| 1. |
- Berndtsson, Joakim, 1975, et al.
(author)
-
Value conflicts and non-compliance: Attitudes to whistleblowing in Swedish organisations
- 2018
-
In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961 .- 2056-497X. ; 26:2, s. 246-258
-
Journal article (peer-reviewed)abstract
- © 2018, Emerald Publishing Limited. Purpose: The purpose of the study is to explore potential value conflicts between information security work and whistleblowing activities by analysing attitudes to whistleblowing among white-collar workers in Swedish organisations. Design/methodology/approach: The study is conducted using survey data among (n = 674) Swedish white-collar workers. Statistical analyses are conducted to explore variations in acceptance of whistleblowing and analyse the relationship between acceptance for whistleblowing and information security attitudes and behaviours. Findings: The study finds strong support for whistleblowing in both public and private spheres, and by both private and public sector employees. The study also finds stronger acceptance for intra-organisational whistleblowing, while support for external whistleblowing is low. Finally, the study shows that the whistleblowing activities might be perceived as coming in conflict with information security work, even as the support for including whistleblowing functions in information security practices is high. Research limitations/implications: With a focus on one country, the study is limited in terms of empirical scope. It is also limited by a relatively small number of respondents and survey items relating to whistleblowing, which in turn affects its explanatory value. However, the study does provide unique new insight into a specific form of “non-compliance”, i.e. whistleblowing, which merits further investigation. Originality/value: Few studies exist that combine insights from the fields of whistleblowing and information security research. Thus, this study provides a basis for further investigation into attitudes and behaviours linked to whistleblowing in public and private organisations, as well as attendant value conflicts related to information security management and practice.
|
|
| 2. |
- Gyllensten, Kristina, 1977, et al.
(author)
-
Value conflicts and information security – a mixed-methods study in high-risk industry
- 2022
-
In: Information and Computer Security. - 2056-4961 .- 2056-497X. ; 30:3, s. 346-363
-
Journal article (peer-reviewed)abstract
- Purpose: The purpose of this study is to investigate the influence of work-related value conflicts on information security in two organisations in nuclear power production and related industry. Design/methodology/approach: A mixed-methods design was applied. Individual interviews were conducted with 24 employees of two organisations in Sweden and questionnaire data on information security climate were collected from 667 employees (62%) in the same two organisations. Findings: The qualitative part of the study identified five different types of value conflicts influencing information security behaviour. The quantitative part of the study found that value conflicts relating to information security had a negative relationship with rule-compliant behaviour. The opposite was found for participative security behaviour where there was a positive relationship with value conflicts. A high climate of information security was positively related to both rule-compliant and participative information security behaviour. It also moderated the effect of value conflicts on compliant information security behaviour. Originality/value: This paper highlights organisational contextual conditions that influence employees’ motivation and ability to manage value conflicts relating to information security in a high-risk industry. It also enables a better understanding of the influence of the information security climate on information security in the presence of value conflicts in this type of industry.
|
|
| 3. |
- Karlsson, Fredrik, et al.
(author)
-
Guest editorial
- 2018
-
In: Information and Computer Security. - 2056-4961 .- 2056-497X. ; 26, s. 146-149
-
Journal article (other academic/artistic)
|
|
| 4. |
- Andersson, Simon
(author)
-
Problems in information classification: insights from practice
- 2023
-
In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 31:4, s. 449-462
-
Journal article (peer-reviewed)abstract
- PurposeThis study aims to identify problems connected to information classification in theory and to put those problems into the context of experiences from practice.Design/methodology/approachFive themes describing problems are discussed in an empirical study, having informants represented from both a public and a private sector organization.FindingsThe reasons for problems to occur in information classification are exemplified by the informants’ experiences. The study concludes with directions for future research.Originality/valueInformation classification sustains the basics of security measures. The human–organizational challenges are evident in the activities but have received little attention in research.
|
|
| 5. |
- Bahsi, Hayretdin, et al.
(author)
-
The cyber-insurance market in Norway
- 2019
-
In: Information and Computer Security. - Bingley, West Yorkshire, England, UK : Emerald Group Publishing Limited. - 2056-4961. ; 28:1, s. 54-67
-
Journal article (peer-reviewed)abstract
- PurposeThis paper aims to describe the cyber-insurance market in Norway but offers conclusions that are interesting to a wider audience.Design/methodology/approachThe study is based on semi-structured interviews with supply-side actors: six general insurance companies, one marine insurance company and two insurance intermediaries.FindingsThe Norwegian cyber-insurance market supply-side has grown significantly in the past two years. The General Data Protection Regulation (GDPR) is found to have had a modest effect on the market so far but has been used by the supply-side as an icebreaker to discuss cyber-insurance with customers. The NIS Directive has had little or no impact on the Norwegian cyber-insurance market until now. Informants also indicate that Norway is still the least mature of the four Nordic markets.Practical implicationsSome policy lessons for different stakeholders are identified.Originality/valueEmpirical investigation of cyber-insurance is still rare, and the paper offers original insights on market composition and actor motivations, ambiguity of coverage, the NIS Directive and GDPR.
|
|
| 6. |
- Bergquist, Jan-Halvard, et al.
