ABSTRACT

This chapter discusses the reflexive analysis and interpretation carried out in the final research cycles, and validates and refines the concepts, framework, and methodology of a responsive approach for managing information security risk in a constantly changing risk environment. The emergence of responsive learning within a responsive strategy leads to an integrated performance evaluation process. When the responsive security approach was first presented to and discussed with information security practitioners outside ALPHA, in an effort to seek disconfirming evidence, questions arose about the viability of the approach. An information security program consists of three components: the first is a program for addressing known risks, the second is preparation for meeting unknown risks, and the third is support for the assurance action strategies. Risk assessment is part of the criticality alignment identification process and identifies known and perceived risks. The tsunami incident illustrates the human tendency to assess risk on the basis of past incidents and local experience, a tendency that leaves risks with no local precedent unaddressed.