key: cord-1053331-gnm28s5u
authors: Zieba, Malgorzata; Bongiovanni, Ivano
title: Knowledge management and knowledge security—Building an integrated framework in the light of COVID‐19
date: 2022-03-29
journal: Knowledge and Process Management
DOI: 10.1002/kpm.1707
sha: f80baae37573aa749a19e5c0489f825c5aaafdf2
doc_id: 1053331
cord_uid: gnm28s5u

This paper presents a framework of knowledge risk management in the face of the COVID‐19 crisis, derived from the literature on knowledge management, knowledge security, and COVID‐19. So far, both researchers and practitioners have focused on knowledge as an asset and their efforts have been aimed at the implementation of knowledge management in various organizational contexts. However, with increasing threats related to cyberattacks or hazards associated with knowledge loss (as magnified by the COVID‐19 crisis), there is a growing need to account for knowledge‐related risks. In this conceptual paper, we integrate the contributions from the knowledge management and knowledge security fields, together with research on COVID‐19 to help organizations protect the knowledge they create, store and share. Based on a structured literature review, our investigation provides researchers and managers with a framework for securely handling organizational knowledge in a critical situation. Our framework revolves around two foci: on the one hand, building appropriate knowledge risk measures and controls; on the other hand, holistically tackling knowledge risks as part of knowledge management activities.

customers and providers, and changing working patterns, for example team collaboration (Waizenegger et al., 2020).
At the same time, new threats have risen: increased unemployment due to rising redundancies (Blustein et al., 2020; Gallant et al., 2020), decreased levels of trust in the economy (Bunker, 2020; Khurshid, 2020; Lovari, 2020), disrupted supply chains (Aday & Aday, 2020; Ivanov & Das, 2020; Mollenkopf et al., 2020), etc. In these challenging circumstances, businesses, in particular SMEs, which are usually less resilient than large incumbents, have to find new ways to leverage their knowledge and, where possible, protect it from such new threats.

Since the emergence of the knowledge management field, knowledge has been perceived as a strategic asset, and organizations effectively managing it could benefit from an improved market position (Darroch & Mcnaughton, 2003) or, in the best case scenario, achievement of competitive advantage (Lee & Lan, 2011). Other benefits of appropriate KM also included: better operational performance (Andreeva & Kianto, 2012; Darroch, 2005; Vaccaro et al., 2010), improved customer satisfaction (Edvardsson & Durst, 2013; Wei & Wang, 2011), and production of innovation (Du Plessis, 2007; Junges et al., 2015). However, recent research has underlined the possibility for significant downsides connected with knowledge, namely the detrimental effects associated with its loss, its capture by competitors or its waste, defined as 'not making use of available and potentially useful knowledge in the organization' (Durst & Zieba, 2019, p. 5). This has led to the development of a nascent literature on knowledge risks (Bratianu, 2018; Durst et al., 2016; Durst & Zieba, 2019; Zieba & Durst, 2018). As a new area of study, knowledge risks have not been examined extensively so far and therefore, there is no clear guidance on how organizations should be handling them, especially now, in the face of the COVID-19 pandemic.
In these new settings, KM and knowledge security systems appear to be potentially useful tools for organizations in handling, for example, fact disinformation and ensuing over- or inadequate reactions, lack of reliable knowledge sources, lack of skills for crisis detection and response, increase in information asymmetry, exploitation of general uncertainty by cyber-criminals (e.g., increase in cyber-frauds; Interpol, 2020), etc.

What benefits could KM and knowledge security mechanisms produce in the light of the COVID-19 crisis? We believe three orders of benefits exist. First, the changing competitive scenario requires companies to better utilize knowledge they collect, store, elaborate, and share to produce competitive advantage. Second, knowledge supports the usage of vital resources in times of crisis (for example, the best allocation of shrinking budgets, the deployment of staff to crucial functional areas or the most effective ways to communicate the crisis externally). Third, organizations that demonstrate superior utilization and protection of knowledge can rebuild trust in customers and other stakeholders, which has the potential to create competitive advantage in times where trust is fast depleting.

