SwePub

Result list for search ""information security" ;lar1:(liu)"


  • Results 1-10 of 39
1.
  • Kolkowska, Ella, et al. (author)
  • Analyzing information security goals
  • 2012. - 1
  • In: Threats, countermeasures and advances in applied information security. - : IGI Global. - 9781466609785 ; , pp. 91-110
  • Book chapter (other academic/artistic)
    • "This book addresses the fact that managing information security program while effectively managing risks has never been so critical, discussing issues such as emerging threats and countermeasures for effective management of information security in organizations"--Provided by publisher.
2.
  • Herzog, Almut, et al. (author)
  • An ontology for information security
  • 2009. - 1
  • In: Techniques and applications for advanced information privacy and security. - : Information Science Reference. - 1605662100 ; , pp. 278-301
  • Book chapter (other academic/artistic)
    • Advances in technology are causing new privacy concerns as an increasing number of citizens are engaging in online activities. Techniques and Applications for Advanced Information Privacy and Security: Emerging Organizational, Ethical, and Human Issues provides a thorough understanding of issues and concerns in information technology security. An advanced reference source covering topics such as security management, privacy preservation, and authentication, this book outlines the field and provides a basic understanding of the most salient issues in privacy concerns for researchers and practitioners.
3.
  • Herzog, Almut, et al. (author)
  • An ontology of information security
  • 2007
  • In: International Journal of Information Security and Privacy. - : IGI Global. - 1930-1650 .- 1930-1669. ; 1:4, pp. 1-23
  • Journal article (peer-reviewed)
    • We present a publicly available, OWL-based ontology of information security which models assets, threats, vulnerabilities, countermeasures and their relations. The ontology can be used as a general vocabulary, roadmap, and extensible dictionary of the domain of information security. With its help, users can agree on a common language and definition of terms and relationships. In addition to browsing for information, the ontology is also useful for reasoning about relationships between its entities, for example, threats and countermeasures. The ontology helps answer questions like: Which countermeasures detect or prevent the violation of integrity of data? Which assets are protected by SSH? Which countermeasures thwart buffer overflow attacks? At the moment, the ontology comprises 88 threat classes, 79 asset classes, 133 countermeasure classes and 34 relations between those classes. We provide the means for extending the ontology, and provide examples of the extendibility with the countermeasure classes ‘memory protection’ and ‘source code analysis’. This article describes the content of the ontology as well as its usages, potential for extension, technical implementation and tools for working with it.
4.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Practice-based discourse analysis of information security policies
  • 2017
  • In: Computers & security (Print). - : Elsevier. - 0167-4048 .- 1872-6208. ; 67, pp. 267-279
  • Journal article (peer-reviewed)
    • To address the “insider” threat to information and information systems, an information security policy is frequently recommended as an organisational measure. However, having a policy in place does not necessarily guarantee information security. Employees’ poor compliance with information security policies is a perennial problem for many organisations. It has been shown that approximately half of all security breaches caused by insiders are accidental, which means that one can question the usefulness of current information security policies. We therefore propose eight tentative quality criteria in order to support the formulation of information security policies that are practical from the employees’ perspective. These criteria have been developed using practice-based discourse analysis on three information security policy documents from a health care organisation.
5.
  • Hedström, Karin, 1967-, et al. (author)
  • Social action theory for understanding information security non-compliance in hospitals : the importance of user rationale
  • 2013
  • In: Information Management & Computer Security. - : Emerald Group Publishing Limited. - 0968-5227 .- 1758-5805. ; 21:4, pp. 266-287
  • Journal article (peer-reviewed)
    • Purpose – Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security. Design/methodology/approach – This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality. Findings – The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1. Employees' non-compliance is predominantly based on means-end calculations and based on a practical rationality, P2. An information security investigation of employees' rationality should not be based on an a priori assumption about user intent, P3. Information security management and choice of countermeasures should be based on an understanding of the use rationale, and P4. Countermeasures should target intentional as well as unintentional non-compliance. Originality/value – This work is an extension of Hedström et al. arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedström et al. more clear.
6.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Practice-Based Discourse Analysis of Information Security Policy in Health Care
  • 2014
  • Conference paper (peer-reviewed)
    • Information security is an understudied area within electronic government. In this study, we examine the quality of information security policy design in health care. Employees cause a majority of the security breaches in health care, and many of them are unintentional. In order to support the formulation of practical, from the employees’ perspective, information security policies, we propose eight tentative quality criteria. These criteria were developed using practice-based discourse analysis on three information security policy documents from a health care organisation.
7.
