| 1. |
- Bergström, Erik, 1976-
(författare)
-
Supporting Information Security Management : Developing a Method for Information Classification
- 2020
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.
|
|
| 2. |
- Brodin, Martin
(författare)
-
Managing information security for mobile devices in small and medium-sized enterprises : Information management, Information security management, mobile device
- 2020
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- The rapid proliferation of mobile devices makes mobile security a weak point in many organisations’ security management. Though there are a number of frameworks and methods available for improving security management, few of these target mobile devices, and most are designed for large organisations. Small and medium size organisations are known to be vulnerable to mobile threats, and often subject to the same legal requirements as larger organisations. However, they typically lack the resources and specialist competences necessary to use the available frameworks.This thesis describes an Action Design Research project to devise and test a low cost, low learning curve method for improving mobile security management. The project is conducted together with a small Swedish consulting company and evaluated in several other companies. In order to solve the challenge that SMEs faces; three objectives have been set:1. Identify existing solutions at a strategic level to managing information that is accessible with mobile devices and their suitability for SMEs.2. Develop a framework to support SMEs to manage information in a secure way on mobile devices.3. Evaluate the framework in practice.The results show that simple theoretical models can be integrated with well-known analysis techniques to inform managers and provide practical help for small companies to improve mobile security practice. The most important contribution to both science and practice is a structured approach for managers to deal with mobile devices, or for that matter other technology advances that do not fit into the existing management system. The journey to the final solution also produced several smaller contributions to science, for example insights from C-suites about strategies and work with mobile devices, differences and similarities between CYOD (choose your own device) and BYOD (bring your own device), the role of security policies in organisations, and twelve identified management issues with mobile devices.
|
|
| 3. |
- Åhlfeldt, Rose-Mharie, 1960-, et al.
(författare)
-
Current Situation Analysis of Information Security Level in Municipalities
- 2018
-
Ingår i: Journal of Information System Security. - : The Information Institute. - 1551-0123 .- 1551-0808. ; 14:1, s. 3-19
-
Tidskriftsartikel (refereegranskat)abstract
- Municipalities manage a significant part of society's services, and hence they also handle a vast amount of information. A municipality's activities include managing a significant part of society's services, and municipalities’ supply and management of information are, therefore, critical for society in general, and also for achieving the municipalities’ own operational goals. However, research shows weaknesses in the municipalities' work on information security, and there is a need to study and identify the current level of security.This paper presents the result from a GAP analysis mapping the current situation of Swedish municipalities' for systematic information security work, based on the demands made on municipalities from both research and social perspectives. The result shows that the information security level regarding the systematic security work is generally low, and that there is a need to implement adapted tools for Information Security Management Systems in order to support municipalities.
|
|
| 4. |
- Åhlfeldt, Rose-Mharie, 1960-, et al.
(författare)
-
Current Situation Analysis of Information Security Level in Municipalities
- 2018
-
Ingår i: Proceedings of the Annual Information Institute Conference. - : The Information Institute. - 9781935160199
-
Konferensbidrag (refereegranskat)abstract
- Municipalities manage a significant part of society's services, and hence also handle a vast amount of information. A municipality's activities include managing a significant part of society's services, and the municipality's supply and management of information are, therefore, critical for society in general, but also for achieving the municipality's own operational goals. However, investigations show weaknesses in the municipalities' work on information security, and there is a need to study and identify the current level of security. This paper presents the result from a GAP analysis mapping the Swedish municipalities current situation for systematic information security work, based on the demands made on municipalities from both research and social perspectives. The result shows that the information security level regarding systematic security work is generally low and that there is a need for adapted tools for Information Security Management Systems in order to support municipalities.
|
|
| 5. |
- Söderström, Eva, 1972-, et al.
(författare)
-
A Holistic Approach of how to handle Patient Information to support Seamless and Secure care
- 2021
-
Ingår i: Proceedings of the 7th International Workshop on Socio-Technical Perspective in IS Development (STPIS 2021). - : CEUR-WS. ; , s. 198-203
-
Konferensbidrag (refereegranskat)abstract
- Healthcare, like society in general, is facing great changes and challenges. Rapid development and uptake of digital technologies bring about the need to change. With the COVID-19 pandemic, the amount of healthcare meetings taking place online has surged. This means, among other things, that there are more healthcare actors involved in a patient’s care, and that information relating to a patient needs to be shared across borders now more than ever need to be improved. However, this is currently not done seamlessly, and there are many hinders and obstacles to overcome. This research aims at enabling a holistic approach on how to handle patient information in order to support seamless and secure care along the whole patient process. In doing so, drivers and hinders need to be identified, and a socio-technical framework with concrete guidelines will be developed. These results will be a first step towards filling this research gap, and will connect several perspectives in order to make the results truly actionable and holistic.
|
|
| 6. |
- Bergström, Erik, 1976-, et al.
(författare)
-
Developing an information classification method
- 2021
-
Ingår i: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 29:2, s. 209-239
-
Tidskriftsartikel (refereegranskat)abstract
- Purpose: The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified. Design/methodology/approach: The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019. Findings: The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation. Research limitations/implications: Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement. Practical implications: The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour. Originality/value: The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.
|
|
| 7. |
|
|
| 8. |
- Bergström, Erik, 1976-, et al.
(författare)
-
Information Classification Policies : An Exploratory Investigation
- 2018
-
Ingår i: Proceedings of the Annual Information Institute Conference. - Washington, DC : Information Institute. - 9781935160199
-
Konferensbidrag (refereegranskat)abstract
- InfoSec policies are considered a key mechanism in information security, and most organizations have one. However, the large majority of security policy research has focused on what policies should include rather than how they are accomplished in practice. To contribute to overcoming the lack of knowledge regarding this crucial aspect, this paper investigates information security policies based on what underlying approaches information classification practices are built on and the perceived ease of turning the policy into practice. To do so, a survey was sent to 284 Swedish government agencies, and 80 of their internal policies were collected as data. The data were analyzed both qualitatively, and qualitatively. The results show that information classification adoption rates are low despite being mandatory and that agencies are struggling in closing the gap between standards and practice. Furthermore, the results also show that information classification policies need to be more specific and give more actionable advice regarding, e.g., how information life-cycle management is included in practice, and where the responsibility for classification is put in the organization.
|
|
| 9. |
- Åhlfeldt, Rose-Mharie, 1960-
(författare)
-
Brister i kommunernas informationssäkerhet
- 2019
-
Ingår i: Perspektiv på digitalisering. - Stockholm : Consid AB. - 9789151930367 ; , s. 89-94
-
Bokkapitel (populärvet., debatt m.m.)
|
|
