SwePub
Result list for search ""information security" srt2:(2020-2024)"


  • Results 1-10 of 166
1.
  • Bergström, Erik, 1976- (author)
  • Supporting Information Security Management : Developing a Method for Information Classification
  • 2020
  • Doctoral thesis (other academic/artistic)
    • In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800. However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled. This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.
2.
  • Rostami, Elham, 1983- (author)
  • Tailoring information security policies : a computerized tool and a design theory
  • 2023
  • Doctoral thesis (other academic/artistic)
    • Protecting information assets in organizations is a must and one way for doing it is developing information security policy (ISP) to direct employees’ behavior and define acceptable procedures that employees have to comply with on a daily basis. However, compliance with the ISP is a perennial problem. Non-compliance with ISPs is at least related to two factors: 1) employees’ behavior, and 2) the design of ISPs. Although much attention has been given to understanding and changing employees’ behavior, designing ISPs that are easy to follow has received less attention. Existing research has suggested designing such ISPs using a tailoring approach where the ISP is designed in several versions that fulfill the needs of different target groups of employees. At the same time, tailoring means increased design complexity for information security managers as the designer of ISPs, where a computerized tool can aid. Thus, the aim of this thesis is to develop a computerized tool to support information security managers’ tailoring of ISPs and the design principles that such a tool can be based on. To this end, a design science research approach was employed. Using the knowledge from the Situational Method Engineering field as the kernel theory for the design science research project, a set of design principles and a conceptual model were developed in terms of a Unified Modeling Language class diagram. Subsequently, a web-based software (POLCO) was developed based on the proposed conceptual model to support information security managers to design tailored ISPs. The conceptual model and POLCO were developed, demonstrated, and evaluated as a proof-of-concept in three DSR cycles. The thesis contributes to research and practice by proposing the design principles and the conceptual model that can be considered as: 1) a new theory on how to design ISPs, 2) a way to develop software to assist information security managers in designing tailored ISPs. Meanwhile, POLCO as an artifactual contribution can be considered as a starting point for researchers to do studies in the ISP design area.
3.
  • Kävrestad, Joakim, 1989-, et al. (author)
  • ContextBased MicroTraining : A Framework for Information Security Training
  • 2020
  • In: Human Aspects of Information Security and Assurance. - Cham : Springer. - 9783030574031 - 9783030574048 ; , pp. 71-81
  • Conference paper (peer-reviewed)
    • This paper addresses the emergent need for training measures designed to improve user behavior in regards to security. We do this by proposing a framework for information security training that has been developed for several years and over several projects. The result is the framework ContextBased MicroTraining (CBMT) which provides goals and guidelines for how to better implement information security training that supports the user in the situation where the user needs support. CBMT has been developed and tested for use in higher education as well as for the support of users during password creation. This paper presents version 1.0 of the framework with the latest refinements.
4.
  • Brodin, Martin (author)
  • Managing information security for mobile devices in small and medium-sized enterprises : Information management, Information security management, mobile device
  • 2020
  • Doctoral thesis (other academic/artistic)
    • The rapid proliferation of mobile devices makes mobile security a weak point in many organisations’ security management. Though there are a number of frameworks and methods available for improving security management, few of these target mobile devices, and most are designed for large organisations. Small and medium size organisations are known to be vulnerable to mobile threats, and often subject to the same legal requirements as larger organisations. However, they typically lack the resources and specialist competences necessary to use the available frameworks. This thesis describes an Action Design Research project to devise and test a low cost, low learning curve method for improving mobile security management. The project is conducted together with a small Swedish consulting company and evaluated in several other companies. In order to solve the challenge that SMEs face, three objectives have been set: 1. Identify existing solutions at a strategic level to managing information that is accessible with mobile devices and their suitability for SMEs. 2. Develop a framework to support SMEs to manage information in a secure way on mobile devices. 3. Evaluate the framework in practice. The results show that simple theoretical models can be integrated with well-known analysis techniques to inform managers and provide practical help for small companies to improve mobile security practice. The most important contribution to both science and practice is a structured approach for managers to deal with mobile devices, or for that matter other technology advances that do not fit into the existing management system. The journey to the final solution also produced several smaller contributions to science, for example insights from C-suites about strategies and work with mobile devices, differences and similarities between CYOD (choose your own device) and BYOD (bring your own device), the role of security policies in organisations, and twelve identified management issues with mobile devices.
5.
  • Karlsson, Martin, 1982-, et al. (author)
  • The effect of perceived organizational culture on employees’ information security compliance
  • 2022
  • In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 30:3, pp. 382-401
  • Journal article (peer-reviewed)
    • Purpose: This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach: The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy. Findings: The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance. Research limitations/implications: The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance. Practical implications: Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations. Originality/value: Few information security policy compliance studies exist on the consequences of different organizational/information cultures.
6.
  • Andersson, Annika, 1968-, et al. (author)
  • “Standardizing information security – a structurational analysis”
  • 2022
  • In: Information & Management. - : Elsevier. - 0378-7206 .- 1872-7530. ; 59:3
  • Journal article (peer-reviewed)
    • Given that there are an increasing number of information security breaches, organizations are being driven to adopt best practice for coping with attacks. Information security standards are designed to embody best practice and the legitimacy of these standards is a core issue for standardizing organizations. This study uncovers how structures at play in de jure standard development affect the input and throughput legitimacy of standards. We participated as members responsible for standards on information security and our analysis revealed two structures: consensus and warfare. A major implication of the combination of these structures is that legitimacy claims based on appeals to best practice are futile because it is difficult to know which the best practice is.
