SwePub

Result list for search ""information security" ;lar1:(liu);hsvcat:5"


  • Result 1-10 of 18
1.
  • Kolkowska, Ella, et al. (author)
  • Analyzing information security goals
  • 2012. - 1
  • In: Threats, countermeasures and advances in applied information security. - : IGI Global. - 9781466609785 ; , pp. 91-110
  • Book chapter (other academic/artistic)
    • "This book addresses the fact that managing information security program while effectively managing risks has never been so critical, discussing issues such as emerging threats and countermeasures for effective management of information security in organizations"--Provided by publisher.
2.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Practice-based discourse analysis of information security policies
  • 2017
  • In: Computers & security (Print). - : Elsevier. - 0167-4048 .- 1872-6208. ; 67, pp. 267-279
  • Journal article (peer-reviewed)
    • To address the “insider” threat to information and information systems, an information security policy is frequently recommended as an organisational measure. However, having a policy in place does not necessarily guarantee information security. Employees’ poor compliance with information security policies is a perennial problem for many organisations. It has been shown that approximately half of all security breaches caused by insiders are accidental, which means that one can question the usefulness of current information security policies. We therefore propose eight tentative quality criteria in order to support the formulation of information security policies that are practical from the employees’ perspective. These criteria have been developed using practice-based discourse analysis on three information security policy documents from a health care organisation.
3.
  • Hedström, Karin, 1967-, et al. (author)
  • Social action theory for understanding information security non-compliance in hospitals : the importance of user rationale
  • 2013
  • In: Information Management & Computer Security. - : Emerald Group Publishing Limited. - 0968-5227 .- 1758-5805. ; 21:4, pp. 266-287
  • Journal article (peer-reviewed)
    • Purpose – Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security. Design/methodology/approach – This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality. Findings – The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1. Employees' non-compliance is predominantly based on means-end calculations and based on a practical rationality, P2. An information security investigation of employees' rationality should not be based on an a priori assumption about user intent, P3. Information security management and choice of countermeasures should be based on an understanding of the use rationale, and P4. Countermeasures should target intentional as well as unintentional non-compliance. Originality/value – This work is an extension of Hedström et al. arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedström et al. more clear.
4.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Practice-Based Discourse Analysis of Information Security Policy in Health Care
  • 2014
  • Conference paper (peer-reviewed)
    • Information security is an understudied area within electronic government. In this study, we examine the quality of information security policy design in health care. Employees cause a majority of the security breaches in health care, and many of them are unintentional. In order to support the formulation of practical, from the employees’ perspective, information security policies, we propose eight tentative quality criteria. These criteria were developed using practice-based discourse analysis on three information security policy documents from a health care organisation.
5.
  • Gustafsson, Mariana, 1978-, et al. (author)
  • Safe on-line e-services building legitimacy for e-government : A case study of public e-services in education in Sweden
  • 2013
  • In: eJournal of eDemocracy & Open Government. - Krems, Austria : Donau-Universitaet Krems. - 2075-9517. ; 5:2, pp. 155-173
  • Journal article (peer-reviewed)
    • There is an increased use of public e-services integrating citizens into public administration through electronic interfaces. On-line interaction among public organizations and citizens is one core relation in e-government that hereby becomes embedded into daily practices. A safe entry into e-governmental systems is essential for security and trust in the e-governmental systems and schools as well as public services in general. This paper addresses how electronic identification has been used for access to public e-services in schools in a Swedish municipality. This paper draws on a case study of use of ICT platforms in education administration in order to study the implementation of secure login process and factors that may have implications upon trust in and legitimacy of public e-services at local e-government level. Besides describing the implementation process and analyzing security and organizational arrangements connected to the use of the platform, the paper addresses the argument that secure identification tools are essential for increased use of e-services and lead to greater legitimacy of the public (e)services. The analysis focuses on information security, organization set-up and potential development of the platforms, contributing with empirical findings and conceptual applications. A key finding was that the organization of identification and access to public e-services seemed highly dependent on the organizational structure of the public schools. The more general implication of the findings was that safe and well organized identification systems that were considered as trustworthy and useful among citizens were essential for increased use of the services and legitimate public e-services in general.
