Exploring the Risks of Knowledge Leakage: An Information Systems Case Study Approach

Companies in high-tech industries are increasingly investing in 3D and virtual reality (VR) packages to support customers in understanding and using their products. These packages are now taking the form of 3D virtual reality environments (VREs) where employees can navigate, browse and learn in an authentic, close to reality context. These products supported by combinations of photographic techniques and virtual reality programming platforms are becoming increasingly popular and indeed very effective training tools. They provide for realistic contexts and easily navigable environments, which are ideal media for training in complex and specialised settings. These VREs promote specialised knowledge and technical skills within authentic environments and reinforce acquired knowledge by increased interactions with both the environment and the objects that compose it. These user-friendly and intuitive interactions encourage creativity and innovative thinking (Nunes & Annansingh, 2003). Furthermore, because these environments are usually web-based applications, hyperlinks enable access to vast amounts of both company specific and general information. This combination of use with precise descriptions of operational details have been identified by companies using them as posing possible risk of knowledge leakage (KL) exposure, thus, representing a threat to organisational knowledge management (KM). This chapter will discuss the findings of a study which explore this exact issue. Therefore, the motivation behind this chapter is based on the identification and characterisation of KL risks associated with information systems (IS), namely VREs. The concept of KL has now evolved and increasingly literature searches indicate that KL is now emerging as a major consideration for businesses and academia alike. The definition for KL used in this chapter is: “knowledge leakage is the deliberate or accidental loss of knowledge to unauthorised personnel within or outside of an organisational boundary”. (Annansingh, 2004) In the past, IS projects have adopted a positivist approach, which focuses primarily on the development process associated with the technology rather than the perception and perspectives of the people involved in the developmental process (Bharadwaj, 2004). From an IS point of view interpretivist is an epistemological stance, concerned with the users' understanding of reality. It embraces a wide range of philosophical and sociological stances, which share the common characteristics of attempting to understand and explain the social world from the perspective of the actors directly involved in the social process (Burrell &


Introduction
Companies in high-tech industries are increasingly investing in 3D and virtual reality (VR) packages to support customers in understanding and using their products.These packages are now taking the form of 3D virtual reality environments (VREs) where employees can navigate, browse and learn in an authentic, close to reality context.These products supported by combinations of photographic techniques and virtual reality programming platforms are becoming increasingly popular and indeed very effective training tools.They provide for realistic contexts and easily navigable environments, which are ideal media for training in complex and specialised settings.These VREs promote specialised knowledge and technical skills within authentic environments and reinforce acquired knowledge by increased interactions with both the environment and the objects that compose it.These user-friendly and intuitive interactions encourage creativity and innovative thinking (Nunes & Annansingh, 2003).Furthermore, because these environments are usually web-based applications, hyperlinks enable access to vast amounts of both company specific and general information.This combination of use with precise descriptions of operational details have been identified by companies using them as posing possible risk of knowledge leakage (KL) exposure, thus, representing a threat to organisational knowledge management (KM).This chapter will discuss the findings of a study which explore this exact issue.Therefore, the motivation behind this chapter is based on the identification and characterisation of KL risks associated with information systems (IS), namely VREs.The concept of KL has now evolved and increasingly literature searches indicate that KL is now emerging as a major consideration for businesses and academia alike.The definition for KL used in this chapter is: "knowledge leakage is the deliberate or accidental loss of knowledge to unauthorised personnel within or outside of an organisational boundary".(Annansingh, 2004) In the past, IS projects have adopted a positivist approach, which focuses primarily on the development process associated with the technology rather than the perception and perspectives of the people involved in the developmental process (Bharadwaj, 2004).From an IS point of view interpretivist is an epistemological stance, concerned with the users' understanding of reality.It embraces a wide range of philosophical and sociological stances, which share the common characteristics of attempting to understand and explain the social world from the perspective of the actors directly involved in the social process (Burrell & Morgan, 1985).It assumes that knowledge, within the domain of human action, is a necessary social construction and therefore inevitably subjective (Walsham, 1993).Hence an interpretivist paradigm was used with the research design comprising of two stages: an exploratory case-study and a cross-sectional sector wide survey used in order to validate the findings emerging from the first phase.Thus a mixed method approach using interviews and survey was employed.The results show that knowledge embodiment and use in projects occurred during systems development and dissemination owing to the actual utilisation of the 3D models during business transactions and training activities.Since one of the primary goals of KM is to share, transfer and disseminate explicit knowledge, the sharing of this knowledge if done in an ad hoc manner can result in KL.Even the best laid KM policy or framework can be a source of KL due to the absence of an integrated risk management approach.In addition, the general nature of the KM models allows for KL, this weakness or discrepancy occurs where policies and practices do not merge.Another reason for KL is the fact that KM models have failed to consider the protection of knowledge within the organisation and across it boundaries.In addition, current risk identification process in organisations tends to occur via two pathways.This is clearly based on the relationship between an interacting company and their direct customers and the resulting risks from this relationship.Risk identification and assessment have been characterised as fundamental for business continuity and to maintain a competitive advantage over ones competitor.It is essential for the successful business relationship between developing companies and its direct customers, and may ultimately be crucial for the acceptance and success of the 3D modelling solutions proposed.Each party should have an interest in determining the risk associated with acquiring and interacting with the 3D environments in their own organisation.

