276 New Research on Knowledge Management Models and Methods

*5.1.2.1.1 Data analysis interviews*

Data analysis of qualitative data begins with the identification of key themes and patterns (Coffey & Atkinson, 1996). Based on the interviews, initial data analysis was conducted via a question-by-question summary. Following this, open coding was used to identify, name, categorise and describe significant themes and issues found in the interview scripts. The codes emerged from actual terms used by the participants as well as those in existing theory and the literature (Saunders et al., 2009). Consequently, for open coding each sentence in the interview scripts was scrutinised in relation to risk identification and KL risks in VREs; this enabled the broadening of the research focus while keeping within the exploratory confines.

Further to the use of open coding, axial coding was used to identify the relationships between the categories of data that emerged from the open coding process. As the relationships between categories were identified, they were rearranged based on a hierarchical system with sub-categories emerging (Saunders et al., 2009). Axial coding was used to determine the risks arising from each vulnerability as well as the consequences associated with the risks identified (Coffey & Atkinson, 1996). Here, based on the key concepts and the associated risks, the properties or consequences of each were examined via a combination of inductive and deductive thinking.

From these categories, selective coding was used to group the different types of risks into key concepts around KL. Since selective coding was used to identify the main concepts from the sub-categories, a number of key concepts emerged (Saunders et al., 2009). Concepts were used as they provide useful mental images or perceptions. Since concepts are subjective impressions, their understandings may differ from person to person, which, if measured, would cause problems in comparing responses (Kumar, 2011). The decision to assign concepts to the data was made to facilitate data condensation, thus making it more manageable. A number of key concepts were identified from this set of data, namely: organisational KL risks, KL from the KM process and technological KL. From these concepts, relevant phenomena and examples were identified and selected to support such occurrences. Here similarities and differences were identified with a number of emerging patterns and structures, thus facilitating a more diverse analytical scrutiny (Coffey & Atkinson, 1996). Based on the risks and key concepts identified from employing open, axial and selective coding, testing of these phenomena was done via the use of a questionnaire survey.

**5.1.2.2 Questionnaires**

Having completed the analysis and representation of the data from the interviews, a cross-sectional survey was sent to companies in the UK. This questionnaire survey was used as a validation tool, that is, it was conducted to validate the findings of the case study by querying the industry sectors that are involved in the design, development and use of 3D virtual models. This approach was adopted as recommended in De Vaus (1996). The aim was to determine whether risks identified from the case study were a true representation of perceptions in the sector. Postal questionnaires were sent to SMEs and targeted a wide group within the organisation with different job functions. 300 companies were selected as matching the criteria of designing and developing 3D models; 40, however, had ceased trading, and 50 useable questionnaires were returned.

*5.1.2.2.1 Data analysis questionnaire*

The use of descriptive data analysis facilitates the exploration of key issues. Like the questionnaire in the case study, descriptive data analysis is used to analyse the data from

**6.1 Organisational knowledge leakage**

A firm's competitive advantage lies in its ability to prevent the loss of knowledge across the organisation's boundaries (Brown & Duguid, 2000). KL occurs when the ideas developed in the originating company, where they are being used, are leaked to the production line of its competitors. The combination of a virtual reality world with a precise description of construction and operational details has been identified as a possible knowledge exposure risk and a threat to internal KM. VREs are therefore a fantastic tool for competitors and other unauthorised personnel to detect, understand and monitor events in the organisation. This is because, even though organisations have established formal and bounded structures of practice, informal and fluid networks are constantly evolving. Once instituted, these networks adopt an entirely different role from those formally established in the organisation. Thus, as individuals in the organisation "*work collaboratively and vital interstitial communities are continually being formed and reformed*" (Brown & Duguid, 2000), knowledge is being disseminated and shared. The dissemination and sharing of this knowledge can result in KL. Quite often networks are formed and established outside the confines of the regular organisational structure and even outside its boundaries. Therefore, due to these processes and activities, KL occurs not only internally but also externally.

In addition, the results identified several risks particular to 3D models as well as risks generic to IS projects. The fact that the creation of these environments is fairly new highlights additional problems for developers beyond the regular software development problems, as development of this sort can result in longer project cycles and a number of generic vulnerabilities, which can lead to project and software risks that affect the quality and performance of the system. Thus developers expressed the view that customers would experience problems with the expected performance of the system, especially with regard to information retrieval and storage, real-time responses, and database response, contention or access. The probability of these problems occurring was seen as 'high'. This was not surprising, however, since the use of 3D models to produce VREs is constantly emerging. These applications are then navigated in a PC environment using a variety of 3D viewing packages. These environments create authentic and detailed virtual models of artefacts that are easily navigable and contain comprehensive information which is queried by users or employees at the click of the mouse (Nunes & Annansingh, 2003). Consequently, evidence indicates that the following risks are the most likely to occur, thus leading to KL: theft; data readily interpreted, easy analysis of information; easy accessibility. In addition, due to their verisimilitude, these environments make it difficult to monitor environmental changes, which could lead to incorrect decision making. Owing to the need for constant updates, users need to be aware that environments are based on supposition and that information is easily out-dated.

