| 1. |
- Brodin, Martin, et al.
(författare)
-
Management issues for Bring Your Own Device
- 2015
-
Ingår i: Proceedings of 12th European, Mediterranean & Middle Eastern Conference on Information Systems 2015 (EMCIS2015). - : European, Mediterranean & Middle Eastern Conference on Information Systems (EMCIS). - 9789606897085
-
Konferensbidrag (refereegranskat)abstract
- Bring Your Own Device (BYOD) is an emerging research area focusing on the organisational adoption of (primarily mobile) devices used for both private and work purposes. There are many information security related problems concerning the use of BYOD and it should therefore be considered an issue of strategic importance for senior managers. This paper presents a systematic literature analysis using a BYOD strategic management framework to assess developing research trends. The analysis reveals early work in the analysis and design aspects of BYOD strategies, but a lack of research in operationalizing (planning, implementation and evaluating) strategy – the action phase. The resulting research agenda identifies twelve management issues for further research and four overall research directions that may stimulate future research.
|
|
| 2. |
- Brodin, Martin
(författare)
-
Managing information security for mobile devices in small and medium-sized enterprises : Information management, Information security management, mobile device
- 2020
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- The rapid proliferation of mobile devices makes mobile security a weak point in many organisations’ security management. Though there are a number of frameworks and methods available for improving security management, few of these target mobile devices, and most are designed for large organisations. Small and medium size organisations are known to be vulnerable to mobile threats, and often subject to the same legal requirements as larger organisations. However, they typically lack the resources and specialist competences necessary to use the available frameworks.This thesis describes an Action Design Research project to devise and test a low cost, low learning curve method for improving mobile security management. The project is conducted together with a small Swedish consulting company and evaluated in several other companies. In order to solve the challenge that SMEs faces; three objectives have been set:1. Identify existing solutions at a strategic level to managing information that is accessible with mobile devices and their suitability for SMEs.2. Develop a framework to support SMEs to manage information in a secure way on mobile devices.3. Evaluate the framework in practice.The results show that simple theoretical models can be integrated with well-known analysis techniques to inform managers and provide practical help for small companies to improve mobile security practice. The most important contribution to both science and practice is a structured approach for managers to deal with mobile devices, or for that matter other technology advances that do not fit into the existing management system. The journey to the final solution also produced several smaller contributions to science, for example insights from C-suites about strategies and work with mobile devices, differences and similarities between CYOD (choose your own device) and BYOD (bring your own device), the role of security policies in organisations, and twelve identified management issues with mobile devices.
|
|
| 3. |
- Brodin, Martin
(författare)
-
Mobile Device Strategy : A management framework for securing company information assets on mobile devices
- 2016
-
Licentiatavhandling (övrigt vetenskapligt/konstnärligt)abstract
- The problem addressed by this research is a demand for increased flexibility in access to organisational information, driven by the increasing popularity of mobile devices. Employees increasingly bring private devices to work (Bring Your Own Device, BYOD) or use work devices for private purposes (Choose Your Own Device, CYOD). This puts managers in a difficult position, since they want the benefits of mobility, without exposing organisational data to further risk. The research focuses on management (particularly information security management) issues in the design and implementation of strategies for mobile devices. There are two objectives. The first is to identify existing information security management strategies for mobile and dual-use devices. The second is to develop a framework for analysing, evaluating and implementing a mobile device strategy.The overall research strategy is inspired by Design Science; where the mission is to develop an artefact, in this case a framework, which will help to solve a practical problem. Methods include literature review, theoretical development, and the collection and analysis of qualitative data through interviews with executives. The main result of this work is the framework, which deals with the complete process, including analysis, design and implementation of a mobile device management strategy. It helps researchers to understand necessary steps in analysing phenomenon like BYOD and gives practitioners guidance in which analyses to conduct when working on strategies for mobile devices. The framework was developed primarily through theoretical work (with inspiration from the mobile security and strategic management literature, and the ISO/IEC 27000 standard), and evaluated and refined through the empirical studies. The results include twelve management issues, a research agenda, argumentation for CYOD and, guidance for researchers and practitioners.
|
|
| 4. |
- Amorim, Joni A., et al.