Organisational knowledge management (KM)
Knowledge is recognised as a valuable asset by organisations and has gained a great deal of attention in academic and business world alike.Interest in KM stems from the realisation that organisational knowledge is a strategic corporate asset that needs to be generated, represented, stored, transferred, transformed and applied to future organisational problems (Shultze & Stabell, 2004).Thus enhancing companies' competitive advantage as it improves efficiency and performance and enhances innovation (Nonaka & Takeuchi, 1995;Nonaka, 1991).Consequently, KM practices are now considered as established practice in large organisations (Srikantaiah & Koenig, 2000).KM is concerned with how this knowledge is created, used, transferred and applied (Nonaka & Takeuchi, 1995;Nonaka & Konno, 1998).KM therefore should focus on information in relevant context and having an understanding of interrelationships and behaviour (Nonaka & Teece, 2001;Wenger et al., 2002;Nonaka, 1994).Furthermore, authors such as Davenport & Prusak (1998) and Coleman (1999) have promoted KM as a practice with implications beyond that of simply developing information and communication technology (ICT) infrastructures, with information sharing and retrieval potential.For example, according to Pollard (2003) the expectations are mostly of organisational gains in terms of:  Growth and innovation  Productivity and efficiency


Customer relationships  Employee learning, satisfaction and retention, and  Management decision-making.In general, KM in organisations should be seen as the process of critically managing knowledge to meet existing needs, to identify and exploit existing and acquired knowledge and to develop new knowledge in order to take advantage of new opportunities and challenges (Quintas et al., 1997).Strategically, KM must be seen as an approach to: manage organisational knowledge assets, support management decision making; enhance competitiveness, and increase capacity for creativity and innovation (Zyngier et al., 2004).Operationally, KM should be viewed as a cycle that starts with knowledge creation, which is followed by knowledge interpretation, knowledge dissemination and use, and knowledge retention and refinement (De Jarnett, 1996).

Knowledge management characterisation
There are several classifications of knowledge with the most common being explicit, implicit and tacit knowledge (Nonaka & Takeuchi, 1995;McInerney & Koenig, 2011;Polanyi, 1974).Explicit knowledge can be transmitted using logical language and hence can easily be shared and stored (Srikantaiah & Koenig, 2000).Tacit knowledge on the other hand is intangible; it is not easily codified and articulated in formal languages.Nonetheless according to Nonaka & Takeuchi (1995) both types of knowledge do not compete with each other, but rather be supplemented by each other.Implicit knowledge can be transferred, but without a conscious process, during learning (Jones & Miller, 2008).However, regardless of the philosophical stance adopted about knowledge and KM this research focuses on the leakage of knowledge rather than its classification and management meanings ascribed to this concept.KM activities and in particular the forgone are prone to KL due to its very nature because KM processes are coupled with the use of VRE.