We offer here a framework to integrate knowledge security as a fundamental organizational activity, an inseparable part of a KM approach, for organizations operating under the challenging circumstances of the global pandemic. Despite an acknowledgement of their importance in the face of crises, research and practice in KM and security are still in their infancy (Ahmad et al., 2014; Manhart & Thalmann, 2015; Obitade, 2019). In particular, KM researchers do not seem to pay sufficient attention to knowledge security, considering it more like a subcomponent of a broader KM system (Jennex & Zyngier, 2007). By means of our conceptual framework, we aim at supporting organisations at the mercy of the COVID-19 crisis in better managing and protecting their knowledge.
After a concise literature review, we illustrate our methodology. Then we elaborate on our results and discussion and finally, we conclude the paper.

A variety of models and approaches to KM are present in the literature. For example, Bukowitz and Williams (2000, p. 8) developed a KM process framework which aims at helping organizations in generating, keeping, and deploying strategically valid knowledge for value creation. At its core, this cyclical model entails an exchange of knowledge between the organization and the external world, where learning mechanisms derive from knowledge usage and continuous knowledge assessment allows organizations to sustain their KM efforts. Knowledge in this framework may consist of knowledge repositories, information technologies, communications infrastructures, process know-how, external resources, etc. (Dalkir, 2011). Probst et al. (2000) have proposed a KM framework composed of the following organizational processes: knowledge localization; knowledge acquiring (either from inside the organization or its environment); knowledge development; knowledge sharing and dissemination; knowledge usage; and knowledge retaining (consisting of three stages: choosing knowledge residing in people, events, or processes that is worth preserving, preparing this knowledge for storage, and updating organizational knowledge). Similarly, Alavi and Leidner (2001) have offered a process-based framework in which organizations are involved in four knowledge processes, namely: knowledge creation, knowledge storage/retrieval (organizational memory, where knowledge is kept in different forms and formats), knowledge transfer (which can happen between individuals in the organization, from individuals to other sources, from individuals to groups, among groups or from a group to the overall organization) and knowledge application (the utilization of knowledge for the purpose of creating value and organizational competitive advantage).
Finally, Chan and Chao (2008) have proposed a unified KM model in which knowledge is acquired, protected, applied and converted into value, with the support of specific infrastructural capabilities, namely technology, structure and culture. Processes associated with knowledge can therefore be summarized as follows: (1) Acquiring knowledge from internal and external sources; (2) Searching for, and localizing, organizational knowledge to be managed; (3) Developing and converting knowledge into value; (4) Sharing and disseminating knowledge within the organization and between the organization and the environment (e.g., clients, collaborators, etc.); (5) Using and applying knowledge in the required settings; and (6) Retaining and sustaining knowledge. In addition, KM processes need to be led by previously established knowledge goals, a step that is preliminary to the ones here identified (Probst et al., 2000).

In the face of a crisis like COVID-19, knowledge-related processes should be faster and more accurate. On the one hand, the crisis requires companies to quickly acquire knowledge from external sources (e.g., to be kept up-to-date about recent developments in the market) or develop/convert existing knowledge into value; on the other hand, it is crucial to carefully sift accurate knowledge from unreliable knowledge, which seems to abound in times of crises (Pennycook et al., 2020; Renkel et al., 2020; van Bavel et al., 2020). One also needs to consider the potential negative consequences related to counter-knowledge, which can be defined as "sources of unverified information, gossip, partial truths, or deliberate lies, which can be in certain contexts mistaken for true facts" (Bolisani et al., 2021, p. 517). Another challenge related to this new situation is potential knowledge hiding due to defensive routines people might develop.
In a study by Cegarra-Navarro, Vătămănescu, and Martínez-Martínez (2021; Cegarra-Navarro, Wensley, et al., 2021), it has been proved that unlearning does not just influence defensive reasoning but also indirectly has an impact on knowledge hiding. These are new challenges organizations must become aware of. All the knowledge processes revised or implemented from scratch in an organization in the face of COVID-19, in order to be consolidated and accepted by employees, need to be integrated within the organizational fabric, namely organizational culture, structure and technology. Organizations often concentrate only on the technological aspects of KM processes, for example implementing a KM technology solution and neglecting the culture and structures necessary to accompany such change. Moreover, organizations might find it difficult to focus on the latter aspects in the new conditions set by the crisis (e.g., due to lack of time and resources, new challenges of emerging working practices, etc.).

In order to unpack the connections that link KM and its processual models with knowledge security, we will now briefly review relevant literature on the latter.

