SwePub
Result list for search ""information security" ;hsvcat:1"

  • Results 1-10 of 329
1.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Information security culture : state-of-the-art review between 2000 and 2013
  • 2015
  • In: Information and Computer Security. - : Emerald. - 2056-4961. ; 23:3, pp. 246-285
  • Research review (peer-reviewed)
    • Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about. Design/methodology/approach – Results are based on a literature review of information security culture research published between 2000 and 2013 (December). Findings – This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature. Research limitations/implications – Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research. Practical implications – Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated. Originality/value – Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.
2.
  • Kajtazi, Miranda, 1983-, et al. (author)
  • Information Security Policy Compliance : An Empirical Study on Escalation of Commitment
  • 2013
  • In: 19th Americas Conference on Information Systems (AMCIS 2013). - Red Hook, N.Y. : Curran Associates, Inc.. - 9781629933948 ; , pp. 2011-2020
  • Conference paper (peer-reviewed)
    • This study aims to facilitate a new understanding on employees’ attitude towards compliance with the requirements of their information security policy (ISPs) through the lens of escalation. Escalation presents a situation in which employees must decide whether to persist in or withdraw from a non-performing task. Drawing on the Theory of Planned Behavior (TPB) and Agency Theory, our model delineates three mediating factors in explaining attitude: work impediment, information asymmetry, and safety of resources. We also propose information security awareness as an independent variable having an indirect effect on attitude through mediating factors. The proposed model is tested using the data collected from 376 employees working in the banking industry. The results of the PLS analyses show that while information asymmetry and safety of resources have significant impacts on attitude, work impediment does not. The results also show that ISA has significant impact on all three mediating factors.
3.
  • Bergström, Erik, 1976- (author)
  • Supporting Information Security Management : Developing a Method for Information Classification
  • 2020
  • Doctoral thesis (other academic/artistic)
    • In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800. However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled. This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.
4.
  • Björck, Fredrik, 1972- (author)
  • Discovering Information Security Management
  • 2005
  • Doctoral thesis (other academic/artistic)
    • This thesis is concerned with issues relating to the management of information security in organisations, motivated by the need for cost-efficient information security. It is based on the assumption that: in order to achieve cost-efficient information security, the point of departure must be knowledge about the empirical reality in which the management of information security takes place. The data gathering instruments employed are questionnaires with open-ended questions and unstructured research interviews. The empirical material is analysed, and conclusions are drawn following the principles of Grounded Theory. Data sources are professionals in the area of information security management, including information security consultants (n=13), certification auditors (n=8), and information security managers (n=8). The main contributions are: an integrated model illustrating the experts’ perceptions concerning the objectives, actors, resources, threats, and countermeasures of information security management; a framework for the evaluation, formation, and implementation of information security management systems; a new approach for the evaluation of information security in organisations; a set of success factors concerning the formation of information security management systems; and a problem inventory concerning the value and assessment of information security education and training.
5.
  • Metalidou, Efthymia, et al. (author)
  • The Human Factor of Information Security : Unintentional Damage Perspective
  • 2014
  • In: Procedia - Social and Behavioral Sciences. - : Elsevier. ; , pp. 424-428
  • Conference paper (peer-reviewed)
    • It is widely acknowledged that employees of an organization are often a weak link in the protection of its information assets. Information security has not been given enough attention in the literature in terms of the human factor effect; researchers have called for more examination in this area. Human factors play a significant role in computer security. In this paper, we focus on the relationship of the human factor on information security presenting the human weaknesses that may lead to unintentional harm to the organization and discuss how information security awareness can be a major tool in overcoming these weaknesses. A framework for a field research is also presented in order to identify the human factors and the major attacks that threaten computer security.
6.
  • Kävrestad, Joakim, 1989-, et al. (author)
  • ContextBased MicroTraining : A Framework for Information Security Training
  • 2020
  • In: Human Aspects of Information Security and Assurance. - Cham : Springer. - 9783030574031 - 9783030574048 ; , pp. 71-81
  • Conference paper (peer-reviewed)
    • This paper addresses the emergent need for training measures designed to improve user behavior in regards to security. We do this by proposing a framework for information security training that has been developed for several years and over several projects. The result is the framework ContextBased MicroTraining (CBMT) which provides goals and guidelines for how to better implement information security training that supports the user in the situation where the user needs support. CBMT has been developed and tested for use in higher education as well as for the support of users during passwords creation. This paper presents version 1.0 of the framework with the latest refinements.
7.
  • Hedström, Karin, 1967-, et al. (author)
  • Value conflicts for information security management
  • 2011
  • In: Journal of strategic information systems. - Amsterdam : Elsevier. - 0963-8687 .- 1873-1198. ; 20:4, pp. 373-384
  • Journal article (peer-reviewed)
    • A business’s information is one of its most important assets, making the protection of information a strategic issue. In this paper, we investigate the tension between information security policies and information security practice through longitudinal case studies at two health care facilities. The management of information security is traditionally informed by a control-based compliance model, which assumes that human behavior needs to be controlled and regulated. We propose a different theoretical model: the value-based compliance model, assuming that multiple forms of rationality are employed in organizational actions at one time, causing potential value conflicts. This has strong strategic implications for the management of information security. We believe health care situations can be better managed using the assumptions of a value-based compliance model.
8.
