Knowledge creation

Knowledge creation takes place within a continuous interaction between individuals or individual and their environment, and it always involves both exchanging and combining knowledge. As a result of this continuous knowledge creation, knowledge and its context are constantly changing. Knowledge exchange can take place through socialization, where tacit individual knowledge becomes tacit collective knowledge, and externalization, making tacit knowledge to explicit format.

Knowledge combination assumes that knowledge in its explicit format is combined to form renewed explicit knowledge, but combination also takes place as internalization, when explicit knowledge becomes part of individual or collective tacit

knowledge. (Nonaka 1994; Nahapiet & Ghoshal 1998; Nonaka et al. 2000).

Knowledge exchange and combination require four conditions to be in place: access to knowledge, anticipation of value, motivation, and combination capability.

(Nahapiet & Ghoshal 1998), and elements of all these conditions were identifiable in the research material.

Access to knowledge

Based on the research material, any individual participating in the workshop was not alone able to form a thorough enough understanding on how the system would work or what the potential threats would within the selected scope. However, access to such knowledge was a key success factor for threat modeling; having proper access to knowledge helped the participating team(s) to start with threat mitigation activities after the workshop and not use time for additional clarifications or validations. To ensure adequate access to this knowledge, the facilitator and the owner pre-analyzed the scope and identified the desired participants for the workshop. It is also worth mentioning that – as Nahapiet & Ghoshal (1998) also state – access to knowledge itself does not enable knowledge creation. This was obvious regarding those participants who participated the workshop but did not contribute to the discussions.

Anticipated value and motivation

Anticipated value and motivation were observable in the workshops in the form of participation. Those participants who contributed into the discussion did so as they felt their contribution mattered for reaching either the collective objectives for the workshop, or maybe in some cases also potential individual objectives they had set for themselves. The anticipated value, however, seemed to differ between the participants, and this was also a likely reason why for some participants, the

“motivation” to get engaged meant joining the workshop to get information about the system and the threats. In case 3, this secondary, knowledge sharing objective of the workshop was also clearly stated by the owner. This is again in line with Nahapiet & Ghoshal’s (1998) findings on the importance of all four conditions existing before knowledge creation can take place. Facilitator and owner roles during the workshops included encouraging participation, which could have led into

increased activity but based on the research material, did not have an impact in the analyzed cases. A wider perspective to the anticipated value and motivation could be embedded in organizational policies, that were referred to in the interviews: these policies seem to create certain expectations for the individuals to do threat modeling in the first place, and also to join the workshops in case their knowledge is needed.

Combination capability

Threat modeling tools, approach, and facilitation in all three cases were used for creating a shared context and enhancing combination capability. STRIDE model provided the facilitator and the participants with a shared language (Nahapiet &

Ghoshal 1998) to discuss the potential threats, whereas the data flow diagram also acted as a boundary object (Nahapiet & Ghoshal 1998, Fong 2003) but also as a sounding board during the discussions, as using it jointly and visibly throughout the workshop also showed the participants how the knowledge related to the scope was formed. The connection between the data flow diagram and the notes was complementary, as the diagram described the “movement” (which is the order/flow of the activities) and to some extent also a spatial view (which instances are involved at which stage) of the scope, and the notes then included technical details to fulfil this knowledge.

Shared context

Nonaka (1994, Nonaka et al. 2000) establish their process of organizational knowledge creation on an assumption that knowledge develops through socialization and combination that require a shared context. Blackler (1995) introduces aspects of shared context as part of the encultured knowledge, meaning the social transformation of knowledge that leads to shared, collective understandings. During the data analysis, the significance of shared context as part of knowledge creation in threat modeling workshops was highlighted through many observations.

The facilitation with the help of various clarifying questions supported creating common cognitive ground, and discussing the system with the help of use cases, and considering threats as scenarios where an actor would misuse the system acted as shared narratives, supporting the shared understanding (Nahapiet & Ghoshal

1998). Threat modeling workshop itself can be considered as one form of “ba” or

“shared context in motion”, as it provided the participants with an access to a pre-defined knowledge during pre-agreed period of time and space in order to join their individual context to form a shared context and to create knowledge. (Nahapiet &

Ghoshal 1998, Nonaka et al. 2000).

One key observation was the overall lack of shared understanding between the participants of the potential threats in all three cases, and in case 2, where the participants represented different teams, also of the threat modeling scope itself formed by different solutions. The workshops seemingly had an important role in forming a joint understanding of the scope and the related threats.

In all three cases, the facilitator appeared to have the highest expertise in threat identification, utilizing their already existing knowledge in suggesting potential threat scenarios. In a situation where the facilitator was the only one understanding the

“big picture” of the scope as well (case 2), their responsibility besides taking the team through threat identification was larger and included also ensuring a proper data flow diagram was created. In cases 1 and 3 where both the facilitator and the owner (case 1) and lead architect (case 3) had a solid understanding of the scope, the facilitators seemed to focus more on threat identification. The facilitators aimed at increasing the knowledge (and knowledge overlap) on how to identify potential threats by explaining the threat modeling approach and tools at the beginning of each workshop, as they thought this would improve the participants’ possibilities to identify threats during the workshop but also as part of their daily work.

SECI model

SECI model describes the conversion of knowledge between its different formats.

Knowledge conversion takes place on both individual and collective levels and between explicit and tacit modes simultaneously and as a continuum. (Cook &

Brown 1999; Nonaka et al. 2000). Social interaction ensures the resources of exchange and combination (meaning the tacit and explicit knowledge) takes place (Nahapiet & Ghoshal, 1998). Continuous knowledge conversion was thereby observable only among the active participants who were seemingly participating in social interaction. The workshop itself as well as the STRIDE model were both

supporting the socialization of knowledge through shared meanings (Nonaka et al.

2000), and the role of data flow diagram as a boundary object (Fong 2003) was crucial in enabling the knowledge exchange. Observing the whole spiral of knowledge conversion was based on how the interaction happened: as an item regarding the data flow or a potential threat was brought up, it was recorded in the diagram and – in case of a threat or a clarification need – also into the notes. The next person to discuss usually continued building on what the previous contributor had said, indicating that they had combined and internalized the discussed knowledge into their own knowledge, before sharing this combined knowledge at their turn. The input from different participants was recorded in the data flow diagram as well as the notes.