Sitting at the intersection between KM and information security (Desouza, 2006), knowledge security is defined by Ilvonen (2013, p. 152) as '…the process of making and keeping the knowledge of people working at a company secure'. According to Bose (2003, p. 70), knowledge security can be defined as 'the measures taken to protect knowledge from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration'. In this definition, the significance of knowledge is highlighted based on the risks associated with its disclosure or alteration; external threats are indicated; and the basic components of a risk management approach to knowledge security are laid out. In the light of the COVID-19 crisis, companies need to account for emerging dynamics in order to secure their knowledge.
Ilvonen's definition stems from the very ontology of the concept of security, as deriving from Latin secare (to saw), meaning separating something (of value) from something else (a threat). Global crises like COVID-19 invite us to reconsider the loci of our life, in this case, work. Where does the separation of what is valuable (knowledge) from the threat (the external world) happen? The emergence of practices such as remote or smart working, reliance on cloud computing or the storage of data and information on private devices makes such separation (security) a more challenging task. Organizational boundaries are progressively less effective in ensuring the protection of knowledge, since the current crisis has made organizations more asymmetric. Furthermore, traditionally public and private organizations rely on fragmented initiatives to increase their protection (e.g., against knowledge leakage). Even when present, such initiatives are drawn from an information security standpoint, which, alone, is often too technical and too difficult to grasp for employees and boards of directors alike (Ahmad et al., 2014).

Knowledge security has three dimensions: people, products, and processes (Desouza, 2006). Along these dimensions, several implications can be extracted. First, when the dimension of people is concerned, it can be useful to mix hard and soft measures from information security (e.g., firewalls and employee training). In times of COVID-19, this holds particularly true, as organizations rely on employees working remotely to put in place appropriate practices (e.g., using authorized software on work devices, connecting through Virtual Private Networks, etc.). Second, when products are considered, it might be useful to draw lessons from information security management as well (e.g., the explicit form of knowledge in the form of documents may be protected with confidentiality clauses or security tagging). Smart working practices require digitalisation of such measures.
Third, with regard to processes, procedures for knowledge communication, especially in the case of relationships with externals, need to be established. As an example, governments that have invited their citizens to utilize contagion mapping devices in the wake of COVID-19 have promptly responded to users' questions around privacy and security (Australian Government, 2020; Government of Singapore, 2020). As a complement to these components, and an expansion of the product dimension, Ross and Schulte (2005) suggest that knowledge security should be provided with appropriate technologies for KM. Examples of these technologies can be secure networks, password-protected platforms, multi-factor authentication, etc. A delicate balance exists in these situations: too much access to knowledge, and employees can potentially endanger it; not enough access to knowledge, and the creation of value from knowledge sharing can be hampered. A balance between knowledge sharing and knowledge protection is paramount in a sound knowledge risk management system (Manhart & Thalmann, 2015). Besides the aforementioned structural implications for knowledge security, COVID-19 also has the potential to produce indirect implications: an example could be a disgruntled, redundant employee who willingly tampers with organizational knowledge in retaliation.

In the next section, we will describe the method adopted in our research.

Our aim is to propose a knowledge risk management framework for organizations to identify and overcome their knowledge threats in the wake of COVID-19. This paper uses a structured literature review to analyze three areas: KM, knowledge security, and the COVID-19 crisis. The output is a framework for knowledge risk management in the wake of the COVID-19 crisis.
To perform the analysis, we followed the three-step procedure proposed by Manhart and Thalmann (2015), that is, first we identified the relevant literature; second we structured the review; and finally, we proposed the contribution to the theory in the form of the framework for knowledge risk management. To provide the framework, we first applied the author-centric approach, where we prepared a review of particular publications with regard to the concepts discussed by the author(s), as proposed by Webster and Watson (2002), namely Author A … concept X, concept Y,…. After analyzing particular publications with regard to the concepts they discussed, we transformed the results into a concept-centric form, extracting the main outcomes concerning knowledge management and knowledge security. Along the process, we kept in mind the recommendation of Webster and Watson (2002), who stated that 'a review succeeds when it helps other scholars to make sense of the accumulated knowledge on a topic' (p. xvii). We have provided the following elements of the reviewed literature for this purpose: description, theoretical implications, practical contributions, main contribution for the present paper and synthetic attribution. Table 1 offers a detailed overview of the articles and sources investigated in our review. The resulting framework is presented in the next section.