  • Kowalski, Stewart, et al. (author)
  • Information Security Metrics: Research Directions
  • 2011
  • Conference paper (peer-reviewed)
    • This paper is largely based on a state of the art report covering the information security (IS) metrics area produced as part of the Controlled Information Security (COINS) research project funded by the Swedish Civil Contingencies Agency (MSB) and the comprehensive literature review conducted while compiling the report. The report's findings are summarized and some of the key issues discovered in the course of the literature review are reflected upon. Additionally, the paper describes a conceptual systemic scheme/model for the research process, while explaining its relevance to the subject area, that may help with resolution of the outlined issues in future research in the area. The paper is written principally with a management/governance (rather than engineering) perspective in mind.
9.
  •  
10.
  • Metalidou, Efthymia, et al. (author)
  • Human factor and information security in higher education
  • 2014
  • In: Journal of Systems and Information Technology. - : Emerald Group Publishing Limited. - 1328-7265 .- 1758-8847. ; 16:3, pp. 210-221
  • Journal article (peer-reviewed)
    • Purpose – This paper investigates the association of Lack of Awareness and human factors, and the association of Lack of Awareness and significant attacks that threaten computer security in Higher Education. Design/methodology/approach – Five human factors and nine attacks are considered, in order to investigate their relationship. A field research is conducted on Greek employees in Higher Education in order to identify the human factors that affect information security. The sample consists of 103 employees that use computers at work. Pearson correlation analysis between Lack of Awareness and nine (9) computer security risks is performed. Findings – Examining the association of Lack of Awareness with these attacks that threaten the security of computers, all nine factors of important attacks exert significant and positive effect, apart from Phishing. Considering the relationship of Lack of Awareness to human factors, all five human factors used are significantly and positively correlated with Lack of Awareness. Moreover, all nine important attacks, apart from one, exert a significant and positive effect. Research limitations/implications – The paper extends understanding of the relationship of the human factors, the Lack of Awareness, and information security. The study has focused on employees of the Technological Educational Institute (TEI) of Athens, namely teachers, administrators, and working post-graduate students. Originality/value – The paper has used weighted factors based on data collection in Higher Education to calculate a global index for Lack of Awareness, as the result of the weighted aggregation of nine (9) risks, and extends the analysis performed in the literature to evaluate the effectiveness of Security Awareness in Computer Risk Management.
Type of publication
conference paper (150)
journal article (108)
doctoral thesis (21)
licentiate thesis (11)
book chapter (10)
report (9)
research review (8)
other publication (6)
book (4)
proceedings (editorship) (2)
Type of content
peer-reviewed (262)
other academic/artistic (57)
popular science, debate, etc. (10)
Author/editor
Yngström, Louise (26)
Kowalski, Stewart (26)
Kävrestad, Joakim, 1 ... (23)
Nohlberg, Marcus, 19 ... (19)
Åhlfeldt, Rose-Mhari ... (13)
Bergström, Erik, 197 ... (12)
Magnusson, Lars, 195 ... (11)
Karlsson, Fredrik, 1 ... (10)
Johnson, Pontus (9)
Lundgren, Martin (8)
Åhlfeldt, Rose-Mhari ... (8)
Torra, Vicenç (7)
Fischer-Hübner, Simo ... (7)
Brodin, Martin (7)
Abbas, Haider (6)
Magnusson, Christer (6)
Hemani, Ahmed (6)
Sandkuhl, Kurt, 1963 ... (6)
Gao, Shang, 1982- (6)
Johansson, Erik (5)
Ericson, Åsa (5)
Jonathan, Gideon Mek ... (5)
Sabelfeld, Andrei, 1 ... (5)
Boldt, Martin (5)
Russo, Alejandro, 19 ... (5)
Hedström, Karin, 196 ... (5)
Nohlberg, Marcus (4)
Karlsson, Martin, 19 ... (4)
Söderström, Eva (4)
Al Sabbagh, Bilal (4)
Ekstedt, Mathias (4)
Lagerström, Robert (4)
Vyatkin, Valeriy (3)
Popov, Oliver (3)
Birgisson, Arnar, 19 ... (3)
Åström, Joachim, 197 ... (3)
Rose, Jeremy (3)
Fischer-Hübner, Simo ... (3)
Jönsson, Arne, 1955- (3)
Alawadi, Sadi, 1983- (3)
Zuccato, Albin (3)
Islam, M. Sirajul, 1 ... (3)
Awaysheh, Feras M. (3)
Ingemarsson, Ingemar (3)
Pilemalm, Sofie (3)
Hallberg, Jonas (3)
Furnell, Steven (3)
Lv, Z. (3)
Barabanov, Rostyslav (3)
Cegrell, Torsten (3)
University
Högskolan i Skövde (69)
Stockholms universitet (55)
Jönköping University (44)
Kungliga Tekniska Högskolan (41)
Örebro universitet (35)
Luleå tekniska universitet (23)
Linnéuniversitetet (23)
Karlstads universitet (20)
Linköpings universitet (18)
Blekinge Tekniska Högskola (17)
Chalmers tekniska högskola (16)
Uppsala universitet (12)
Lunds universitet (8)
Mittuniversitetet (7)
RISE (7)
Göteborgs universitet (5)
Mälardalens universitet (3)
Försvarshögskolan (3)
Högskolan i Halmstad (2)
Malmö universitet (2)
Högskolan Kristianstad (1)
Umeå universitet (1)
Högskolan Väst (1)
Högskolan Dalarna (1)
VTI - Statens väg- och transportforskningsinstitut (1)
Language
English (321)
Swedish (8)
Research subject (UKÄ/SCB)
Social Sciences (32)
Engineering and Technology (26)
Medical and Health Sciences (1)
