SwePub
Search results for the query: "information security" ;conttype:(scientificother)

  • Results 1-10 of 112
1.
  • Bergström, Erik, 1976- (author)
  • Supporting Information Security Management : Developing a Method for Information Classification
  • 2020
  • Doctoral thesis (other academic/artistic)
  • Abstract: In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800. However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled. This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis: (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.
2.
  • Rocha Flores, Waldo (author)
  • Shaping information security behaviors related to social engineering attacks
  • 2016
  • Doctoral thesis (other academic/artistic)
  • Abstract: Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies' dependency on IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees' existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and their multilevel determinants, (ii) identification of multilevel variables that significantly influence employees' intent for behavior change, (iii) identification of the behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Papers 2 and 3 describe how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees' intention to change their behaviors and resist social engineering is described. Papers 5 and 8 describe how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Papers 6 and 7 describe experiments performed to understand the reasons why employees fall for social engineering. Finally, Papers 2, 5 and 6 examine the moderating effect of national culture.
3.
  • Björck, Fredrik, 1972- (author)
  • Discovering Information Security Management
  • 2005
  • Doctoral thesis (other academic/artistic)
  • Abstract: This thesis is concerned with issues relating to the management of information security in organisations, motivated by the need for cost-efficient information security. It is based on the assumption that, in order to achieve cost-efficient information security, the point of departure must be knowledge about the empirical reality in which the management of information security takes place. The data gathering instruments employed are questionnaires with open-ended questions and unstructured research interviews. The empirical material is analysed, and conclusions are drawn following the principles of Grounded Theory. Data sources are professionals in the area of information security management, including information security consultants (n=13), certification auditors (n=8), and information security managers (n=8). The main contributions are: an integrated model illustrating the experts' perceptions concerning the objectives, actors, resources, threats, and countermeasures of information security management; a framework for the evaluation, formation, and implementation of information security management systems; a new approach for the evaluation of information security in organisations; a set of success factors concerning the formation of information security management systems; and a problem inventory concerning the value and assessment of information security education and training.
4.
  • Rostami, Elham, 1983- (author)
  • Tailoring information security policies : a computerized tool and a design theory
  • 2023
  • Doctoral thesis (other academic/artistic)
  • Abstract: Protecting information assets in organizations is a must, and one way of doing so is to develop an information security policy (ISP) to direct employees' behavior and define acceptable procedures that employees have to comply with on a daily basis. However, compliance with the ISP is a perennial problem. Non-compliance with ISPs is related to at least two factors: 1) employees' behavior, and 2) the design of ISPs. Although much attention has been given to understanding and changing employees' behavior, designing ISPs that are easy to follow has received less attention. Existing research has suggested designing such ISPs using a tailoring approach where the ISP is designed in several versions that fulfill the needs of different target groups of employees. At the same time, tailoring means increased design complexity for information security managers as the designers of ISPs, where a computerized tool can aid. Thus, the aim of this thesis is to develop a computerized tool to support information security managers' tailoring of ISPs and the design principles that such a tool can be based on. To this end, a design science research approach was employed. Using the knowledge from the Situational Method Engineering field as the kernel theory for the design science research project, a set of design principles and a conceptual model were developed in terms of a Unified Modeling Language class diagram. Subsequently, web-based software (POLCO) was developed based on the proposed conceptual model to support information security managers in designing tailored ISPs. The conceptual model and POLCO were developed, demonstrated, and evaluated as a proof-of-concept in three DSR cycles. The thesis contributes to research and practice by proposing the design principles and the conceptual model that can be considered as: 1) a new theory on how to design ISPs, 2) a way to develop software to assist information security managers in designing tailored ISPs. Meanwhile, POLCO as an artifactual contribution can be considered as a starting point for researchers to do studies in the ISP design area.
5.
  • Lundgren, Björn, 1984- (author)
  • Semantic Information and Information Security : Definitional Issues
  • 2016
  • Licentiate thesis (other academic/artistic)
  • Abstract: This licentiate thesis consists of two separate research papers which concern two tangential topics – that of semantic information and that of information security. Both topics are approached by similar methods, i.e. with a concern about conceptual and definitional issues. In Paper I – concerning the concept of information, and a semantic conception thereof – the conceptual, and definitional, issues focus on one property, that of truthfulness. It is argued – against the veridicality thesis – that semantic information need not be truthful. In Paper II – concerning information security – it is argued that the current leading definitions (so-called 'CIA' definitions, which define information as secure if, and only if, the properties of confidentiality, integrity, and availability are retained) suffer from both actual and possible counter-examples, and lack an appropriate conceptual sense. On the basis of this criticism a new kind of definition is proposed and argued for.
6.