KM and risk management thinking
IS development activities consume a significant amount of time, energy and resources in most organisations, yet there are many instances when the potential benefits from these activities do not materialised.Much of the difficultly lies with the uncertainty faced during these projects -which is inherent in their development.It is well recognised that effective development and implementation of IS projects requires considerable planning.Quite often project management techniques are used to ensure the efficient and timely execution of a project.However, the deployment of human resources and scheduling of the project activities are not without uncertainty which leads to risks (Alter & Ginzberg, 1978).Risks are an inevitable reality, however, attempting to recognise and manage them does not constitutes a futile exercise (McCarthy, 2001).According to Williams et al., (1999), the more one understands risk the better-equipped one is to manage it.According to Boehm, (1989) risks is: "the probability of loss".Ensuing discussion, therefore, is primarily based on this simplistic definition of risks.There are two factors inextricably associated with risk, namely:  the probability of failing to achieve a goal or a particular outcome; and  the consequences of failing to achieve said outcome (Parry, 1999).Many IS projects fail not because of technological or project management reasons but because of organisational pressures (McCarthy, 2001).Hence the importance of exploring and maintaining such strategic risk management framework and the relevance of incorporating this framework with the strategic management policy of the organisation is paramount for success.Besides the strategic focus particular attention needs to be paid to operational risks with continuous risk management thinking.The application of risk management allows for continuous improvement in decision-making processes.The objective therefore is to provide new insights, thus empowering managers to make informed decisions.One of the key issues arising from the risk management process is risk assessment.This constitutes a number of phases, which are primarily the identification, analysis and prioritisation of such risks (Yeates & Cadle, 2007;Pate-Cornell, 2001;Kliem & Ludin, 2000).Since risk investigation in KL in VREs is lacking, the focus of the chapter is on the identification and analysis of such risk factors.Thus from the stages in the risk management process only the risk identification and analysis phases is considered relevant in this discussion.Consequently, special consideration is given to risk identification techniques in IS so as to provide the underlining framework for classification.The risk identification process will focus on software risks since VREs falls under this generic heading with specific attention given KL risks.

The company
This research was initially triggered by a company which specialises in large-scale metrology, quality engineering, and aerospace.Company 3D specialise in alignment services and CAD drawings for its customers.Since then it has grown and now provides a wide range of services in all engineering disciplines including: Equipment Sales  Systems integration.One of the important areas of expertise is the creation of 3D models and 3D photographic databases of numerous artefacts which can be navigated in a PC environment using a variety of 3D viewing packages.These environments create authentic and detailed virtual models that are easily navigable and contain comprehensive and detailed information that can be easily queried by users or employees.Central to the authoring tool is the photographic database created by using special surveying and photographic equipment.The environments produced are implemented using VRML, which the company use to produce realistic, accurate and visually matter-offact environments which are easily navigable by simple walk-through.Individual entities within the environment can also be linked to external sources using a number of interfaces such as Hypertext Mark-up Language (HTML).These environments are also easily and efficiently upgraded and revised to reflect innovations, changes, new data, explore other technologies, and archive reference information.One major reason for the popularity of these 3D model databases is based on the fact that traditionally database information is composed of text and figures.This makes such databases very complex and time consuming to use, as traditional searching facilities are less intuitive than browsing through natural representations of reality.Thus, these 3D models provide a more intuitive interface for a non-expert user to explore more readily (Annansingh & Nunes, 2005).The intuitive user interface allows a broad cross-section of company personnel, from low-level maintenance, to senior engineers to have access to whatever information is needed to populate the database.These environments are also easily accessible and can be navigated by even those with very limited training (Annansingh & Nunes, 2005).This is a dynamic environment which encourages creativity and risks taking.

Research methodology
IS research traditionally adopted a positivist approach.However, since the objective of this chapter is to:  characterise and identify risks from the case study. use a questionnaire survey to validate and assess risks identified in the literature review and case study.It was believed the perception and perspectives of participants would provide deeper understanding into issues surrounding the development of this software and associated risks, rather than a positivists' approach which prohibits such rich descriptions (Bharadwaj, 2004).Consequently, a constructivist rather than a positivist paradigm is adopted.The constructivist paradigm according to Denzin & Lincoln (1998: 27) "assumes a relativist ontology (there are multiple realities), a subjectivist epistemology, (knower and subject create understandings), and a naturalistic (in the natural world) set of methodological procedures".The interpretivist paradigm which falls under the general umbrella of social constructivism focuses on the understanding of the world as it is, as well as an understanding of the social world from the level of subjective experience.Burrell and Morgan (1985:28) claims that an interpretivist paradigm "seeks explanation within the realm of individual consciousness and subjectivity, within the frame of reference of the participant as opposed to the observer of the action".Based on these arguments and the need to extract the perceptions and perspectives of participants, an interpretivist stance seems appropriate.From an ontological perspective, interpretivist researchers view the social world as extremely complex and problematic, where everyday life is an incredible achievement.The interpretivist researcher therefore seeks to interpret, understand, experience or produce the very basis and source of social reality (Burrell & Morgan, 1985;Mason 2002).Additionally this study is an exploratory case study research.The adoption of an interpretivist approach rather than positivist is selected on the basis that the validity of an extrapolation does not depend on the statistical representation of such case/s in a statistical sense but rather on the plausibility and clarity of the logical reasoning used in describing the results and drawing conclusions from the cases (Walsham, 1993).