Exploring the Risks of Knowledge Leakage: An Information Systems Case Study Approach 279

Fig. 2. The Knowledge Intensive KM (KIKoM) Model indicating areas of KL (Nunes et al., 2005)

#### **6.2 Leakage from knowledge management process**

[Figure 2 diagram not reproduced. Its labelled components are: Knowledge and Information Filters, Organizational Environment, IT Solution, Knowledge Management, Business Value, Organisational Learning, Knowledge Construction, Knowledge Embodiment, Knowledge Dissemination and Transfer, and Knowledge Use.]

The ease with which knowledge is transferred, that is, leaky knowledge, will depend on whether it is tacit or explicit knowledge. Tacit knowledge is difficult to transfer while explicit knowledge leaves the organisation quite readily (Alavi, 2002). From the models of KM and as seen in Figure 2 (Nunes et al., 2005), one of the primary goals of KM is to share, transfer and disseminate explicit knowledge. The sharing of this knowledge, however, is sometimes done in an ad hoc manner and can result in KL. Like larger corporations, SMEs need appropriate and current knowledge in order to compete. However, SMEs tend to be more susceptible to problems of high staff turnover and knowledge retention than their larger counterparts. Thus, knowledge within these companies should be appropriately managed, disseminated and retained. Even though KM processes are onerous in terms of both direct and indirect costs, the consequences for an SME of not maintaining those processes can create vulnerabilities to KL and consequently losses in efficiency, productivity and competitiveness.

From the case study it was noted that while Company 3D encouraged employees to obtain knowledge from external sources, the company lacked an explicit KM strategy to collate, share and disseminate this information once captured. Therefore, formal mechanisms for the identification and protection of strategic knowledge within the organisation were lacking. In addition, making this information available to the different employees increased the probability of KL risks, as security mechanisms within the databases were quite often inadequate to prevent unauthorised access or systematic downloading of information.

Subsequently, the questionnaire sought to establish whether these practices were typical of the industry. From this, it was seen that 41.2% indicated not having an explicit KM strategy, while 32.4% believed such a strategy did not exist. Nonetheless, a low indication of explicit KM strategy in these organisations was not surprising, as the majority of participants were from SMEs. Studies have shown that SMEs in general tend not to adopt or implement KM strategy or its principles (Nunes et al., 2005). Even though a number of these companies reported not having an explicit KM strategy, 81.2% had knowledge storage mechanisms in place. While these practices are recommended for business continuity, integration and dissemination, the protection of this knowledge from KL, both internally and externally, should be considered strategically. The need for risk and KL assessment cannot be overemphasised, since within any organisation not all knowledge can be or should be shared with all employees; thus it is necessary that employees be given information on a need-to-know basis. This knowledge should be protected by the organisation from external sources, as it is in fact part of its intellectual property. Figure 2 highlights the areas of possible KL risks in organisations. The lightly shaded blue areas of the model indicate where in the KM process KL occurs during activities such as collaborations, narrations, group discussions and communities of practice. A key is used to symbolise where KL risks are most likely to occur between the different processes.

In addition, the red arrows highlight the areas where knowledge is being shared or transferred from one form to another, and represent the areas in the KM process where KL will most likely occur. Consequently, risk management and security measures should be adapted to prevent such loss. The absence of a red arrow does not indicate an absence of KL risks, but rather that within these areas the occurrence of KL was seen as unlikely. From a KM perspective, Figure 2 provides a breakdown of the areas where holistic risk management should occur in the organisation. In addition, it supplies the reader with a simplified view of the areas where KL risks will occur.