(författare)
-
Awareness and training : Identification of relevant security skills and competencies
- 2014
-
Ingår i: Engineering Education in a Technology-Dependent World. - Guimarães : INTERTECH. - 9788565992282 - 9788566680287 ; , s. 37-
-
Konferensbidrag (refereegranskat)abstract
- In order to identify needed skills and competencies for privacy and security, we propose a systematic process that maps privacy and security threats to related controls that are required to prevent, detect or remove such threats. This work suggests how to apply the process, while discussing how games and simulations can be used both to develop the desired behavior and to monitor the current competency level.
|
|
| 5. |
- Amorim, Joni A., et al.
(författare)
-
Privacy and Security in Cyberspace : Training Perspectives on the Personal Data Ecosystem
- 2013
-
Ingår i: European Intelligence and Security Informatics Conference (EISIC), Proceedings CD. - : IEEE conference proceedings. - 9780769550626 ; , s. 139-142
-
Konferensbidrag (refereegranskat)abstract
- There is a growing understanding that privacy is an essential component of security. In order to decrease the probability of having data breaches, the design of information systems, processes and architectures should incorporate considerations related to both privacy and security. This incorporation may benefit from the offering of appropriate training. In this way, this paper intends to discuss how to better offer training while considering new developments that involve both multimedia production and the “gamification” of training. The paper suggests the use in conjunction of two frameworks: the EduPMO Framework, useful for the management of large scale projects that may involve a consortium of organizations developing multimedia for the offering of training, and the Game Development Framework, useful for the identification of the main components of the serious game for training on privacy by design to be developed as part of the training offering.
|
|
| 6. |
|
|
| 7. |
- Bergström, Erik, 1976-, et al.
(författare)
-
Developing an information classification method
- 2021
-
Ingår i: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 29:2, s. 209-239
-
Tidskriftsartikel (refereegranskat)abstract
- Purpose: The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified. Design/methodology/approach: The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019. Findings: The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation. Research limitations/implications: Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement. Practical implications: The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour. Originality/value: The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.
|
|
| 8. |
- Bergström, Erik, 1976-, et al.
(författare)
-
Information Classification Enablers
- 2015
-
Ingår i: Foundations and Practice of Security. - Cham : Springer. - 9783319303024 - 9783319303031 ; , s. 268-276
-
Konferensbidrag (refereegranskat)abstract
- This paper presents a comprehensive systematic literature review of information classification (IC) enablers. We propose a classification based on the well-known levels of management: strategic, tactical and operational. The results reveal that a large number of enablers could be adopted to increase the applicability of IC in organizations. The results also indicate that there is not one single enabler solving the problem, but rather several enablers can influence the adoption.
|
|
| 9. |
- Bergström, Erik, 1976-, et al.
(författare)
-
Information Classification Issues
- 2014
-
Ingår i: Secure IT Systems. - Cham : Springer. - 9783319115986 - 9783319115993 ; , s. 27-41
-
Konferensbidrag (refereegranskat)abstract
- This paper presents an extensive systematic literature review with the aim of identifying and classifying issues in the information classification process. The classification selected uses human and organizational factors for grouping the identified issues. The results reveal that policy-related issues are most commonly described, but not necessarily the most crucial ones. Furthermore, gaps in the research field are identified in order to outline paths for further research.
|
|
| 10. |
- Bergström, Erik, 1976-, et al.
(författare)
-
Information Classification Policies : An Exploratory Investigation
- 2018
-
Ingår i: Proceedings of the Annual Information Institute Conference. - Washington, DC : Information Institute. - 9781935160199
-
Konferensbidrag (refereegranskat)abstract
- InfoSec policies are considered a key mechanism in information security, and most organizations have one. However, the large majority of security policy research has focused on what policies should include rather than how they are accomplished in practice. To contribute to overcoming the lack of knowledge regarding this crucial aspect, this paper investigates information security policies based on what underlying approaches information classification practices are built on and the perceived ease of turning the policy into practice. To do so, a survey was sent to 284 Swedish government agencies, and 80 of their internal policies were collected as data. The data were analyzed both qualitatively, and qualitatively. The results show that information classification adoption rates are low despite being mandatory and that agencies are struggling in closing the gap between standards and practice. Furthermore, the results also show that information classification policies need to be more specific and give more actionable advice regarding, e.g., how information life-cycle management is included in practice, and where the responsibility for classification is put in the organization.
|
|