Research design
The main function of the research design is to:  conceptualise the operational plan to undertake the different procedures and tasks necessary for the execution of the research;  ensure that the procedures are sufficient to obtain valid, objective and accurate answers to the research question (Kumar, 2011).There are three main approaches to research.According to Creswell (2003), these are qualitative, quantitative and mixed method approach.
A mixed method approach is adopted with a dominant qualitative method and supporting quantitative method (QUAL -quan) (Creswell, 2003).One of the reasons for conducting a qualitative study is the research is exploratory and involves the use of a case study.In order to validate the results from this case study a cross sectional questionnaire survey is used.Thus, the study is theoretically driven by a qualitative case study research method with a complementary quantitative cross sectional survey (Tashakkori & Teddlie, 1998;Creswell 1994).Additionally, since not much has been written about the risk of KL resulting from VREs, obtaining both the perceptions and perspectives of various individuals as well as reaching a consensus within a population will assist with the generalisation of the findings.The mixed method procedure used to accomplish this is sequential as described by Creswell (2003).The underlying principle driving this research is the qualitative method as interviews provide the bulk of the information, in addition to the use of both open and closed ended questions in the questionnaires.
Having established the research paradigm, design and chosen methodology, the next logical step is to define the strategy necessary to achieve this goal.A number of IS taxonomy were examined, however none of these models were viewed as being singularly appropriate for this study.As such, an adaptation was done to Galliers (1992) IS taxonomy.Therefore, the rationale for the study consists of identifying the base-events that may trigger the risks, defining and characterising the risks, and finally proposing recommendations on how to minimise and remediate their occurrence.This research develops and uses the practice-based IS research (PB-ISR) framework presented in Figure 1.This PB-ISR framework is particularly useful for projects where research questions emerge from real-life organisational processes and problems encountered in practice.Thus the formulation of the research question is inherently linked with practice rather than theory (Annansingh & Nunes, 2005).

Research question
Foreshadowed problems are the starting point of any research (Hammersley & Atkinson, 1994).In this study, the foreshadowed problem emerges from the unexpected fact, that using VREs may result in risks of KL.In fact, despite the many advantages offered by VREs, their very nature poses risks exposure owing to the fact that the environments produced are intuitive, realistic, browsable and link to comprehensive specialised and technical databases.For Company 3D, the problem is particularly complex, since they produce these virtual environments on behalf of very specialised and high-tech companies, which in turn make these 3D models available both internally and externally to their customers.Thus the research question driving this project emerged from the increasing awareness by Company 3D, that these risks could become crucial in the success of their products and services.

Case study research
The use of case studies as a research tool has become increasingly important, as they are excellent at simplifying complex issues or objects and can draw on experience and/or add to the strength of information from other researchers (Soy, 1998).A case study strategy, can be used for either one of three purposes -exploratory, descriptive or exploratory (Yin, 2003;Walsham, 1993).A single exploratory case study was employed using Company 3D since it was considered typical of other SMEs involved with 3D models.Owing to this, a case-study research design was implemented based on the triangulation of methods presented.Nonetheless, risk analysis is inherently a causal and explanatory analysis which requires special attention to internal validity (Yin, 2003).This is essential whenever a study aims at establishing explanations and causal relations.Internal validity establishes that certain conditions lead to others and requires the use of multiple pieces of evidence from multiple sources to uncover convergent lines of inquiry.Therefore, throughout the study there was an on-going interaction between theory and the data collected.Concept maps were used to represent the data collected as they allow for the establishment of chains of evidence forward and backward.These concept maps allowed a comparative analysis between the results collected from the case study with the theoretical stance, as well as a constant reinterpretation of new findings and already accepted causal chains.Thus the data gained through exploratory interviews were based on the knowledge, experience and perspectives of the respondents.Consequently, a cross sectional survey of similar companies in the UK interacting with 3D models was considered appropriate in order to gain a more holistic understanding of the leakage risks (Annansingh & Nunes, 2005).