6.
  • Große, Christine, Fil.Dr, 1974-, et al. (author)
  • Left in the Dark : Obstacles to Studying and Performing Critical Infrastructure Protection
  • 2021
  • In: Electronic Journal of Business Research Methods. - : Academic Conferences International Limited. - 1477-7029. ; 19:2
  • Journal article (peer-reviewed)
    • This paper highlights major methodological obstacles to studying and performing critical infrastructure protection (CIP) in general and CIP governance in particular. The study simultaneously examines a research project on and practice in the context of Swedish CIP. The complex planning approach of interest is called Styrel, a Swedish acronym for Steering Electricity to prioritised power consumers. It aims to identify and prioritise power consumers of societal importance, collectively referred to as critical infrastructure (CI), to provide an emergency response plan for the event of a national power shortage. Methodologically, the investigation uses material from document studies, interviews and a survey, which involved many actors from the Swedish case. For the analysis of the methodological obstacles, this study applies an abstracted research and development process that encompasses four steps: data collection, data assessment, decision-making and evaluation. The paper mutually maps the insights from the research project to the empirical evidence from the case study. Through this reflective analysis, the findings contribute to a deeper understanding of the challenges that significantly impede research and practice in the context of national and international CIP, for example, insufficient information sharing and knowledge exchange among parties, a lack of integrated and advanced methods, and uncertainty in policies that induces a variety of local approaches. In addition, since empirical research on implemented CIP plans is limited, this paper addresses this gap. It reveals five general obstacles for both research and practice: a) the access to high-quality data, b) the loss of knowledge over time, c) the interpretation and evaluation of processes and methods, d) the transferability and comparability of data, results and insights; whereas all culminate in 5) a lack of collective intelligence. 
      The accumulation of these obstacles hinders a detailed assessment of decision-making for CIP and its consequences on society. For this reason, this study emphasises the need for enhancing mutual understanding among the various parties in the area of CIP while respecting relevant security issues when inventing novel methods that facilitate collective intelligence.
7.
  • Oscarson, Per, 1965- (author)
  • Actual and Perceived Information Systems Security
  • 2007
  • Doctoral thesis (other academic/artistic)
    • As the Internet becomes the major information infrastructure in most sectors, the importance of Information Systems (IS) security steadily increases. While reaching a certain level of actual IS security is vital for most businesses, this level must also be perceived as acceptable by stakeholders. Businesses have to maintain a certain level of security and be able to assess the level of other actors’ security. IS security is abstract and complex, however, and difficult to estimate and measure. This thesis uses epistemic and ontological frameworks to study the conceptual nature of IS security and separate the concepts of actual and perceived IS security. A well-known event is used to illustrate the conceptual discussion: the Sasser worm that was spread around the world in 2004. This study also includes a smaller case study from the City of Stockholm, where about 4,000 computers were infected by Sasser. The outcome of the study is that actual IS security should be treated as a dynamic condition that is influenced by three different objects: information assets, threat objects and security mechanisms. Incidents are processes that are ruled by the conditions of these three objects and affect the states of confidentiality, integrity and availability of information assets. The concepts of threat, risk and trust remain at epistemic level, i.e. perceptions. Perceptions of IS security can differ depending on their social establishment and are classified as subjective judgements, inter-subjective judgements or institutional facts. While actual IS security conditions can influence actors’ perceptions of IS security, perceived IS security can also influence actual IS security.
8.