  • Lundgren, Björn, 1984- (author)
  • Information, Security, Privacy, and Anonymity : Definitional and Conceptual Issues
  • 2018
  • Doctoral thesis (other academic/artistic)
  • Abstract: This doctoral thesis consists of five research papers that address four tangential topics, all of which are relevant for the challenges we are facing in our socio-technical society: information, security, privacy, and anonymity. All topics are approached by similar methods, i.e. with a concern about conceptual and definitional issues. In Paper I—concerning the concept of information and a semantic conception thereof—it is argued that the veridicality thesis (i.e. that information must be true or truthful) is false. In Paper II—concerning information security—it is argued that the current leading definitions suffer from counter-examples, and lack an appropriate conceptual sense. Based on this criticism a new kind of definition is proposed and defended. In Paper III—concerning control definitions of privacy—it is argued that any sensible control-definition of privacy must properly recognize the context as part of the defining criteria. In Paper IV—concerning the concept of privacy—it is argued that privacy is a normative concept and that it is constituted by our social relations. Finally, in Paper V—concerning anonymity—it is argued that the threat from deanonymization technology goes beyond harm to anonymity. It is argued that a person who is never deanonymized can still be harmed, and that what is at stake is the ability to be anonymous.
7.
  • Brodin, Martin (author)
  • Managing information security for mobile devices in small and medium-sized enterprises : Information management, Information security management, mobile device
  • 2020
  • Doctoral thesis (other academic/artistic)
  • Abstract: The rapid proliferation of mobile devices makes mobile security a weak point in many organisations' security management. Though there are a number of frameworks and methods available for improving security management, few of these target mobile devices, and most are designed for large organisations. Small and medium-sized organisations are known to be vulnerable to mobile threats, and are often subject to the same legal requirements as larger organisations. However, they typically lack the resources and specialist competences necessary to use the available frameworks. This thesis describes an Action Design Research project to devise and test a low-cost, low-learning-curve method for improving mobile security management. The project is conducted together with a small Swedish consulting company and evaluated in several other companies. In order to solve the challenge that SMEs face, three objectives have been set:
    1. Identify existing solutions at a strategic level to managing information that is accessible with mobile devices and their suitability for SMEs.
    2. Develop a framework to support SMEs to manage information in a secure way on mobile devices.
    3. Evaluate the framework in practice.
    The results show that simple theoretical models can be integrated with well-known analysis techniques to inform managers and provide practical help for small companies to improve mobile security practice. The most important contribution to both science and practice is a structured approach for managers to deal with mobile devices, or for that matter other technology advances that do not fit into the existing management system. The journey to the final solution also produced several smaller contributions to science, for example insights from C-suites about strategies and work with mobile devices, differences and similarities between CYOD (choose your own device) and BYOD (bring your own device), the role of security policies in organisations, and twelve identified management issues with mobile devices.
8.
  • Johansson, Erik, 1967- (author)
  • Assessment of Enterprise Information Security : How to make it Credible and Efficient
  • 2005
  • Doctoral thesis (other academic/artistic)
  • Abstract: Information is an important business asset in today's enterprises. Hence enterprise information security is an important system quality that must be carefully managed. Although enterprise information security is acknowledged as one of the most central areas for enterprise IT management, the topic still lacks adequate support for decision making at top-management level. This composite thesis consists of four articles which present the Enterprise Information Security Assessment Method (EISAM), a comprehensive method for assessing the current state of enterprise information security. The method is useful in helping guide top-management's decision-making for the following reasons: 1) it is easy to understand, 2) it is prescriptive, 3) it is credible, and 4) it is efficient. The assessment result is easy to understand because it presents a quantitative estimate. The result can be presented as an aggregated single value, abstracting the details of the assessment. The result is easy to grasp and enables comparisons both within the organization and in terms of industry in general. The method is prescriptive since it delivers concrete and traceable measurements. This helps guide top-level management in their decisions regarding enterprise-wide information security by highlighting the areas where improvement efforts are essential. It is credible for two reasons. Firstly, the method presents an explicit and transparent definition of enterprise information security. Secondly, the method in itself includes an indication of assessment uncertainty, expressed in terms of confidence levels. The method is efficient because it focuses on important enterprise information security aspects, and because it takes into account how difficult it is to find security-related evidence. Being resource sparse, it enables assessments to take place regularly, which gives valuable knowledge for long-term decision-making. The usefulness of the presented method, along with its development, has been verified through empirical studies at a leading electric power company in Europe and through statistical surveys carried out among information security experts in Sweden. The success from this research should encourage further researchers in using these analysis techniques to guide decisions on other enterprise architecture attributes.
9.