Interviews
Supported by risk typologies and conceptual understandings drawn from the literature review, initial exploratory interviews were undertaken with the Technical Director (TD), the Development Director (DD), Security and Database Administrator (SDA), Sales and Marketing Director (SMD), Lead Software Developer (LSD) and members of his team.These interviews allowed for an early identification and assessment of risks and were used to provide greater insight into KL risks with such systems.

Data analysis interviews
Data analysis of qualitative data begins with the identification of key themes and patterns (Coffey & Atkinson, 1996).Base on the interviews, initial data analysis was conducted via a question by question summary.Following this, open coding was used to identify, name, categorise and describe significant themes and issues found in the interview scripts.The codes emerged from actual terms used by the participants as well as those in existing theory and the literature (Saunders et al., 2009).Consequently, for open coding each sentence in the interview scripts were scrutinised in relation to risks identification and KL risks in VREs, this enabled the broadening of the research focus while keeping within the exploratory confines.Further to the use of open coding, axial coding was used.Axial coding was used to identify the relationships between the categories of data that emerged from the open coding process.As the relationship between categories were identified they were rearranged based on a hierarchal system with sub-categories emerging (Saunders et al., 2009).Axial coding was used to determine the risks arising from each vulnerability as well as the consequences associated with the risks identified (Coffey & Atkinson, 1996).Here based on the key concepts and the associated risks, the properties or consequences of each were examined via a combination of inductive and deductive thinking.From these categories, selective coding was used to group the different types of risks into key concepts around KL. Since selective coding was used to identify the main concepts from the sub-categories, a number of key concepts emerged (Saunders et al., 2009).Concepts were used as they provide useful mental images or perceptions.Since concepts are subjective impressions-their understandings may differ from person to personwhich if measured would cause problems in comparing responses (Kumar, 2011).The decision to assign concepts to the data was done to facilitate data condensation, thus making it more manageable.A number of key concepts were identified from this set of data, namely: organisational KL risks, KL from the KM process and technological KL.From these concepts, relevant phenomena and examples were identified and selected to support such occurrences.Here similarities and differences were identified with a number of emerging patterns and structures, thus facilitating a more diverse analytical scrutiny (Coffey & Atkinson, 1996).Based on the risks and key concepts identified from employing open, axial and selective coding, testing of these phenomena was done via the use of a questionnaire survey.

Questionnaires
Having completed the analysis and representation of the data from the interviews a cross sectional survey was sent to companies in the UK.This questionnaire survey was used as a validation tool, that is, it was conducted to validate the findings of the case-study by querying the industry sectors that are involved in the design, development and use of 3D virtual models.This approach was adopted as recommended in De Vaus (1996).The aim was to determine whether risks identified from the case study were a true representation of perceptions in the sector.Postal questionnaires were sent to SMEs and targeted a wide group within the organisation with different job functions.300 companies were selected as matching the criteria of designing and developing 3D models, 40 however had ceased trading and 50 useable questionnaires were returned.

Data analysis questionnaire
The use of descriptive data analysis facilitates the exploration of key issues.Like the questionnaire in the case study, descriptive data analysis is used to analysed the data from the cross sectional survey.Descriptive data analysis provides simple summaries about the sample and the measures adopted.Together with simple graphic analysis, it forms the basis of quantitative data analysis.Both descriptive univariate and bivariate analysis were conducted and made use of percentages, frequencies, diagrams, cross tabulation and correlations (De Vaus, 2002).

Presentation and discussion of the findings
KL occurs via three main pathways: organisational KL, technological KL and from the KM Process.Based on each of these pathways a discussion now ensue which focuses on the different types of KL.