7.
  • Gebremeskel, Bemenet Kasahun, et al. (author)
  • Information Security Challenges During Digital Transformation
  • 2023
  • In: Procedia Computer Science. - : Elsevier BV. - 1877-0509. ; 219, pp. 44-51
  • Journal article (peer-reviewed)
    • Since the proliferation of information technology (IT) into business processes, organisations have grown to rely on a large amount of data to improve their products and services and create added value. This development has made information the most valuable asset for any organisation, which, in turn, has made information security a primary concern for leaders. Despite the tremendous potential of digital transformation, prior empirical studies indicate that information security challenges must be overcome to realise the anticipated benefits. Analysing the data collected from 14 leaders through semi-structured interviews, this study identified six information security challenges facing organisations undertaking digital transformation—financial constraints, risk of security breaches, reduced productivity, reduced access and control over information, lack of expertise, and dynamic security management needs. Propositions, as well as the implication of the findings for research and practice, are discussed.
8.
  • Ording, Lovisa Göransson, et al. (author)
  • The influence of inputs in the information security policy development : an institutional perspective
  • 2022
  • In: Transforming Government. - : Emerald Group Publishing Limited. - 1750-6166 .- 1750-6174. ; 16:4, pp. 418-435
  • Journal article (peer-reviewed)
    • Purpose: The purpose of this paper is to investigate what role literature-based inputs have on the information security policy (ISP) development in practice. Design/methodology/approach: A literature review is carried out to identify commonly used inputs for ISP development in theory firstly. Secondly, through the lens of institutional theory, an interpretive approach is adapted to study the influence of literature-based inputs in the ISP development in practice. Semi-structured interviews with senior experienced information security officers and managers from the public sector in Sweden are carried out for this research. Findings: According to the literature review, 10 inputs for ISP development have been identified. The results from the interviews indicate that the role inputs have on the ISP development serves as more than a rational tool, where organisational context, institutional pressures and the search for legitimacy play an important role. Research limitations/implications: From the institutional perspective, this study signifies the influence of inputs on ISP development can be derived from institutionalised rules or practices established by higher authorities; actions and practices that are perceived as successful and often used by other organisations; the beliefs of what is viewed as appropriate to meet the specific pressures from stakeholders. Practical implications: This research recommends five practical implications for practitioners working with the ISP development. These recommendations aim to create an understanding of how an ISP could be developed, considering more than the rational functionalist perspective. Originality/value: To the best of the authors' knowledge, it is the first of its kind in examining the role of literature-based inputs in ISP development in practice through the lens of institutional theory.
9.
  • Åkerlund, Agnes, et al. (author)
  • Integration of Data Envelopment Analysis in Business Process Models : A novel approach to measure information security
  • 2020
  • In: Proceedings of the 6th International Conference on Information Systems Security and Privacy (ICISSP). - : SciTePress. - 9789897583995 ; , pp. 281-288
  • Conference paper (peer-reviewed)
    • This article explores the question of how to measure information security. Organisational information security is difficult to evaluate in this complex area because it includes numerous factors. The human factor has been acknowledged as one of the most challenging factors to consider in the field of information security. This study models the application of data envelopment analysis to business processes in order to facilitate the evaluation of information security that includes human factors. In addition to the model, this study demonstrates that data envelopment analysis provides an efficiency measure to assess the information security level of a business process. The novel approach that is proposed in this paper is exemplified with the aid of three fictive processes. The Business Process Model and Notation has been used to map the processes because it facilitates the visualisation of human interactions in processes and the form of the processed information. The combination of data envelopment analysis with process modelling and analyses of process deficiencies and threats to information security enables the evaluation of information security to include human factors in the analyses. Moreover, it provides a measure to benchmark information security in organisational processes.
10.
  • Rostami, Elham, 1983-, et al. (author)
  • Requirements for computerized tools to design information security policies
  • 2020
  • In: Computers & security (Print). - : Elsevier. - 0167-4048 .- 1872-6208. ; 99
  • Journal article (peer-reviewed)
    • Information security is a hot topic nowadays, and while top-class technology exists to safeguard information assets, organizations cannot rely on technical controls alone. Information security policy (ISP) is one of the most important formal controls when organizations work with implementing information security. However, designing ISPs is a challenging task for information security managers and to ease the burden, computerized tools have been suggested to support this design task. One important prerequisite for developing such tools is the requirements. However, existing research has, to a very limited extent, synthesized existing requirements. Against this backdrop, this study aims to elicit a set of requirements, anchored in existing ISP research, for computerized tools that support ISP design. First, we summarize existing ISP research into 14 requirement themes. Second, we suggest a set of user stories that operationalize these requirement themes from an information security manager's perspective. Third, we suggest another set of user stories that operationalize the same requirement themes from an ISP user's perspective. In total, we suggest 28 user stories that can act as a starting point for both researchers and practitioners when developing computerized tools that provide ISP design support for information security managers. 