Our framework is based on components singled out in the aforementioned pieces of research, in particular in Desouza (2006), Ross and Schulte (2005), and Manhart and Thalmann (2015), and adapted to cater for the dynamics of the COVID-19 crisis. We illustrate it based on two foci: first, the risk management controls; and second, the risk management process. As with any knowledge risk management system, our model aims at mitigating the consequences, or reducing the likelihood, of knowledge risks in an organizational setting facing a crisis (e.g., .
Controls and measures are therefore built around knowledge risks, and stem from three types of mechanisms (legal, organizational, and technical) and have three targets (people, processes, and products) (Figure 1). In each specific target, sub-components can be derived as follows: as for people, training and awareness can be improved by 'borrowing' methods from information security management and focusing on the development of soft skills for knowledge risk management; in terms of products, 'hard skills' can be complemented by deploying adequate information security technologies; and finally, in terms of processes, sound stakeholder and communication management capabilities need to be developed.

As far as the mechanisms are concerned, they are of three types: legal, organizational and technical. Legal mechanisms concern laws and regulations available at different levels (e.g., national, international, union) that can help organizations in protecting themselves against knowledge risks, for example, industrial espionage, security breaches or intellectual property theft. Organizational mechanisms concern all types of actions that may be undertaken by various organizational members to mitigate knowledge risks, for example, creation of a knowledge sharing culture, implementation of KM initiatives and practices, creation of knowledge maps, undertaking knowledge risk measures (e.g., identifying knowledge at risk and proposing ways of eliminating it). Finally, technical mechanisms are related to all types of technologies and technical solutions that may help organizations in controlling knowledge risks. Those can be tools for knowledge storage and sharing, collaborative tools, antivirus software, verification procedures to limit the access of unauthorized people to knowledge, etc. In general, tools helping in the provision of knowledge security are very useful here. All those mechanisms can concern one or more of three targets, namely people, processes, and products.
Knowledge risk controls alone are not sufficient in the COVID-19 crisis to ensure the security of organizational knowledge, and adequate processes for risk management are necessary. Based on our review of the literature, we have singled out the following ones, which build a connection between KM and knowledge security, as a component of the former. From acquisition of knowledge from external and internal sources, to retention and maintenance of knowledge, the steps in this process should not be conceived in a chronological, mono-directional order, but as the phases of a KM process in which knowledge security is integrated with specific activities, and integrated within the organizational culture, technology and structure (Figure 2). It has to be taken into account that the COVID-19 pandemic has changed the functioning of organizations, as indicated in the introduction of this paper, and the proposed framework integrates those changes (they are marked in red color in the figure).

First of all, due to problems with selling their products in the pandemic (e.g., megastores, clothing industry, etc.), organizations cannot count on their revenues to the same extent as previously and therefore, they often need to make reductions in investments and they have limited resources (e.g., they might need to fire some employees or limit their operational scale). Managing knowledge is more challenging in such conditions (e.g., organizations might lose some of their knowledge due to reductions in employment). When organizations undertake their knowledge security actions, they also need to address some challenges related to the pandemic.
For example, in the face of disinformation and counter-knowledge creation, there is a risk of obtaining unreliable knowledge

[Table 1 residue. Column heading: Main contribution for the present paper (and synthetic attribution, see Figure 1 and Figure 2). Surviving cell fragments: "focus on establishing research gaps and areas for further investigation."; "protection phenomena and to associated frameworks, which need to be further developed and tested."; "elaborate our framework"; "Contributes the tripartite dimension of legal-organisational-technical for existing mechanisms for knowledge protection (legal-organisational-technical)".]

facing it. It also offers organizations a tool for analyzing their knowledge management approach in relation to the provision of knowledge security and the management of knowledge risks. Linking these three concepts is novel and at the same time necessary, as it allows a synergy effect to be achieved for better handling of the COVID-19 crisis. At the same time, KM research can achieve a new level of exploration by the examination of its link with other, related fields and disciplines (e.g., knowledge security).

There are several limitations that affect this paper. First, our framework is of a conceptual character and needs to be empirically tested. Second, our investigation is not based on a systematic (i.e., holistic) literature review, which could have expanded the scope and generalizability of our research. Third, the COVID-19 crisis is an under-explored phenomenon whose social, health-related, and economic impact is yet to be fully grasped and therefore, this study should be treated as a preliminary one, not presenting the long-term consequences of the COVID-19 pandemic. As a result, we invite fellow researchers to join us in exploring the following directions.
First, our knowledge risk management model can be tested in a variety of organizations from different sectors, settings and countries, to test its applicability and usefulness in times of crisis. Second, a systematic literature review can be conducted to elaborate an alternative or more complete model, for example by combining sub-components of KM and knowledge security systems. In this sense, investigations in the literature have already proposed promising avenues, such as the intersection between cybersecurity management and intellectual capital (Renaud et al., 2019) or between intellectual capital and knowledge security (Bongiovanni et al., 2020). Finally, a quantitative study may follow to examine the perceptions of knowledge security in the COVID-19 crisis among managers of various public and private organizations.