Organisational knowledge leakage
A firm's competitive advantage lies in its ability to prevent the loss of knowledge across the organisation's boundaries (Brown & Duguid 2000).KL occurs when the ideas develop in the originating company -where it is being used --are leaked to the production line of its competitors.The combination of a virtual reality world with a precise description of construction and operational details has been identified as a possible knowledge exposure risk and a threat to internal KM.The use of VREs therefore is a fantastic tool for competitors and other unauthorised personnel to detect, understand and monitor events in the organisation.This is based on the fact that even though organisations have established formal and bounded structures of practice, informal and fluid networks are constantly evolving.Once instituted, these networks adopt an entirely different role from those formally established in the organisation.Thus as individuals in the organisation "work collaboratively and vital interstitial communities are continually being formed and reformed" (Brown & Duguid, 2000), knowledge is being disseminated and shared.The dissemination and sharing of this knowledge can result in KL.Quite often networks are formed and established outside the confines of the regular organisational structure and even outside its boundaries.Therefore, due to these processes and activities KL is not only occurring internally but also externally.In addition, from the results several risks were identified as being particular to 3D models as well as those generic to IS projects.The fact that the creation of these environments is fairly new, highlights additional problems for developers, outside the regular software development problems, as development of this sort, can result in longer project cycles and a number of generic vulnerabilities which can lead to project and software risks that affected the quality and performance of the system.Thus it was expressed by developer's that customers would experience problems with the expected performance of the system especially with regards to the information retrieval and storage, real time responses, and database response, contentions or access.The probability of these problems occurring was seen as 'high'.This phenomenon was however, not surprising owing to the fact that the use of 3D models to produce VREs is constantly emerging.These applications are then navigated in a PC environment using a variety of 3D viewing packages.These environments create authentic and detailed virtual models of artefacts that are easily navigable and contain comprehensive information which are queried by users or employees at the click of the mouse (Nunes & Annansingh, 2003).Consequently, evidence indicates the following are most likely risks to occur thus leading to KL, theft; data readily interpreted, easy analysis of information; easy accessibility.In addition, due to the verisimilitude nature these environments make it difficult to monitor environmental changes which could lead to incorrect decision making.Owing to the fact that there is need for constant update users need to be aware that environments are based on supposition and that information easily is out-dated.

Leakage from knowledge management process
The ease in which knowledge is transferred -that is leaky knowledge -will depend on whether it is tacit or explicit knowledge.Tacit knowledge is difficult to transfer while explicit knowledge leaves the organisation quite readily (Alavi, 2002).From the models of KM and as seen in Figure 2 (Nunes et al., 2005), one of the primary goals of KM is to share, transfer and disseminate explicit knowledge.The sharing of this knowledge however is sometimes done in an ad hoc manner and can result in KL.Like larger corporation, SMEs need appropriate and current knowledge in order to compete.However, SMEs tend to be more susceptible to problems of high staff turnover and knowledge retention than their larger counterpart.Thus, knowledge within these companies should be appropriately managed, disseminated and retained.Even though KM processes are onerous in terms of both direct and indirect costs, the consequences for a SME of not maintaining those processes can create vulnerabilities to KL and consequently losses in efficiency, productivity and competitiveness.
From the case study it was noted that while Company 3D encourage employees to obtain knowledge from external sources, the company lacked an explicit KM strategy to collate, share and disseminate this information once captured.Therefore, a lack of formal mechanisms existed for the identification and protection of strategic knowledge within the organisation.In addition, making this information available to the different employee's increased the probability of KL risks, as security mechanisms were quite often inadequate within the databases to prevent unauthorised access or systematic downloading of information.Subsequently, whether these practices were typical of the industry was sought in the questionnaire.From which, it was seen that 41.2% indicated not having an explicit KM strategy, while 32.4% believed such a strategy did not exist.Nonetheless, a low indication of explicit KM strategy in these organisations was not surprising as the majority of participants were from SMEs.For which, studies have shown that SMEs in general, tend not to adopt or implement KM strategy or its principles (Nunes et al., 2005).Even though a number of these companies reported not having an explicit KM strategy, 81.2% had knowledge storage mechanisms in place.While these practices are recommended for the business continuity, integration and dissemination, the protection of this knowledge from KL -both internally and externally-should be considered strategically.The need for the risk and KL assessment cannot be over emphasised, since within any organisation not all knowledge can be or should be shared with all employees, thus it is necessary that employees be given information on a need to know basis.This knowledge should be protected by the organisation from external sources as in fact it is part of its intellectual property.Figure 2 highlights the areas of possible KL risks in organisations.The lightly shaded blue areas of the model indicate where in the KM process KL during activities such as: collaborations, narrations, group discussions and communities of practices.A key is used to symbolise where KL risks is most likely to occur between the different processes.
In addition, the red arrows highlight the areas where knowledge is being shared or transferred from one form to another, and represent the areas in the KM process where KL will most likely occur.Consequently, risk management and security measures should be adapted to prevent such loss.For those areas without a red arrow, this is not an indication for an absence of KL risks but rather that within these areas the probability of K L o c c u r r i n g w a s s e e n a s u n l i k e l y .F r o m a K M p e r s p e c t i v e , F i g u r e 2 p r o v i d e s a breakdown of the areas where holistic risk management should occur in the organisation.
In addition, it supplies the reader with a simplistic view of the areas where KL risks will occur.

