| 1. |
- Bergström, Erik, 1976-
(författare)
-
Supporting Information Security Management : Developing a Method for Information Classification
- 2020
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.
|
|
| 2. |
- Åhlfeldt, Rose-Mharie
(författare)
-
Information Security in Home Healthcare : A Case Study
- 2002
-
Ingår i: Conference Proceedings of AiCE2002, Sydney, September 30th, 2002: Third Australian Institute of Computer Ethics Conference. - Geelong : School of Information Technology, Deakin University. - 0730025608 ; , s. 6-15
-
Konferensbidrag (refereegranskat)
|
|
| 3. |
- Brodin, Martin
(författare)
-
Managing information security for mobile devices in small and medium-sized enterprises : Information management, Information security management, mobile device
- 2020
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- The rapid proliferation of mobile devices makes mobile security a weak point in many organisations’ security management. Though there are a number of frameworks and methods available for improving security management, few of these target mobile devices, and most are designed for large organisations. Small and medium size organisations are known to be vulnerable to mobile threats, and often subject to the same legal requirements as larger organisations. However, they typically lack the resources and specialist competences necessary to use the available frameworks.This thesis describes an Action Design Research project to devise and test a low cost, low learning curve method for improving mobile security management. The project is conducted together with a small Swedish consulting company and evaluated in several other companies. In order to solve the challenge that SMEs faces; three objectives have been set:1. Identify existing solutions at a strategic level to managing information that is accessible with mobile devices and their suitability for SMEs.2. Develop a framework to support SMEs to manage information in a secure way on mobile devices.3. Evaluate the framework in practice.The results show that simple theoretical models can be integrated with well-known analysis techniques to inform managers and provide practical help for small companies to improve mobile security practice. The most important contribution to both science and practice is a structured approach for managers to deal with mobile devices, or for that matter other technology advances that do not fit into the existing management system. The journey to the final solution also produced several smaller contributions to science, for example insights from C-suites about strategies and work with mobile devices, differences and similarities between CYOD (choose your own device) and BYOD (bring your own device), the role of security policies in organisations, and twelve identified management issues with mobile devices.
|
|
| 4. |
- Åhlfeldt, Rose-Mharie, 1960-, et al.
(författare)
-
Current Situation Analysis of Information Security Level in Municipalities
- 2018
-
Ingår i: Journal of Information System Security. - : The Information Institute. - 1551-0123 .- 1551-0808. ; 14:1, s. 3-19
-
Tidskriftsartikel (refereegranskat)abstract
- Municipalities manage a significant part of society's services, and hence they also handle a vast amount of information. A municipality's activities include managing a significant part of society's services, and municipalities’ supply and management of information are, therefore, critical for society in general, and also for achieving the municipalities’ own operational goals. However, research shows weaknesses in the municipalities' work on information security, and there is a need to study and identify the current level of security.This paper presents the result from a GAP analysis mapping the current situation of Swedish municipalities' for systematic information security work, based on the demands made on municipalities from both research and social perspectives. The result shows that the information security level regarding the systematic security work is generally low, and that there is a need to implement adapted tools for Information Security Management Systems in order to support municipalities.
|
|
| 5. |
- Åhlfeldt, Rose-Mharie, et al.
(författare)
-
Information Security Problems and Needs in Healthcare : A Case Study of Norway and Finland vs Sweden
- 2008
-
Ingår i: Enterprise Interoperability III. - London : Springer. - 9781848002203 - 9781848002210 ; , s. 41-53
-
Konferensbidrag (övrigt vetenskapligt/konstnärligt)abstract
- In healthcare, the right information at the right time is a necessity in order to provide the best possible care for a patient. Patient information must also be protected from unauthorized access in order to protect patient privacy. It is also common for patients to visit more than one healthcare provider, which implies the need for crossborder healthcare and a focus on the patient process. Countries work differently with these issues. This paper is focused on three Scandinavian countries, Norway, Sweden and Finland, and their information security problems and needs in healthcare. Data was collected via case studies, and the results were compared to show both similarities and differences between these countries. Similarities include the too wide availability of patient information, an obvious need for risk analysis, and a tendency to focus more on patient safety than on patient privacy. Patients being involved in their own care, and the approach of exchanging patient information are examples of differences.