  • Fried, Andrea, 1972-, et al. (author)
  • Communicating preventive innovation - the case of the information security standard ISO/IEC 27001
  • 2022
  • Conference paper (other academic/artistic)
    • Preventive innovation differs from ordinary innovation. The innovation diffusion literature claims that the economic benefits of preventive innovation to adopters, such as ensuring information security, are mainly intangible and often time-delayed and sometimes only adopted for incidents that may never occur. Adopter communication about preventive innovation therefore seems to be crucial. Using the example of the information security standard ISO/IEC 27001, we examine how communication of preventive innovations is shaped by its adopters. By analyzing texts about the information security standard ISO/IEC 27001 on Swedish corporate websites using computational linguistics tools and classical content analysis, we could identify, first, different adoption approaches of preventive innovation driven, second, by three modes of data governance: agency, stewardship and brokerage. Third, we provide evidence that the communication of preventive innovation depends on its data governance mode, but, fourth, also on the economic benefits of preventive innovation for adopters. Our contribution to the innovation literature is twofold. First, the concept of preventive innovation originally presented by Rogers (1995) is revived and further developed. Comparing it to its original scope, we show that preventive innovation can be meaningful for adopting organizations not only when they go through all possible adoption phases identified by Rogers (1995). Also an economic benefit from preventive innovation is possible. Both aspects, adoption approach as well as economic opportunity strongly shape the production of meaning in communication about preventive innovation. Second, we show that computational linguistics can support qualitative research in the study of meaning production in communication, especially when dealing with large amounts of data, for instance, gained from corporate websites.
9.
  • Gustafsson, Mariana S., 1978- (author)
  • Reassembling Local E-Government : A study of actors’ translations of digitalisation in public administration
  • 2017
  • Doctoral thesis (other academic/artistic)
    • The digitalisation of society decidedly affects public administration. Swedish public administration has long worked with information technologies for an effective and improved management of public services. But new and increased use of information technologies in society poses new challenges. New demands on information security are increasing, while accessibility and transparency are important priorities in policies on digitalisation in public services. However, the central government’s ambitions and expectations with regard to digitalisation face a slow and hesitant implementation in local governments. There are important differences between municipalities in priorities, local needs, and implementation mechanisms in connection with e-government. In this thesis, I argue there is a need to reconsider the role of governance mechanisms in e-government. There is a need to understand local translations of national policies and technological developments in relation to the goals of more effective and legitimate public administration. The main purpose of this thesis is to analyse tensions that emerge in the implementation of e-government in local public administration. On the basis of a constructivist and interpretivist approach, I have undertaken two empirical studies. One focuses on municipal administration of education in Linköping. The other focuses on a governance network on digitalisation policy in Östergötland. The studies are presented in four papers. The issues addressed in the papers are further analysed with a focus on four fields of tension, using network governance theory and translation theory. This shows that the implementation of e-government in local public administration is a tension-laden process. The four fields of tension relate to: different logics and dilemmas for adoption and implementation; concerns and ambiguities in a context of unclear organisational and institutional arrangements; concerns and resistance from professional users; and a reassessment of the meaning of security as a reference for the interpretation of information security. I contend that established managerial and evolutionary models of e-government leave important process-related aspects out of the analysis of change in public administration. The contribution of this thesis lies in its description and analysis of the four identified fields of tension. One significant implication of my analysis is that reassembling current governance mechanisms in local public administration is crucial.
10.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Practice-Based Discourse Analysis of InfoSec Policies
  • 2015
  • In: ICT systems security and privacy protection. - Boston : Springer International Publishing. - 9783319184661 - 9783319184678 ; , pp. 297-310
  • Conference paper (peer-reviewed)
    • Employees' poor compliance with information security policies is a perennial problem for many organizations. Existing research shows that about half of all breaches caused by insiders are accidental, which means that one can question the usefulness of information security policies. In order to support the formulation of practical, from the employees' perspective, information security policies, we propose eight tentative quality criteria. These criteria were developed using practice-based discourse analysis on three information security policy documents from a health care organisation.