Technological knowledge leakage
With the various developments in the previous decade which has seen the reduction in the cost of computer technology and its easy availability, organisations are increasingly reliant upon the use of electronic media, more specifically electronic mail (email) for inter-organisational communication.In addition to email messaging, most organisations typically use a variety of communication technologies to send and receive information.This information is then processed and stored in a number of ways, one of which is through electronic database.The Internet and electronic databases in general, provide users with easy access to vast amounts of information which may not always be intended for general dissemination.This knowledge sometimes gets into the public domain, whether deliberately or unintentionally.Based on the rationale behind the development of this software system, which was for the representation of organisational information via the use of 3D models in a database, and since information in these databases is often interlinked, the system therefore becomes susceptible to attacks of theft, hacking and unauthorised access.Nonetheless, where the models were used for training and maintenance purposes, it was especially prone to attacks from unauthorised personnel, as some employees during training may have been given access to areas of the system which was previously prohibited.During maintenance and training the probability of KL risks occurring were identified as 'high' by the interviewees owing to the nature of the software.Therefore, it is possible for employees or any unauthorised personnel to steal or walk out with any of the organisation's assets including valuable information without being detected as this information has been internalised into tacit knowledge.
[]… VR model is a fantastic tool for competitors to see how the system is designed, or why a competitor is so efficient []" (LSD).As organisations grow more sophisticated systems have to be installed, thus increasing the challenges of managing communication and change.A number of organisations do not have formal approach to documentation thus it is difficult to pinpoint exactly where there are potential problems or how these problems may arise.However, without proper documentation the risk of failure and reduced efficiency increases when the organisations attempt to upgrade or implement a new system to meet new requirements.The simplistic answer to these problems is provided very bluntly by Frank (2002): "The easiest way to reduce knowledge loss is to avoid losing it in the first place".This is not a possibility in the majority of scenarios, as the acceptance, usefulness and even success of the product designs and solutions offered by an organisation depends to a large extent on the good and efficient training of the employees in the third party companies.Several risks which are indirectly related to the use of the models were also identified especially during maintenance.One of the main contributors of these risks was due to staffs' inexperience in carrying out these maintenance services.The case study shows KL could be intentional or accidental.Thus, the concept of KL covers a number of risks management issues such as organisational and security risks.It was perceived by the interviewees that while internally it is possible to regulate KL, to some extent, through the use of employment contracts and confidentiality clause, there were unequivocal concern from alliances formed with suppliers and third party companies interacting with the system.In addition, KL resulting from employees was basically prevented by having: "critical information held on read only files but in reality there is little to stop systematic downloading over a period of time"(LSD).Even though, there are obvious technical awareness of the dangers of KL, from the case study there is no risk management strategy existing within the organisation to mitigate, control or prevent these risks.Therefore, it was generally perceived that little would be done to prevent KL, especially over time, and was consequently viewed as a secondary factor.Nonetheless, attempts to protect against intra-organisational leakage were made via the use of firewalls and password protected screensavers.This however, was seen as inadequate since the probability and impact of intra-organisational KL risk occurring was rated as 'medium'.This can result in an unprecedented number of unauthorised copies being made and distributed quite rapidly to unauthorised or unidentified recipients.It is also not uncommon that a lapse in procedures often results in an original document being carelessly left in some unprotected location where literally any unauthorised person can access it.Hence education and training of employees is necessary to prevent KL owing to carelessness, naïf acts and during informal discussions.The cross sectional survey shows the 87.6% of respondents being also aware of KL, with 51.3% rating the probability of KL occurring as ranging from "medium" to "very high".49.7% of these companies had precautionary measures to protect against internal and external KL.Consequently, the mechanisms in place to prevent internal KL shows most organisations opted for:  rules for appropriate level of physical access; and  the implementation of host based firewalls between segregated networks.Since these companies had obviously implemented measures to prevent intraorganisational risks, the probability of KL risks occurring was rated by 54.5% as ranging from "medium" to "very high" with 45.4% rating the impact as "medium" and 20.6% as "high".Therefore the impact of KL on the organisation was rated higher than the probability of the risks occurring.In addition to the measures used to protect it against KL risks -internally or externallythere were other factors which contributed to KL.One such factor is the loss of employees, thus it was important to obtain the perception of people within the industry.The results show a cumulative total of 74.7% either "agreeing" or "strongly agreeing" that loss of employees is one of the main causes of KL.However, not all companies took precautionary measures to retain knowledge in the organisation before employees leave, the justification provided were:  Employees work in teams-no one person has all the knowledge it is share among the group;  No formal measures have been established;  Low staff turnover.Regardless of the size of the organisation and the staff turnover rate, KL risks should be addressed and the relevant actions taken to prevent or mitigate its occurrence.A comparison of the size of the organisations with the security or risk management measures adopted to prevent KL, shows the size of the organisation had no influenced on either the risk management or security measure used.Although, a significant number (87.6%) of respondents claimed to be aware of the dangers of KL within the organisations there were no evidence of an explicit consideration for KL prevention.This again highlights a flaw within the risk management thinking of these organisations.From the case study, concerns were raised about KL resulting from suppliers and third party companies, rather than employees, as it was believed that it is possible to regulate KL through the use of employment contracts and confidential statements.Thus, Company 3D took no action to formalise policies on KL or knowledge capture and acquisition even though the TD claimed.
"….this is a new development and we always run a risk when introducing new facilities".Therefore, this and any new technology was seen as being associated with some degree of uncertainty.The risk identified by respondents from the use of VREs as having the highest impact on the organisation was the loss of competitive advantage.This was regardless of the purpose for which the software was employed.Theft of proprietary information was not regarded as factor of major concern as the expected impact on the organisation was rated as 'medium'.In addition to the aforementioned risks, others were identified in the literature and case study which are also associated with the practice of delivering software across the Internet.Hence risks negotiations need to occur between all parties involved in the design, development and use of the VREs.From a client's perspective one of the key questions emerging from this study is whether presenting the information in a VRE would result in greater risks implications for the organisations concerned.In addition, to being a valuable resource for competitors the use of VREs raises concerns regarding system updates.These concerns are based on the verisimilitude nature of such software.Since models for the system were done using photographs, in a dynamic environment changes will not be evident.This is particularly important, for example, for maintenance work and health and safety issues, where every detail is significant and will determine the difference between life and death.

