SwePub
Result list for search ""information security" srt2:(2005-2009)"

  • Results 1-10 of 89
1.
  • Björck, Fredrik, 1972- (author)
  • Discovering Information Security Management
  • 2005
  • Doctoral thesis (other academic/artistic)
    • This thesis is concerned with issues relating to the management of information security in organisations, motivated by the need for cost-efficient information security. It is based on the assumption that: in order to achieve cost-efficient information security, the point of departure must be knowledge about the empirical reality in which the management of information security takes place. The data gathering instruments employed are questionnaires with open-ended questions and unstructured research interviews. The empirical material is analysed, and conclusions are drawn following the principles of Grounded Theory. Data sources are professionals in the area of information security management, including information security consultants (n=13), certification auditors (n=8), and information security managers (n=8). The main contributions are: an integrated model illustrating the experts’ perceptions concerning the objectives, actors, resources, threats, and countermeasures of information security management; a framework for the evaluation, formation, and implementation of information security management systems; a new approach for the evaluation of information security in organisations; a set of success factors concerning the formation of information security management systems; and a problem inventory concerning the value and assessment of information security education and training.
2.
  • Johnson, Pontus, et al. (author)
  • Assessment of Business Process Information Security
  • 2007
  • In: International Journal of Business Process Integration and Management. - 1741-8763. ; 3:2, pp. 118-130
  • Journal article (peer-reviewed)
    • Business processes are increasingly dependent on their supporting information systems. With this dependence comes an increased security risk with respect to the information flowing through the processes. This paper presents a method for assessment of the level of information security within business processes in the form of a percentage number, where a high score indicates good information security and a low score indicates a poor level of information security. The method also provides a numerical estimate of the credibility of the information security score, so that an assessment based on few and uncertain pieces of evidence is associated with low credibility and an assessment based on a large set of trustworthy evidence is associated with high credibility. A common problem with information security assessments is the cost related to collecting the required evidence. The paper proposes an evidence collection strategy designed to minimize the effort spent on gathering assessment data while maintaining the desired credibility of the results. A case study is presented, demonstrating the use of the method.
3.
  • Johansson, Erik, et al. (author)
  • Assessment of Enterprise Information Security : The Importance of Prioritization
  • 2005
  • In: Ninth IEEE International EDOC Enterprise Computing Conference, Proceedings. - 0769524419 ; , pp. 207-218
  • Conference paper (peer-reviewed)
    • Assessing the level of information security in an enterprise is a serious challenge for many organizations. This paper considers the prioritization of the field of enterprise information security. The paper thus considers how we may know what parts of information security are important for a company to address and what parts are not. Two methods for prioritization are used. The results demonstrate to what extent different standards committees, guideline authors and expert groups differ in their opinions on what the important issues are in enterprise information security. The ISO/IEC 17799, the NIST SP 800-26, the ISF standards committees, the CMU/SEI OCTAVE framework authors and an expert panel at the Swedish Information Processing Society (DFS) are considered. The differences in prioritization have important consequences on enterprise information security assessments. The effects on the information security assessment results in a European energy company are presented in the paper.
4.
  • Johansson, Erik, 1967- (author)
  • Assessment of Enterprise Information Security : How to make it Credible and Efficient
  • 2005
  • Doctoral thesis (other academic/artistic)
    • Information is an important business asset in today’s enterprises. Hence enterprise information security is an important system quality that must be carefully managed. Although enterprise information security is acknowledged as one of the most central areas for enterprise IT management, the topic still lacks adequate support for decision making on top-management level. This composite thesis consists of four articles which present the Enterprise Information Security Assessment Method (EISAM), a comprehensive method for assessing the current state of the enterprise information security. The method is useful in helping guide top-management’s decision-making because of the following reasons: 1) it is easy to understand, 2) it is prescriptive, 3) it is credible, and 4) it is efficient. The assessment result is easy to understand because it presents a quantitative estimate. The result can be presented as an aggregated single value, abstracting the details of the assessment. The result is easy to grasp and enables comparisons both within the organization and in terms of industry in general. The method is prescriptive since it delivers concrete and traceable measurements. This helps guide top-level management in their decisions regarding enterprise-wide information security by highlighting the areas where improvement efforts are essential. It is credible for two reasons. Firstly, the method presents an explicit and transparent definition of enterprise information security. Secondly, the method in itself includes an indication of assessment uncertainty, expressed in terms of confidence levels. The method is efficient because it focuses on important enterprise information security aspects, and because it takes into account how difficult it is to find security related evidence. Being resource sparse it enables assessments to take place regularly, which gives valuable knowledge for long-term decision-making.
      The usefulness of the presented method, along with its development, has been verified through empirical studies at a leading electric power company in Europe and through statistical surveys carried out among information security experts in Sweden. The success from this research should encourage further researchers in using these analysis techniques to guide decisions on other enterprise architecture attributes.
5.
  • Johansson, Erik, et al. (author)
  • Assessment of Enterprise Information Security : The Importance of Information Search Cost
  • 2006
  • In: Proceedings of the Annual Hawaii International Conference on System Sciences. - 1530-1605. ; 9, pp. 219a-
  • Journal article (peer-reviewed)
    • There are today several methods and standards available for assessment of the level of information security in an enterprise. A problem with these assessment methods is that they neither provide an indication of the amount of effort required to obtain the assessment nor an approximation of this measure's credibility. This paper describes a part of a new method for assessing the level of enterprise information security that expresses the credibility of the results in terms of confidence levels and makes use of an estimation of the cost of searching for security evidence. Such methods for predicting information search cost of assessments are detailed in the paper. Search cost predictions are used for providing guidance on how to minimize the effort spent on performing enterprise information security assessments. The conclusions are based on a security assessment performed at a large European energy company and a statistical survey among Swedish security experts.