  • Gustafsson, Mariana, 1978-, et al. (author)
  • Safe on-line e-services building legitimacy for e-government : A case study of public e-services in education in Sweden
  • 2013
  • In: eJournal of eDemocracy & Open Government. - Krems, Austria : Donau-Universitaet Krems. - 2075-9517. ; 5:2, pp. 155-173
  • Journal article (peer-reviewed)
    • There is an increased use of public e-services integrating citizens into public administration through electronic interfaces. On-line interaction among public organizations and citizens is one core relation in e-government that hereby becomes embedded into daily practices. A safe entry into e-governmental systems is essential for security and trust in the e-governmental systems and schools as well as public services in general. This paper addresses how electronic identification has been used for access to public e-services in schools in a Swedish municipality. This paper draws on a case study of use of ICT platforms in education administration in order to study the implementation of secure login process and factors that may have implications upon trust in and legitimacy of public e-services at local e-government level. Besides describing the implementation process and analyzing security and organizational arrangements connected to the use of the platform, the paper addresses the argument that secure identification tools are essential for increased use of e-services and lead to greater legitimacy of the public (e)services. The analysis focuses on information security, organization set-up and potential development of the platforms, contributing with empirical findings and conceptual applications. A key finding was that the organization of identification and access to public e-services seemed highly dependent on the organizational structure of the public schools. The more general implication of the findings was that safe and well organized identification systems that were considered as trustworthy and useful among citizens were essential for increased use of the services and legitimate public e-services in general.
8.
  • Große, Christine, Fil.Dr, 1974-, et al. (author)
  • Left in the Dark : Obstacles to Studying and Performing Critical Infrastructure Protection
  • 2021
  • In: Electronic Journal of Business Research Methods. - : Academic Conferences International Limited. - 1477-7029. ; 19:2
  • Journal article (peer-reviewed)
    • This paper highlights major methodological obstacles to studying and performing critical infrastructure protection (CIP) in general and CIP governance in particular. The study simultaneously examines a research project on and practice in the context of Swedish CIP. The complex planning approach of interest is called Styrel, a Swedish acronym for Steering Electricity to prioritised power consumers. It aims to identify and prioritise power consumers of societal importance, collectively referred to as critical infrastructure (CI), to provide an emergency response plan for the event of a national power shortage. Methodologically, the investigation uses material from document studies, interviews and a survey, which involved many actors from the Swedish case. For the analysis of the methodological obstacles, this study applies an abstracted research and development process that encompasses four steps: data collection, data assessment, decision-making and evaluation. The paper mutually maps the insights from the research project to the empirical evidence from the case study. Through this reflective analysis, the findings contribute to a deeper understanding of the challenges that significantly impede research and practice in the context of national and international CIP, for example, insufficient information sharing and knowledge exchange among parties, a lack of integrated and advanced methods, and uncertainty in policies that induces a variety of local approaches. In addition, since empirical research on implemented CIP plans is limited, this paper addresses this gap. It reveals five general obstacles for both research and practice: a) the access to high-quality data, b) the loss of knowledge over time, c) the interpretation and evaluation of processes and methods, d) the transferability and comparability of data, results and insights; whereas all culminate in 5) a lack of collective intelligence. 
The accumulation of these obstacles hinders a detailed assessment of decision-making for CIP and its consequences on society. For this reason, this study emphasises the need for enhancing mutual understanding among the various parties in the area of CIP while respecting relevant security issues when inventing novel methods that facilitate collective intelligence.
9.
  • Herzog, Almut, 1969- (author)
  • Usable Security Policies for Runtime Environments
  • 2007
  • Doctoral thesis (other academic/artistic)
    • The runtime environments provided by application-level virtual machines such as the Java Virtual Machine or the .NET Common Language Runtime are attractive for Internet application providers because the applications can be deployed on any platform that supports the target virtual machine. With Internet applications, organisations as well as end users face the risk of viruses, trojans, and denial of service attacks. Virtual machine providers are aware of these Internet security risks and provide, for example, runtime monitoring of untrusted code and access control to sensitive resources. Our work addresses two important security issues in runtime environments. The first issue concerns resource or release control. While many virtual machines provide runtime access control to resources, they do not provide any means of limiting the use of a resource once access is granted; they do not provide so-called resource control. We have addressed the issue of resource control in the example of the Java Virtual Machine. In contrast to others’ work, our solution builds on an enhancement to the existing security architecture. We demonstrate that resource control permissions for Java-mediated resources can be integrated into the regular Java security architecture, thus leading to a clean design and a single external security policy. The second issue that we address is the usability and security of the setup of security policies for runtime environments. Access control decisions are based on external configuration files, the security policy, which must be set up by the end user. This set-up is security-critical but also complicated and error-prone for a lay end user and supportive, usable tools are so far missing.