Conclusions
In this study, particular attention was given to the embodiment, use, and dissemination of knowledge as a result of the employment of VREs.Knowledge embodiment and use in projects occurred during systems development and dissemination owing to the actual utilisation of the 3D models during business transactions and training activities.Since one of the primary goals of KM is to share, transfer and disseminate explicit knowledge the sharing of this knowledge if done in an ad hoc manner can result in KL.The results shows that even the best laid KM policy or framework can be source of KL due to the absence of an integrated risk management approach.In addition, the general nature of the KM models allows for KL, this weakness or discrepancy occurs where policies and practices do not merge.Another reason for KL is the fact that KM models have failed to consider the protection of knowledge within the organisation and across it boundaries.Consequently the risk assessment process in any organisation cannot be reduced to the simple negotiation of risk between two f companies.As a result third party companies should be explicitly involved in the risk assessment process since the greater risks of exposure and leakage are related to such interactions.It is recommended that once the risk assessment process is completed, risk thinking on knowledge exposure and leakage should not be abandoned.Knowledge exposure concerns should be part of the continuous risk management approach from the beginning of a project until the outcomes are realised.Knowledge leakage risks should be continually assessed and monitored and whenever needed contingency measures considered.This attitude towards this type of risk should influence technical and design decisions as well as provide insights on technical options, thus empowering managers to make informed decisions.