SwePub

Hit list for search ""information security" ;lar1:(his)"


  • Results 1-10 of 92
1.
  • Bergström, Erik, 1976- (author)
  • Supporting Information Security Management : Developing a Method for Information Classification
  • 2020
  • Doctoral thesis (other academic/artistic)
    • In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800. However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled. This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.
2.
  • Lundgren, Martin, et al. (author)
  • Security-related stress : A perspective on information security risk management
  • 2019
  • In: 2019 International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2019. - : IEEE. - 9781728102290 - 9781728102306
  • Conference paper (peer-reviewed)
    • In this study, the enactment of information security risk management by novice practitioners is studied by applying an analytical lens of security-related stress. Two organisations were targeted in the study using a case study approach to obtain data about their practices. The study identifies stressors and stress inhibitors in the ISRM process and the supporting ISRM tools and discusses the implications for practitioners. For example, a mismatch between security standards and how they are interpreted in practice has been identified. This mismatch was further found to be strengthened by the design of the used ISRM tools. Those design shortcomings hamper agility since they may enforce a specific workflow or may restrict documentation. The study concludes that security-related stress can provide additional insight into security-novice practitioners' ISRM challenges.
3.
  • Kävrestad, Joakim, 1989-, et al. (author)
  • ContextBased MicroTraining : A Framework for Information Security Training
  • 2020
  • In: Human Aspects of Information Security and Assurance. - Cham : Springer. - 9783030574031 - 9783030574048 ; pp. 71-81
  • Conference paper (peer-reviewed)
    • This paper addresses the emergent need for training measures designed to improve user behavior in regards to security. We do this by proposing a framework for information security training that has been developed for several years and over several projects. The result is the framework ContextBased MicroTraining (CBMT) which provides goals and guidelines for how to better implement information security training that supports the user in the situation where the user needs support. CBMT has been developed and tested for use in higher education as well as for the support of users during passwords creation. This paper presents version 1.0 of the framework with the latest refinements.
4.
  • Åhlfeldt, Rose-Mharie (author)
  • Information Security in Home Healthcare : A Case Study
  • 2002
  • In: Conference Proceedings of AiCE2002, Sydney, September 30th, 2002: Third Australian Institute of Computer Ethics Conference. - Geelong : School of Information Technology, Deakin University. - 0730025608 ; pp. 6-15
  • Conference paper (peer-reviewed)
5.
  • Brodin, Martin (author)
  • Managing information security for mobile devices in small and medium-sized enterprises : Information management, Information security management, mobile device
  • 2020
  • Doctoral thesis (other academic/artistic)
    • The rapid proliferation of mobile devices makes mobile security a weak point in many organisations’ security management. Though there are a number of frameworks and methods available for improving security management, few of these target mobile devices, and most are designed for large organisations. Small and medium size organisations are known to be vulnerable to mobile threats, and often subject to the same legal requirements as larger organisations. However, they typically lack the resources and specialist competences necessary to use the available frameworks. This thesis describes an Action Design Research project to devise and test a low cost, low learning curve method for improving mobile security management. The project is conducted together with a small Swedish consulting company and evaluated in several other companies. In order to solve the challenge that SMEs face, three objectives have been set: 1. Identify existing solutions at a strategic level to managing information that is accessible with mobile devices and their suitability for SMEs. 2. Develop a framework to support SMEs to manage information in a secure way on mobile devices. 3. Evaluate the framework in practice. The results show that simple theoretical models can be integrated with well-known analysis techniques to inform managers and provide practical help for small companies to improve mobile security practice. The most important contribution to both science and practice is a structured approach for managers to deal with mobile devices, or for that matter other technology advances that do not fit into the existing management system. The journey to the final solution also produced several smaller contributions to science, for example insights from C-suites about strategies and work with mobile devices, differences and similarities between CYOD (choose your own device) and BYOD (bring your own device), the role of security policies in organisations, and twelve identified management issues with mobile devices.
6.
  • Bergström, Erik, 1976-, et al. (author)
  • Stress Amongst Novice Information Security Risk Management Practitioners
  • 2019
  • In: International Journal on Cyber Situational Awareness. - : Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC). - 2057-2182 .- 2057-2182. ; 4:1, pp. 128-154
  • Journal article (peer-reviewed)
    • Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), and ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found with security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach, to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers’ decisions, and identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.
7.
  • Bergström, Erik, 1976-, et al. (author)
  • Revisiting information security risk management challenges : a practice perspective
  • 2019
  • In: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 27:3, pp. 358-372
  • Journal article (peer-reviewed)
    • Purpose – The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach – The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings – Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work. Research limitations/implications – The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications – The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value – Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches.
8.
  • Holgersson, Jesper, et al. (author)
  • Information security patterns for web services
  • 2006
  • In: Interoperability for enterprise software and applications. - London : ISTE. - 1905209614 - 9781905209613 ; pp. 133-144
  • Conference paper (peer-reviewed)
    • Web Services (WS), a currently popular subject among application developers, IT architects, and researchers, can be defined as a technology for publishing, identifying and calling services in a network of interacting computer nodes. The purpose of this paper is to illustrate the benefits of using patterns as a means of managing knowledge concerning security in the context of Web Services. We draw upon experiences from an industrial project in which a pattern catalogue for Web Services was created. The pattern catalogue consists of 29 patterns, which are generic solutions for service-based development and service-oriented architectures. In particular, Web Services are in focus as the enabling technique.
9.
  • Åhlfeldt, Rose-Mharie, 1960-, et al. (author)
  • Current Situation Analysis of Information Security Level in Municipalities
  • 2018
  • In: Journal of Information System Security. - : The Information Institute. - 1551-0123 .- 1551-0808. ; 14:1, pp. 3-19
  • Journal article (peer-reviewed)
    • Municipalities manage a significant part of society's services, and hence they also handle a vast amount of information. A municipality's activities include managing a significant part of society's services, and municipalities’ supply and management of information are, therefore, critical for society in general, and also for achieving the municipalities’ own operational goals. However, research shows weaknesses in the municipalities' work on information security, and there is a need to study and identify the current level of security. This paper presents the result from a GAP analysis mapping the current situation of Swedish municipalities for systematic information security work, based on the demands made on municipalities from both research and social perspectives. The result shows that the information security level regarding the systematic security work is generally low, and that there is a need to implement adapted tools for Information Security Management Systems in order to support municipalities.
10.
  • Lundgren, Martin (author)
  • Rethinking capabilities in information security risk management : a systematic literature review
  • 2020
  • In: International Journal of Risk Assessment and Management. - : InderScience Publishers. - 1466-8297 .- 1741-5241. ; 23:2, pp. 169-190
  • Research review (peer-reviewed)
    • Information security risk management capabilities have predominantly focused on instrumental onsets, while largely ignoring the underlying intentions and knowledge these management practices entail. This article aims to study what capabilities are embedded in information security risk management. A theoretical framework is proposed, namely rethinking capability as the alignment between intent and knowing. The framework is situated around four general risk management practices. A systematic literature review utilising the framework was conducted, resulting in the identification of eight identified capabilities. These capabilities were grouped into respective practices: integrating various perspectives and values to reach a risk perception aligned with the intended outcome (identify); adapting to varying perspectives of risks and prioritising them in accordance with the intended outcome (prioritise); security controls to enable resources, and integrate/reconfigure beliefs held by various stakeholders (implement); and sustaining the integrated resources and competences held by stakeholders to continue the alignment with the intended outcome (monitor).