After one of our usability studies signalled that offline editing of the configuration file is inefficient and difficult for end users, we conducted a usability study of personal firewalls to identify usable ways of setting up a security policy at runtime. An analysis of general user help techniques together with the results from the two previous studies resulted in a proposal of design guidelines for applications that need to set up a security policy. Our guidelines have been used for the design and implementation of the tool JPerM that sets the Java security policy at runtime. JPerM evaluated positively in a usability study and supports the validity of our design guidelines.
10.
  • Oscarson, Per, 1965- (author)
  • Actual and Perceived Information Systems Security
  • 2007
  • Doctoral thesis (other academic/artistic)
    • As the Internet becomes the major information infrastructure in most sectors, the importance of Information Systems (IS) security steadily increases. While reaching a certain level of actual IS security is vital for most businesses, this level must also be perceived as acceptable by stakeholders. Businesses have to maintain a certain level of security and be able to assess the level of other actors’ security. IS security is abstract and complex, however, and difficult to estimate and measure. This thesis uses epistemic and ontological frameworks to study the conceptual nature of IS security and separate the concepts of actual and perceived IS security. A well-known event is used to illustrate the conceptual discussion: the Sasser worm that was spread around the world in 2004. This study also includes a smaller case study from the City of Stockholm, where about 4,000 computers were infected by Sasser. The outcome of the study is that actual IS security should be treated as a dynamic condition that is influenced by three different objects: information assets, threat objects and security mechanisms. Incidents are processes that are ruled by the conditions of these three objects and affect the states of confidentiality, integrity and availability of information assets. The concepts of threat, risk and trust remain at epistemic level, i.e. perceptions. Perceptions of IS security can differ depending on their social establishment and are classified as subjective judgements, inter-subjective judgements or institutional facts. While actual IS security conditions can influence actors’ perceptions of IS security, perceived IS security can also influence actual IS security.
Publication type
journal article (13)
conference paper (12)
doctoral thesis (5)
book chapter (4)
report (3)
edited collection (editorship) (1)
licentiate thesis (1)
Content type
peer-reviewed (24)
other academic/artistic (15)
Author/editor
Hedström, Karin, 196 ... (6)
Jönsson, Arne, 1955- (3)
Nadjm-Tehrani, Simin (3)
Ingemarsson, Ingemar (3)
Karlsson, Fredrik, 1 ... (3)
Shahmehri, Nahid, 19 ... (3)
Goldkuhl, Göran (3)
Fried, Andrea, 1972- (3)
Karlsson, Fredrik (2)
Wihlborg, Elin, 1970 ... (2)
Shahmehri, Nahid (2)
Duma, Claudiu (2)
Kolkowska, Ella (2)
Herzog, Almut (2)
Pantic-Dragisic, Svj ... (2)
Rajagopalan, S. (1)
Nohlberg, Marcus (1)
Lambrix, Patrick, Pr ... (1)
Fischer-Hübner, Simo ... (1)
Venkategowda, Naveen (1)
Furnell, Steven, Pro ... (1)
Alarcon, Alvaro, 199 ... (1)
Xavier, Guilherme B. ... (1)
de Pádua, Sebastião, ... (1)
Wihlborg, Elin, Prof ... (1)
Wang, Cong (1)
Andersson, Annika (1)
Hamrin, Elisabeth (1)
Axelsson, Karin (1)
Shahmehri, Nahid, Pr ... (1)
Blom, Rolf (1)
Asplund, Mikael (1)
Sigholm, Johan (1)
Goldkuhl, Göran, 194 ... (1)
Werner, Stefan (1)
Herrmann, Peter (1)
Shahmehri, Nahid, Pr ... (1)
Gullberg, Mats (1)
Große, Christine, Fi ... (1)
Lee, Kyuho (1)
Gustafsson, Mariana, ... (1)
Fåk, Viiveke (1)
Olausson, Pär M., Do ... (1)
Raciti, Massimiliano (1)
Mirtsch, Mona (1)
Amirtharajan, Rengar ... (1)
Wallman Lundåsen, Su ... (1)
Glaa, Besma, 1978- (1)
Moradi, Ashkan (1)
Jansson, Gabriella, ... (1)
University
Örebro universitet (5)
Mittuniversitetet (1)
Högskolan i Skövde (1)
Försvarshögskolan (1)
Language
English (39)
Research subject (UKÄ/SCB)
Social Sciences (18)
Natural Sciences (17)
Engineering and Technology (8)