(author)
-
An information classification model for public sector organizations in Sweden : a case study of a Swedish municipality
- 2022
-
In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 30:2, s. 153-172
-
Journal article (peer-reviewed)abstract
- Purpose: The purpose of this study is to create an information classification model that is tailored to suit the specific needs of public sector organizations in Sweden.Design/methodology/approach: To address the purpose of this research, a case study in a Swedish municipality was conducted. Data was collected through a mixture of techniques such as literature, document and website review. Empirical data was collected through interviews with 11 employees working within 7 different sections of the municipality.Findings: This study resulted in an information classification model that is tailored to the specific needs of Swedish municipalities. In addition, a set of steps for tailoring an information classification model to suit a specific public organization are recommended. The findings also indicate that for a successful information classification it is necessary to educate the employees about the basics of information security and classification and create an understandable and unified information security language.Practical implications: This study also highlights that to have a tailored information classification model, it is imperative to understand the value of information and what kind of consequences a violation of established information security principles could have through the perspectives of the employees.Originality/value: It is the first of its kind in tailoring an information classification model to the specific needs of a Swedish municipality. The model provided by this study can be used as a tool to facilitate a common ground for classifying information within all Swedish municipalities, thereby contributing the first step toward a Swedish municipal model for information classification.
|
|
| 7. |
- Bergström, Erik, 1976-, et al.
(author)
-
Developing an information classification method
- 2021
-
In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 29:2, s. 209-239
-
Journal article (peer-reviewed)abstract
- Purpose: The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified. Design/methodology/approach: The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019. Findings: The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation. Research limitations/implications: Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement. Practical implications: The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour. Originality/value: The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.
|
|
| 8. |
- Bergström, Erik, 1976-, et al.
(author)
-
Revisiting information security risk management challenges : a practice perspective
- 2019
-
In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 27:3, s. 358-372
-
Journal article (peer-reviewed)abstract
- Purpose – The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices.Design/methodology/approach – The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel.Findings – Managerial and organisational concerns that go beyond a technical perspective have been . found, which affect the ongoing social build-up of knowledge in everyday information security work.Research limitations/implications – The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work.Practical implications – The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs.Originality/value – Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches.
|
|
| 9. |
- Faizi, Ana, et al.
(author)
-
From rationale to lessons learned in the cloud information security risk assessment : a study of organizations in Sweden
- 2022
-
In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 30:2, s. 190-205
-
Journal article (peer-reviewed)abstract
- Purpose:This study aims to address the issue of practicing information security risk assessment (ISRA) on cloud solutions by studying municipalities and large organizations in Sweden.Design/methodology/approach:Four large organizations and five municipalities that use cloud services and conduct ISRA to adhere to their information security risk management practices were studied. Data were gathered qualitatively to answer the study’s research question: How is ISRA practiced on the cloud? The Coat Hanger model was used as a theoretical lens to study and theorize the practices.Findings:The results showed that the organizations aimed to follow the guidelines, in the form of frameworks or their own experience, to conduct ISRA; furthermore, the frameworks were altered to fit the organizations’ needs. The results further indicated that one of the main concerns with the cloud ISRA was the absence of a culture that integrates risk management. Finally, the findings also stressed the importance of a good understanding and a well-written legal contract between the cloud providers and the organizations using the cloud services.Originality/value:As opposed to the previous research, which was more inclined to try out and evaluate various cloud ISRA, the study provides insights into the practice of cloud ISRA experienced by the organizations. This study represents the first attempt to investigate cloud ISRA that organizations practice in managing their information security.
|
|
| 10. |
- Framner, Erik, et al.
(author)
-
Making secret sharing based cloud storage usable
- 2019
-
In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 27:5, s. 647-667
-
Journal article (peer-reviewed)abstract
- The purpose of this paper is to develop a usable configuration management for Archistar, whichutilizes secret sharing for redundantly storing data over multiple independent storage clouds in a secure andprivacy-friendly manner. Selecting the optimal secret sharing parameters, cloud storage servers and othersettings for securely storing the secret data shares, while meeting all of end user’s requirements and otherrestrictions, is a complex task. In particular, complex trade-offs between different protection goals and legalprivacy requirements need to be made.
|
|