6.
  • Holgersson, Jesper, et al. (author)
  • Information security patterns for web services
  • 2006
  • In: Interoperability for enterprise software and applications. - London : ISTE. - 1905209614 - 9781905209613 ; , pp. 133-144
  • Conference paper (peer-reviewed)
    • Web Services (WS), a currently popular subject among application developers, IT architects, and researchers, can be defined as a technology for publishing, identifying and calling services in a network of interacting computer nodes. The purpose of this paper is to illustrate the benefits of using patterns as a means of managing knowledge concerning security in the context of Web Services. We draw upon experiences from an industrial project in which a pattern catalogue for Web Services was created. The pattern catalogue consists of 29 patterns, which are generic solutions for service-based development and service-oriented architectures. In particular, Web Services are in focus as the enabling technique.
7.
  • Åhlfeldt, Rose-Mharie, et al. (author)
  • Information Security Problems and Needs in Healthcare : A Case Study of Norway and Finland vs Sweden
  • 2008
  • In: Enterprise Interoperability III. - London : Springer. - 9781848002203 - 9781848002210 ; , pp. 41-53
  • Conference paper (other academic/artistic)
    • In healthcare, the right information at the right time is a necessity in order to provide the best possible care for a patient. Patient information must also be protected from unauthorized access in order to protect patient privacy. It is also common for patients to visit more than one healthcare provider, which implies the need for crossborder healthcare and a focus on the patient process. Countries work differently with these issues. This paper is focused on three Scandinavian countries, Norway, Sweden and Finland, and their information security problems and needs in healthcare. Data was collected via case studies, and the results were compared to show both similarities and differences between these countries. Similarities include the too wide availability of patient information, an obvious need for risk analysis, and a tendency to focus more on patient safety than on patient privacy. Patients being involved in their own care, and the approach of exchanging patient information are examples of differences.
8.
  • Herzog, Almut, et al. (author)
  • An ontology for information security
  • 2009. - 1
  • In: Techniques and applications for advanced information privacy and security. - : Information Science Reference. - 1605662100 ; , pp. 278-301
  • Book chapter (other academic/artistic)
    • Advances in technology are causing new privacy concerns as an increasing number of citizens are engaging in online activities. Techniques and Applications for Advanced Information Privacy and Security: Emerging Organizational, Ethical, and Human Issues provides a thorough understanding of issues and concerns in information technology security. An advanced reference source covering topics such as security management, privacy preservation, and authentication, this book outlines the field and provides a basic understanding of the most salient issues in privacy concerns for researchers and practitioners.
9.
  • Johansson, Erik, et al. (author)
  • Assessment of Enterprise Information Security : An Architecture Theory Diagram Definition
  • 2005
  • In: Proceedings CSER 2005. - 0615128432 ; , pp. 136-146
  • Conference paper (peer-reviewed)
    • In order to manage and improve something, it is normally necessary to be able to assess the current state of affairs. A problem with assessment, however, is that in order to assess, it is normally necessary to be able to define the assessment topic. These general statements are also true within the area of Enterprise Information Security. Although much has been written on the topic, there is little consensus on what Enterprise Information Security really is. The lack of consensus lessens the credibility of existing assessment approaches. This paper presents a well-defined, transparent, and quantified method for the assessment of Enterprise Information Security. The method is based on the consolidation of the most prominent sources on the topic and results in a single quantitative estimate of the level of Enterprise Information Security in a company. The usefulness of the presented method has been verified by a case study at a large European electric utility. The present paper is a part of an ongoing research project on a credible and cost-effective method for Enterprise Information Security assessment.
10.
  • Åhlfeldt, Rose-Mharie (author)
  • Information Security in Distributed Healthcare : Exploring the Needs for Achieving Patient Safety and Patient Privacy
  • 2008
  • Doctoral thesis (other academic/artistic)
    • In healthcare, patient information is a critical factor. The right information at the right time is a necessity in order to provide the best possible care for a patient. Patient information must also be protected from unauthorized access in order to protect patient privacy. It is furthermore common for patients to visit more than one healthcare provider, which implies a need for cross border healthcare and continuity in the patient process. This thesis is focused on information security in healthcare when patient information has to be managed and communicated between various healthcare actors and organizations. The work takes a practical approach with a set of investigations from different perspectives and with different professionals involved. Problems and needs have been identified, and a set of guidelines and recommendations has been suggested and developed in order to improve patient safety as well as patient privacy. The results show that a comprehensive view of the entire area concerning patient information management between different healthcare actors is missing. Healthcare, as well as patient processes, have to be analyzed in order to gather knowledge needed for secure patient information management. Furthermore, the results clearly show that there are deficiencies both at the technical and the administrative level of security in all investigated healthcare organizations. The main contribution areas are: an increased understanding of information security by elaborating on the administrative part of information security, the identification of information security problems and needs in cross border healthcare, and a set of guidelines and recommendations in order to advance information security measures in healthcare.