  • Kolkowska, Ella, et al. (author)
  • Analyzing information security goals
  • 2012
  • In: Threats, countermeasures and advances in applied information security. IGI Global. ISBN 9781466609785, pp. 91-110
  • Book chapter (other academic/artistic)
  • Abstract: "This book addresses the fact that managing an information security program while effectively managing risks has never been so critical, discussing issues such as emerging threats and countermeasures for effective management of information security in organizations" -- Provided by publisher.
10.
  • Åhlfeldt, Rose-Mharie, et al. (author)
  • Information Security Problems and Needs in Healthcare : A Case Study of Norway and Finland vs Sweden
  • 2008
  • In: Enterprise Interoperability III. London: Springer. ISBN 9781848002203, 9781848002210, pp. 41-53
  • Conference paper (other academic/artistic)
  • Abstract: In healthcare, the right information at the right time is a necessity in order to provide the best possible care for a patient. Patient information must also be protected from unauthorized access in order to protect patient privacy. It is also common for patients to visit more than one healthcare provider, which implies the need for cross-border healthcare and a focus on the patient process. Countries work differently with these issues. This paper is focused on three Scandinavian countries, Norway, Sweden and Finland, and their information security problems and needs in healthcare. Data was collected via case studies, and the results were compared to show both similarities and differences between these countries. Similarities include the too wide availability of patient information, an obvious need for risk analysis, and a tendency to focus more on patient safety than on patient privacy. Patients being involved in their own care, and the approach to exchanging patient information, are examples of differences.
Publication type
Doctoral thesis (38)
Conference paper (20)
Licentiate thesis (17)
Report (12)
Book chapter (9)
Other publication (6)
Journal article (5)
Book (4)
Proceedings (editorship) (1)
Author/editor
Yngström, Louise (7)
Fischer-Hübner, Simo ... (3)
Kowalski, Stewart, P ... (3)
Furnell, Steven, Pro ... (3)
Nohlberg, Marcus (2)
Atif, Yacine, 1967- (2)
Söderström, Eva (2)
Wangler, Benkt, Prof ... (2)
Boldt, Martin (2)
Jönsson, Arne, 1955- (2)
Kowalski, Stewart (2)
Kävrestad, Joakim, 1 ... (2)
Karlsson, Fredrik (1)
Johansson, Erik (1)
Flammini, Francesco, ... (1)
Magnusson, Christer (1)
Abbas, Haider, 1979- (1)
Ahmed, Hemani, Profe ... (1)
T. Siponen, Mikko, P ... (1)
Popov, Oliver (1)
Ekenberg, Love (1)
Lambrix, Patrick, Pr ... (1)
Hansson, Sven Ove (1)
Révay, Péter (1)
Johansson, Peter, 19 ... (1)
Björkman, Mats (1)
Torra, Vicenç (1)
Birgisson, Arnar, 19 ... (1)
Jacobsson, Andreas (1)
Ericson, Åsa (1)
Rose, Jeremy (1)
Lindskog, Stefan, 19 ... (1)
Kitkowska, Agnieszka (1)
Tenhunen, Hannu (1)
Ahmadi Mehri, Vida (1)
Casalicchio, Emilian ... (1)
Arlos, Patrik, Dr. (1)
Axelsson, Stefan, Pr ... (1)
Johnson, Pontus (1)
Martucci, Leonardo (1)
Fischer-Hübner, Simo ... (1)
Zuccato, Albin (1)
Yngström, Louise, Pr ... (1)
Ekstedt, Mathias, Pr ... (1)
Vasilakos, Athanasio ... (1)
Fischer-Hübner, Simo ... (1)
Alarcon, Alvaro, 199 ... (1)
Xavier, Guilherme B. ... (1)
de Pádua, Sebastião, ... (1)
Wihlborg, Elin, Prof ... (1)
Higher education institution
Högskolan i Skövde (20)
Stockholms universitet (17)
Linköpings universitet (16)
Kungliga Tekniska Högskolan (15)
Luleå tekniska universitet (10)
Örebro universitet (8)
Blekinge Tekniska Högskola (8)
Jönköping University (7)
Linnéuniversitetet (6)
Karlstads universitet (6)
Chalmers tekniska högskola (5)
Göteborgs universitet (3)
Mälardalens universitet (3)
RISE (3)
Uppsala universitet (1)
Malmö universitet (1)
Handelshögskolan i Stockholm (1)
Mittuniversitetet (1)
Försvarshögskolan (1)
Karolinska Institutet (1)
VTI - Statens väg- och transportforskningsinstitut (1)
Language
English (101)
Swedish (10)
Italian (1)
Research subject (UKÄ/SCB)
Natural sciences (57)
Social sciences (26)
Engineering and technology (23)
Humanities (2)
Medical and health sciences (1)
