the
editorial boards of the Journal of Information Technology, Journal of
Strategic Information Systems and the Australasian Journal of
Information Systems.
... This can erode MNEs' competitive advantage over time, as their core knowledge may be exposed to local partners in IJVs, and result in the creation of new competitors (Contractor, 2019; Jiang, Li, Gao, Bao, & Jiang, 2013), which implies that knowledge leakage leads to MNE headquarters' loss of valuable intellectual property. Therefore, MNEs must take precautions when collaborating with local partners by implementing specific measures and strategies to protect their knowledge (Ahmad, Bosua, & Scheepers, 2014). Therefore, along with knowledge transfer, knowledge leakage in IJVs and MNEs' knowledge protection have become popular research themes in the IB literature (Inkpen et al., 2019). ...
... To cope with such problems, which always come with the formation of IJVs, MNEs use organizational protection mechanisms that contain various tactics to help firms actively engage in and take control of knowledge flows in IJVs. The mechanisms are roughly classified into three areas of knowledge protection: strategic-level, operational-level, and legal structures (Ahmad et al., 2014; De Faria & Sofka, 2010; Norman, 2001). ...
... MNEs begin by identifying what type of knowledge should be kept safe and decide how to protect this knowledge at the strategic level (Ahmad et al., 2014). This is a critical process in which MNEs evaluate the costs and benefits of defending their key assets (i.e., knowledge) to find and develop the best fitting strategies for them. ...
Article
Cross-border transfer and the protection of knowledge are important for multinational enterprises (MNEs) to develop their network partners' capabilities while simultaneously safeguarding competitive advantages. However, they can be challenging for MNEs due to cultural and institutional differences between home and host markets. This poses a dilemma for MNEs, which is how to strike a balance between their knowledge transfer (KT) and knowledge protection (KP) strategies. It is notable that, so far, research has primarily investigated these two areas independently, lacking an integrative view. Therefore, in this article, we reviewed 98 academic articles exploring knowledge transfer/protection in MNEs operating under international joint venture (IJV) arrangements and assessed publications from the last two decades (2000-2022). Drawing from institutional theory and the bargaining power perspective, we developed a conceptual framework highlighting the external and internal factors influencing KT and KP. Subsequently, we contextualized these factors within the specific domain of IJVs, drawing on insights gleaned from the studies in our sample. The interplay of these factors, along with their contextual nuances, provides a holistic and in-depth understanding of how knowledge is managed within the complex dynamics of IJVs. In addition, our review contributes to our understanding of knowledge management in MNEs by identifying novel gaps in the literature and suggesting a number of avenues for future research.
... Recent literature shows how organizations struggle with leakage of sensitive organizational information across various avenues, such as social media, cloud computing and portable data devices (Ahmad et al. 2014; Jiang et al. 2013; Krishnamurthy and Wills 2010; Mohamed et al. 2006). Although much of the literature has focused on technical aspects of leakage (i.e., data and information), scant research has been conducted on knowledge leakage through mobile devices in particular (Agudelo et al. 2015; Ghosh and Rai 2013; Zahadat et al. 2015). ...
... Challenges in confidentiality occur as a result of employee's security (mis)behaviours. Therefore, the focus should shift from technological (e.g., firewall, antivirus, and compartmentalization) and formal (i.e., policies, standards and procedures) controls to human factors (Agudelo et al. 2015, 2016; Ahmad et al. 2014). ...
Preprint
Information and knowledge leakage has become a significant security risk to Australian organizations. Each security incident in Australian business cost an average US$2.8 million. Furthermore, Australian organisations spend the second most worldwide (US$1.2 million each on average) on investigating and assessing information breaches. The leakage of sensitive organizational information occurs through different avenues, such as social media, cloud computing and mobile devices. In this study, we (1) analyze the knowledge leakage risk (KLR) caused by the use of mobile devices in knowledge-intensive Australian organizations, (2) present a conceptual research model to explain the determinants that influence KLR through the use of mobile devices grounded in the literature, (3) conduct interviews with security and knowledge managers to understand what strategies they use to mitigate KLR caused by the use of mobile devices and (4) use content analysis and the conceptual model to frame the preliminary findings from the interviews. Keywords: Knowledge leakage, mobile devices, mobile contexts, knowledge leakage risk
... However, cooperative innovation is accompanied by the risk of knowledge spillover or leakage (Melander & Tell, 2014). Knowledge sharing may lead to knowledge leakage, especially when knowledge is highly similar (Ahmad et al., 2014). These unexpected knowledge spillovers can undermine innovation (Balle et al., 2019). ...