|
|
| 6. |
- Åhlfeldt, Rose-Mharie
(författare)
-
Information Security in Distributed Healthcare : Exploring the Needs for Achieving Patient Safety and Patient Privacy
- 2008
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- In healthcare, patient information is a critical factor. The right information at the right time is a necessity in order to provide the best possible care for a patient. Patient information must also be protected from unauthorized access in order to protect patient privacy. It is furthermore common for patients to visit more than one healthcare provider, which implies a need for cross border healthcare and continuity in the patient process.This thesis is focused on information security in healthcare when patient information has to be managed and communicated between various healthcare actors and organizations. The work takes a practical approach with a set of investigations from different perspectives and with different professionals involved. Problems and needs have been identified, and a set of guidelines and recommendations has been suggested and developed in order to improve patient safety as well as patient privacy.The results show that a comprehensive view of the entire area concerning patient information management between different healthcare actors is missing. Healthcare, as well as patient processes, have to be analyzed in order to gather knowledge needed for secure patient information management.Furthermore, the results clearly show that there are deficiencies both at the technical and the administrative level of security in all investigated healthcare organizations.The main contribution areas are: an increased understanding of information security by elaborating on the administrative part of information security, the identification of information security problems and needs in cross border healthcare, and a set of guidelines and recommendations in order to advance information security measures in healthcare.
|
|
| 7. |
- Åhlfeldt, Rose-Mharie
(författare)
-
Information Security Issues in Healthcare : An Experience Report
- 2005
-
Ingår i: BIR 2005. - Skövde : Skövde University. - 9163175215 - 9789163175213 ; , s. 127-138
-
Konferensbidrag (refereegranskat)abstract
- Healthcare institutions, like other organizations and governments, have progressed from manual to computerized information management during the past decades. However, Swedish healthcare is characterized by a slowness in implementing digitalization, especially electronic healthcare record (EHR). The implementation of IT in healthcare has been tardy for a number of reasons. The security problem, especially with regard to the management of patient information, is one such cause. This paper includes an experience report concerning the security level of different healthcare providers in the Swedish healthcare sector. A number of investigations have been conducted in the Western region of Sweden: The results demonstrate security variances in information security as well as common deficiencies both at the technical and administrative levels. The authentication technique and the users’ lack of security awareness and education are the main weaknesses.
|
|
| 8. |
- Åhlfeldt, Rose-Mharie
(författare)
-
Information Security Issues in Healthcare : an Experience Report
- 2006
-
Ingår i: Knowledge in organizations 1. - : Högskolan i Skövde. ; , s. 147-158
-
Bokkapitel (övrigt vetenskapligt/konstnärligt)abstract
- This paper presents a method based on process manager technology for making all actors (humans or information systems) involved in healthcare processes to communicate along these processes. The method utilizes straightforward and yet executable process diagrams. Furthermore, the paper suggests a number of additional features to the method that may cater for the representation of security and quality requirements, as well as enhanced efficiency of the healthcare processes.
|
|
| 9. |
- Åhlfeldt, Rose-Mharie, et al.
(författare)
-
Patient Safety and Patient Privacy in Information Security from the Patient's view : A case study
- 2010
-
Ingår i: Journal of Information System Security. - : The Information Institute. - 1551-0123 .- 1551-0808. ; 6:4, s. 71-85
-
Tidskriftsartikel (refereegranskat)abstract
- The patient is the most important actor in healthcare and it is an obligation for healthcare to operate so that it fulfils the requirements of good care, i.e. provide patients with both patient safety and patient privacy. Furthermore, patients visit more than one healthcare provider, which implies the need for cross-border healthcare and a focus on the patient process. In order to manage sensitive patient information, IT solutions are required and the need of information security in healthcare is obvious. This paper presents the results from a case study in Swedish healthcare aiming to identify problems and needs concerning patient safety and patient privacy from a patient view. We also present how patient safety and patient privacy relate to the information security area, and emphasize the patient's view on these issues when the transfer of patient information between different healthcare providers becomes more common in the future. The results show that patients focus more on patient safety than on patient privacy, and that their role in their own process must be highlighted.
|
|
| 10. |
- Åhlfeldt, Rose-Mharie, 1960-, et al.
(författare)
-
Current Situation Analysis of Information Security Level in Municipalities
- 2018
-
Ingår i: Proceedings of the Annual Information Institute Conference. - : The Information Institute. - 9781935160199
-
Konferensbidrag (refereegranskat)abstract
- Municipalities manage a significant part of society's services, and hence also handle a vast amount of information. A municipality's activities include managing a significant part of society's services, and the municipality's supply and management of information are, therefore, critical for society in general, but also for achieving the municipality's own operational goals. However, investigations show weaknesses in the municipalities' work on information security, and there is a need to study and identify the current level of security. This paper presents the result from a GAP analysis mapping the Swedish municipalities current situation for systematic information security work, based on the demands made on municipalities from both research and social perspectives. The result shows that the information security level regarding systematic security work is generally low and that there is a need for adapted tools for Information Security Management Systems in order to support municipalities.
|
|