#### **6.3 Technological knowledge leakage**

With the developments of the previous decade, which have seen a reduction in the cost of computer technology and its easy availability, organisations are increasingly reliant upon the use of electronic media, more specifically electronic mail (email), for inter-organisational communication. In addition to email messaging, most organisations typically use a variety of communication technologies to send and receive information. This information is then processed and stored in a number of ways, one of which is through electronic databases. The Internet and electronic databases in general provide users with easy access to vast amounts of information which may not always be intended for general dissemination. This knowledge sometimes gets into the public domain, whether deliberately or unintentionally. Given the rationale behind the development of this software system, which was the representation of organisational information via the use of 3D models in a database, and since information in these databases is often interlinked, the system becomes susceptible to theft, hacking and unauthorised access. Nonetheless, where the models were used for training and maintenance purposes, the system was especially prone to attacks from unauthorised personnel, as some employees during training may have been given access to areas of the system which were previously prohibited. During maintenance and training the probability of KL risks occurring was identified as 'high' by the interviewees owing to the nature of the software. Therefore, it is possible for employees or any unauthorised personnel to steal or walk out with any of the organisation's assets, including valuable information, without being detected, as this information has been internalised into tacit knowledge.

*"[]… VR model is a fantastic tool for competitors to see how the system is designed, or why a competitor is so efficient []" (LSD).*

As organisations grow, more sophisticated systems have to be installed, thus increasing the challenges of managing communication and change. A number of organisations do not have a formal approach to documentation; thus it is difficult to pinpoint exactly where there are potential problems or how these problems may arise. However, without proper documentation the risk of failure and reduced efficiency increases when the organisations attempt to upgrade or implement a new system to meet new requirements. The simplistic answer to these problems is provided very bluntly by Frank (2002): "The easiest way to reduce knowledge loss is to avoid losing it in the first place". This is not a possibility in the majority of scenarios, as the acceptance, usefulness and even success of the product designs and solutions offered by an organisation depend to a large extent on the good and efficient training of the employees in the third party companies. Several risks which are indirectly related to the use of the models were also identified, especially during maintenance. One of the main contributors to these risks was staff inexperience in carrying out these maintenance services.

The case study shows KL could be intentional or accidental. Thus, the concept of KL covers a number of risk management issues such as organisational and security risks. It was perceived by the interviewees that while internally it is possible to regulate KL, to some extent, through the use of employment contracts and confidentiality clauses, there was unequivocal concern about alliances formed with suppliers and third party companies interacting with the system. In addition, KL resulting from employees was basically prevented by having:

*"critical information held on read only files but in reality there is little to stop systematic downloading over a period of time" (LSD).*

Even though there is obvious technical awareness of the dangers of KL, the case study shows that no risk management strategy exists within the organisation to mitigate, control or prevent these risks. Therefore, it was generally perceived that little would be done to prevent KL, especially over time, and it was consequently viewed as a secondary factor. Nonetheless, attempts to protect against intra-organisational leakage were made via the use of firewalls and password protected screensavers. This, however, was seen as inadequate since the probability and impact of intra-organisational KL risk occurring were rated as 'medium'. This can result in an unprecedented number of unauthorised copies being made and distributed quite rapidly to unauthorised or unidentified recipients. It is also not uncommon that a lapse in procedures results in an original document being carelessly left in some unprotected location where literally any unauthorised person can access it. Hence education and training of employees is necessary to prevent KL owing to carelessness, naive acts and during informal discussions.

The cross-sectional survey shows that 87.6% of respondents were also aware of KL, with 51.3% rating the probability of KL occurring as ranging from "medium" to "very high". 49.7% of these companies had precautionary measures to protect against internal and external KL. The mechanisms in place to prevent internal KL show that most organisations opted for:

- rules for appropriate level of physical access; and
- the implementation of host based firewalls between segregated networks.

Since these companies had obviously implemented measures to prevent intra-organisational risks, the probability of KL risks occurring was rated by 54.5% as ranging from "medium" to "very high" with 45.4% rating the impact as "medium" and 20.6% as "high". Therefore the impact of KL on the organisation was rated higher than the probability of the risks occurring.

In addition to the measures used to protect against KL risks, internally or externally, there were other factors which contributed to KL. One such factor is the loss of employees; thus it was important to obtain the perception of people within the industry. The results show a cumulative total of 74.7% either "agreeing" or "strongly agreeing" that loss of employees is one of the main causes of KL. However, not all companies took precautionary measures to retain knowledge in the organisation before employees leave; the justifications provided were:

- No formal measures have been established;
- Employees work in teams: no one person has all the knowledge, it is shared among the group;
- Low staff turnover.


Regardless of the size of the organisation and the staff turnover rate, KL risks should be addressed and the relevant actions taken to prevent or mitigate their occurrence. A comparison of the size of the organisations with the security or risk management measures adopted to prevent KL shows that the size of the organisation had no influence on either the risk management or security measures used. Although a significant number (87.6%) of respondents claimed to be aware of the dangers of KL within the organisations, there was no evidence of an explicit consideration for KL prevention. This again highlights a flaw within the risk management thinking of these organisations.