Article
Green technological innovation (GTI) has the dual externalities of promoting technological advancements and facilitating environmental protection. GTI assists manufacturing clusters respond to emission reduction and environmental protection challenges. Non-geographic proximity is vital in promoting knowledge sharing among organizations, facilitating GTI’s effective implementation; in this regard, a gap exists in the current literature. Using data from 330 cluster firms in China’s fine chemical industry and drawing on the knowledge-based view, this study explores how cognitive and social proximities affect GTI in cluster firms. The key findings are as follows: First, cognitive and social proximities are crucial factors driving GTI. Second, knowledge sharing mediates the relationship between proximity and GTI. Third, technological distance positively moderates the relationship between social proximity and green product innovation, and that between social proximity and end-of-pipe technological innovation. These findings have critical implications for cluster firms looking to cultivate network relationships based on distinct types of GTI.
... In a highly competitive environment, an organization's knowledge assets are critical to maintaining its competitive advantage (52). Knowledge leakage through SM occurs in various ways, such as hacker attacks and negligence in sending messages (4,32,33). ...
... Although the discussion of different knowledge risks, which have been defined "a measure of the probability and severity of adverse effects of any activities engaging or related somehow to knowledge that can affect the functioning of an organization on any level" [5, p. 2], has increased in recent years, the focus to date has been on the analysis of individual knowledge risks and their impact on different areas of the company. For example there are studies on knowledge loss [8,9], knowledge attrition [10], knowledge leakage [11,12], knowledge retention [13,14], knowledge hiding [15,16] or organizational forgetting [9,17]. Studies on knowledge risk management (KRM) are generally still rare and empirical studies even rarer [18,19]. ...
Article
Research on the topic of knowledge risks and their management in organizations is still very scarce, this also applies to empirical studies. However, to avoid the uncritical acceptance of empirical results, replication studies play a crucial role in science. Therefore, this study represents a replication study of the type of empirical generalization of the paper by Durst et al. (2019) which studied knowledge risk management (KRM) in private and public organizations. Considering the KRM and performance assumptions underlying the original study and the methodology used, the results at that time are reviewed using new data from 103 Italian cooperative banks. This paper contributes to the study of risks related to knowledge and its theoretical development by providing new empirical evidence from a different cultural, geographical and institutional context. Furthermore, it emphasizes the importance of replication studies for knowledge accumulation and theory development in management science.
... With more people working from home, outdated and underdeveloped IT infrastructures and IT systems have collided with highly sophisticated cyber-attacks, posing technological knowledge risks. In their study among eleven knowledge-intensive firms, Ahmad et al. (2014) revealed no indication of a coherent and thorough management strategy to the identification and preservation of knowledge assets. In addition, several knowledge-intensive firms will encounter the challenge of losing unrecoverable valuable knowledge due to ageing working force who will retire in the upcoming years (Brătianu, 2018). ...
Article
We examine the effect of trade secret protection laws on internal information integration (i.e., the extent to which economic agents are provided with access to decision-relevant information from other economic agents within a firm). We argue that stronger trade secret protection laws increase firms’ internal information integration because they reduce the proprietary costs of information leakage. To test our prediction, we measure a firm’s internal information integration by the share of its sites integrated into its enterprise management system. Exploiting the staggered adoption of trade secret protection laws via the Uniform Trade Secrets Act (UTSA), we find that these laws increase firms’ internal information integration. This effect is stronger (weaker) for firms with higher proprietary costs (coordination benefits). Further, we provide evidence that the UTSA-induced increase in internal information integration translates into improvements of firms’ internal information quality and decision-making quality. Taken together, our results enhance the understanding of the economic trade-offs shaping firms’ internal information environment. This paper was accepted by Ranjani Krishnan, accounting. Funding: S. Bormann and K. Hombach gratefully acknowledge funding from Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) [Grant Project-ID 403041268–TRR 266 Accounting for Transparency]. Supplemental Material: The online appendix and data files are available at https://doi.org/10.1287/mnsc.2021.03484 .