Data sharing not applicable to this article as no datasets were generated or analysed during the current study.

Impact of COVID-19 on the food supply chain
Protecting organizational competitive advantage: A knowledge leakage perspective. Computers and Security
Review: Knowledge management and knowledge management systems: Conceptual foundations and research issues
Does knowledge management really matter? Linking knowledge management practices, competitiveness and economic performance
Working from home and COVID-19: The chances and risks for gender gaps
WHO warns virus 'may never go away' as new clusters emerge
Mitigating the COVID economic crisis: Act fast and do whatever it takes
Trade and COVID-19: The WTO's 2020 and 2021 trade forecast
Unemployment in the time of COVID-19: A research agenda
Managing counter-knowledge in the context of a pandemic: Challenges for scientific institutions and policymakers
Securing intellectual capital: An exploratory study in Australian Universities
Knowledge management-enabled health care management systems: Capabilities, infrastructure, and decision-support
A holistic approach to knowledge risk
Toward understanding the complexity of the COVID-19 crisis: A grounded theory approach
COVID-19 induced emergent knowledge strategies. Knowledge and Process Management
The knowledge management fieldbook
Who do you trust? The digital destruction of shared situational awareness and the COVID-19 infodemic
Linking good counter-knowledge with bad counter knowledge: The impact of evasive knowledge hiding and defensive reasoning
A context-driven approach on coping with COVID-19: From hiding knowledge toward citizen engagement. Knowledge and Process Management
Minimizing the effects of defensive routines on knowledge hiding though unlearning
Knowledge management in small and medium-sized enterprises
Knowledge management, innovation and firm performance
Beyond market orientation knowledge management and the innovativeness of New Zealand firms
Knowledge security: An interesting research space
The role of knowledge management in innovation
The management of knowledge risks: What do we really know?
Mapping knowledge risks: towards a better understanding of knowledge management management
The benefits of knowledge management in small and medium-sized enterprises
Temporary unemployment and labor market dynamics during the COVID-19 recession
Growth forecasts and the Covid-19 recession they convey
Knowledge security - A conceptual analysis
Cyberthreats are constantly evolving in order to take advantage of online behaviour and trends. The COVID-19 outbreak is no exception
Coronavirus (COVID-19 / SARS-CoV-2) and supply chain resilience: A research note
Security as a contributor to knowledge management success
Knowledge management, innovation competency and organisational performance: A study of knowledge-intensive organisations in the IT industry
Applying Blockchain technology to address the crisis of trust during the COVID-19 pandemic
The potential impact of the Covid-19 pandemic on occupational status, work from home, and occupational mobility
Toward a unified knowledge management model for SMEs
Spreading (dis)trust: Covid-19 misinformation and government intervention in Italy. Media and Communication
Protecting organizational knowledge: A structured literature review
A transformative supply chain response to COVID-19
Big data analytics: A link between knowledge management capabilities and superior cyber protection
Fighting COVID-19 misinformation on social media: Experimental evidence for a scalable accuracy nudge intervention
Managing knowledge: Building blocks for success
How does intellectual capital align with cyber security
Surge of virus misinformation stumps Facebook and Twitter. The New York Times
Knowledge management in a military enterprise: A pilot case study of the space and warfare systems command
Knowledge management tools, inter-organizational relationships, innovation and firm performance
Using social and behavioural science to support COVID-19 pandemic response
An affordance perspective of team collaboration and enforced working from home during COVID-19
Analyzing the past to prepare for the future: Writing a literature review
Making sense of a market information system for superior performance: The roles of organizational responsiveness and innovation strategy
This is the effect COVID-19 will have on global poverty, according to the World Bank
Knowledge Management in the Sharing Economy: Cross-sectoral insights into the future of competitive advantage
Knowledge management and knowledge security-Building an integrated framework in the light of COVID-19. Knowledge and Process Management