From the case study, concerns were raised about KL resulting from suppliers and third party companies, rather than employees, as it was believed that it is possible to regulate KL through the use of employment contracts and confidential statements. Thus, Company 3D took no action to formalise policies on KL or knowledge capture and acquisition even though the TD claimed:

*"….this is a new development and we always run a risk when introducing new facilities".*

Therefore, this and any new technology was seen as being associated with some degree of uncertainty.

The risk identified by respondents from the use of VREs as having the highest impact on the organisation was the loss of competitive advantage. This was regardless of the purpose for which the software was employed. Theft of proprietary information was not regarded as a factor of major concern, as the expected impact on the organisation was rated as 'medium'. In addition to the aforementioned risks, others were identified in the literature and case study which are also associated with the practice of delivering software across the Internet. Hence risk negotiations need to occur between all parties involved in the design, development and use of the VREs.

From a client's perspective, one of the key questions emerging from this study is whether presenting the information in a VRE would result in greater risk implications for the organisations concerned. In addition to being a valuable resource for competitors, the use of VREs raises concerns regarding system updates. These concerns are based on the verisimilitude of such software. Since models for the system were done using photographs, in a dynamic environment changes will not be evident. This is particularly important, for example, for maintenance work and health and safety issues, where every detail is significant and will determine the difference between life and death.

assessment process in any organisation cannot be reduced to the simple negotiation of risk between two companies. As a result, third party companies should be explicitly involved in the risk assessment process, since the greater risks of exposure and leakage are related to such interactions.

It is recommended that once the risk assessment process is completed, risk thinking on knowledge exposure and leakage should not be abandoned. Knowledge exposure concerns should be part of the continuous risk management approach from the beginning of a project until the outcomes are realised. Knowledge leakage risks should be continually assessed and monitored and, whenever needed, contingency measures considered. This attitude towards this type of risk should influence technical and design decisions as well as provide insights on technical options, thus empowering managers to make informed decisions.

**8. References**

Alavi, M. (2002). Managing Organizational Knowledge, 31.03.03, Available from: http://www.pinnaflex.com/pdf/framing/CH02.pdf

Alter, S. & Ginzberg, M. (1978). Managing uncertainty in MIS Implementation. *Sloan Management Review*, Vol.20, No.1, (Fall 1978), pp.23-31, ISSN 1532-9194

Annansingh, F. & Nunes, JM. (2003). The Risks of Virtual Reality. *The Institute for the Management of Information Systems Journal*, Vol. 13, No.5, pp.17-20

Annansingh, F. & Baptista Nunes, JM. (2005). Validating Interpretivist Research: Using a Cross-Sectional Survey to Validate Case-Study Elicitation of Knowledge Leakage Risks Associated with the Use of Virtual Reality Models, *Proceedings of the 4th European Conference on Research Methodology for Business and Management Studies,* Université Paris Dauphine Paris, France, April 2005

Bharadwaj, SA. (2004). Integrating Positivist and Interpretive Approaches to Information Systems Research: A Lakatosian Model, In: *Emory University*, 04.02.05, Available from: http://hsb.baylor.edu/ramsower/ais.ac.96/papers/bharadwa.htm

Boehm, BW. (1989). *Software Risk Management.* IEEE Computer Society Press, Washington

Brown, J.S. & Duguid, P. (2000). Knowledge and the Organization: A Social-Practice Perspective, *Organization Science* Vol. 12, No. 2, (March/April 2000), pp. 198-213, ISSN 1047-7039

Burrell, G. & Morgan, G. (1985). *Sociological Paradigms and Organizational Analysis*, Gower, ISBN 978-056-6051-49-4, Aldershot

Coffey, A., and Atkinson, P. (1996). *Making Sense of Qualitative Data: Complementary Research Strategies,* Sage, ISBN 978-080-3970-53-3, Thousand Oaks, CA

Coleman, D. (1999). Groupware: Collaboration and Knowledge Sharing, In: *Knowledge Management Handbook*, Liebowitz, J. pp. 12-1 to 12-15, CRC Press, ISBN 978-084-9302-38-1, London

Creswell, JW. (1994). *Research Design: Qualitative and Quantitative Approaches*, Sage, ISBN 978-080-3952-54-6, Thousand Oaks, CA

Creswell, JW. (2003). *Research Design: Qualitative, Quantitative, and Mixed Methods Approaches,* Sage, ISBN 978-076-1924-41-8, London