Preprint
The use of mobile devices in knowledge-intensive organizations while effective and cost-efficient also pose a challenging management problem. Often employees whether deliberately or inadvertently are the cause of knowledge leakage in organizations and the use of mobile devices further exacerbates it. This problem is the result of overly focusing on technical controls while neglecting human factors. Knowledge leakage is a multidimensional problem, and in this paper, we highlight the different dimensions that constitute it. In this study, our contributions are threefold. First, we study knowledge leakage risk (KLR) within the context of mobile devices in knowledge-intensive organizations in Australia. Second, we present a conceptual framework to explain and categorize the mitigation strategies to combat KLR through the use of mobile devices grounded in the literature. And third, we apply the framework to the findings from interviews with security and knowledge managers. Keywords: Knowledge Leakage, Knowledge Risk, Knowledge intensive, Mobile device.
Article
This paper focuses on dynamic capabilities and, more generally, the resource‐based view of the firm. We argue that dynamic capabilities are a set of specific and identifiable processes such as product development, strategic decision making, and alliancing. They are neither vague nor tautological. Although dynamic capabilities are idiosyncratic in their details and path dependent in their emergence, they have significant commonalities across firms (popularly termed ‘best practice’). This suggests that they are more homogeneous, fungible, equifinal, and substitutable than is usually assumed. In moderately dynamic markets, dynamic capabilities resemble the traditional conception of routines. They are detailed, analytic, stable processes with predictable outcomes. In contrast, in high‐velocity markets, they are simple, highly experiential and fragile processes with unpredictable outcomes. Finally, well‐known learning mechanisms guide the evolution of dynamic capabilities. In moderately dynamic markets, the evolutionary emphasis is on variation. In high‐velocity markets, it is on selection. At the level of RBV, we conclude that traditional RBV misidentifies the locus of long‐term competitive advantage in dynamic markets, overemphasizes the strategic logic of leverage, and reaches a boundary condition in high‐velocity markets. Copyright © 2000 John Wiley & Sons, Ltd.
Chapter
The dynamic capabilities framework analyzes the sources and methods of wealth creation and capture by private enterprise firms operating in environments of rapid technological change. The competitive advantage of firms is seen as resting on distinctive processes (ways of coordinating and combining), shaped by the firm's (specific) asset positions (such as the firm's portfolio of difficult-to-trade knowledge assets and complementary assets), and the evolution path(s) it has adopted or inherited. The importance of path dependencies is amplified where conditions of increasing returns exist. Whether and how a firm's competitive advantage is eroded depends on the stability of market demand, and the ease of replicability (expanding internally) and imitatability (replication by competitors). If correct, the framework suggests that private wealth creation in regimes of rapid technological change depends in large measure on honing internal technological, organizational, and managerial processes inside the firm. In short, identifying new opportunities and organizing effectively and efficiently to embrace them are generally more fundamental to private wealth creation than is strategizing, if by strategizing one means engaging in business conduct that keeps competitors off balance, raises rival's costs, and excludes new entrants. © 2003 by World Scientific Publishing Co. Pte. Ltd. All rights reserved.
Article
This paper examines the nature of the core capabilities of a firm, focusing in particular on their interaction with new product and process development projects. Two new concepts about core capabilities are explored here. First, while core capabilities are traditionally treated as clusters of distinct technical systems, skills, and managerial systems, these dimensions of capabilities are deeply rooted in values, which constitute an often overlooked but critical fourth dimension. Second, traditional core capabilities have a down side that inhibits innovation, here called core rigidities. Managers of new product and process development projects thus face a paradox: how to take advantage of core capabilities without being hampered by their dysfunctional flip side. Such projects play an important role in emerging strategies by highlighting the need for change and leading the way. Twenty case studies of new product and process development projects in five firms provide illustrative data.
Article
Understanding sources of sustained competitive advantage has become a major area of research in strategic management. Building on the assumptions that strategic resources are heterogeneously distributed across firms and that these differences are stable over time, this article examines the link between firm resources and sustained competitive advantage. Four empirical indicators of the potential of firm resources to generate sustained competitive advantage-value, rareness, imitability, and substitutability are discussed. The model is applied by analyzing the potential of several firm resources for generating sustained competitive advantages. The article concludes by examining implications of this firm resource model of sustained competitive advantage for other business disciplines.
Article
This paper argues that firms have particular institutional capabilities that allow them to protect knowledge from expropriation and imitation more effectively than market contracting. I argue that it is these generalized institutional capabilities that allow firms to generate and protect the unique resources and capabilities that are central to the strategic theory of the firm.