SwePub

Result list for the search "information security" ;pers:(Kolkowska Ella 1972)


  • Results 1-10 of 15
1.
  • Rostami, Elham, 1983- (author)
  • Tailoring information security policies : a computerized tool and a design theory
  • 2023
  • Doctoral thesis (other academic/artistic) Abstract
    • Protecting information assets in organizations is a must, and one way of doing it is developing an information security policy (ISP) to direct employees’ behavior and define acceptable procedures that employees have to comply with on a daily basis. However, compliance with the ISP is a perennial problem. Non-compliance with ISPs is related to at least two factors: 1) employees’ behavior, and 2) the design of ISPs. Although much attention has been given to understanding and changing employees’ behavior, designing ISPs that are easy to follow has received less attention. Existing research has suggested designing such ISPs using a tailoring approach, where the ISP is designed in several versions that fulfill the needs of different target groups of employees. At the same time, tailoring means increased design complexity for information security managers as the designers of ISPs, where a computerized tool can aid. Thus, the aim of this thesis is to develop a computerized tool to support information security managers’ tailoring of ISPs and the design principles that such a tool can be based on. To this end, a design science research approach was employed. Using knowledge from the Situational Method Engineering field as the kernel theory for the design science research project, a set of design principles and a conceptual model were developed in terms of a Unified Modeling Language class diagram. Subsequently, a web-based software (POLCO) was developed based on the proposed conceptual model to support information security managers in designing tailored ISPs. The conceptual model and POLCO were developed, demonstrated, and evaluated as a proof-of-concept in three DSR cycles. The thesis contributes to research and practice by proposing the design principles and the conceptual model, which can be considered as: 1) a new theory on how to design ISPs, 2) a way to develop software to assist information security managers in designing tailored ISPs. Meanwhile, POLCO as an artifactual contribution can be considered a starting point for researchers to do studies in the ISP design area.
2.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Inter-organisational information security : a systematic literature review
  • 2016
  • In: Information & Computer Security. Emerald Group Publishing Limited. ISSN 2056-4961. 24:5, pp. 418-451
  • Review article (peer reviewed) Abstract
    • Purpose: The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about. Design/methodology/approach: The results are based on a literature review of inter-organisational information security research published between 1990 and 2014. Findings: The authors conclude that existing research has focused on a limited set of research topics. A majority of the research has focused on management issues, while employees’/non-staffs’ actual information security work in inter-organisational settings is an understudied area. In addition, the majority of the studies have used a subjective/argumentative method, and few studies combine theoretical work and empirical data. Research limitations/implications: The findings suggest that future research should address a broader set of research topics, focusing especially on employees/non-staff and their use of processes and technology in inter-organisational settings, as well as on cultural aspects, which are lacking currently; focus more on theory generation or theory testing to increase the maturity of this sub-field; and use a broader set of research methods. Practical implications: The authors conclude that existing research is to a large extent descriptive, philosophical or theoretical. Thus, it is difficult for practitioners to adopt existing research results, such as governance frameworks, which have not been empirically validated. Originality/value: Few systematic reviews have assessed the maturity of existing inter-organisational information security research. The authors’ findings on research topics, maturity and research methods extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-field of information security.
3.
  • Kolkowska, Ella, 1972-, et al. (author)
  • Organizational power and information security rule compliance
  • 2013
  • In: Computers & Security (Print). Elsevier BV. ISSN 0167-4048, 1872-6208. 33, pp. 3-11
  • Journal article (peer reviewed) Abstract
    • This paper analyzes power relationships and the resulting failure in complying with information security rules. It argues that an inability to understand the intricate power relationships in the design and implementation of information security rules leads to a lack of compliance with the intended policy. The argument is conducted through an empirical, qualitative case study set in a Swedish Social Services organization. Our findings indicate that various dimensions of power and how these relate to information security rules ensure adequate compliance. This also helps to improve configuration of security rules through proactive information security management.
4.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Information security policy compliance-eliciting requirements for a computerized software to support value-based compliance analysis
  • 2022
  • In: Computers & Security (Print). Elsevier. ISSN 0167-4048, 1872-6208. 114
  • Journal article (peer reviewed) Abstract
    • When end users have to prioritize between different rationalities in organisations there is a risk of non-compliance with information security policies. Thus, in order for information security managers to align information security with the organisations’ core work practices, they need to understand the competing rationalities. The Value-based compliance (VBC) analysis method has been suggested to this end, however it has proven to be complex and time-consuming. Computerized software may aid this type of analysis and make it more efficient and executable. The purpose of this paper is to elicit a set of requirements for computerized software that support analysis of competing rationalities in relation to end users’ compliance and non-compliance with information security policies. We employed a design science research approach, drawing on design knowledge on VBC and elicited 17 user stories. These requirements can direct future research efforts to develop computerized software in this area.
5.
  • Rostami, Elham, 1983-, et al. (author)
  • The hunt for computerized support in information security policy management : A literature review
  • 2020
  • In: Information and Computer Security. Emerald Group Publishing Limited. ISSN 2056-4961. 28:2, pp. 215-259
  • Review article (peer reviewed) Abstract
    • Purpose: The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about. Design/methodology/approach: The results are based on a literature review of ISP management research published between 1990 and 2017. Findings: Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively, and intervention-oriented research is rare. Research limitations/implications: Future research should, to a larger extent, address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, and investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process. Practical implications: The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners. Originality/value: Today, there are no literature reviews on to what extent computerised support has been suggested for the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.
7.
  • Kolkowska, Ella, 1972-, et al. (author)
  • Information security goals in a Swedish hospital
  • 2009
  • In: Security, assurance and privacy. Article no. 16
  • Conference paper (peer reviewed) Abstract
    • One of the problems highlighted within the area of information security is that international standards are implemented in organisations without adapting them to special organisational settings. This paper presents findings of information security goals found in policies, guidelines, and routines at a Swedish hospital. The purpose of the paper is to analyze the information security goals and relate them to confidentiality, integrity and availability (CIA), which are the traditional objectives for managing information security in organisations. A critical view of the CIA triad has been taken in the study, to see how it relates to a hospital setting. Seven main information security goals and 63 sub-goals supporting the main goals were identified. We found that the CIA triad covers three of these main goals. Confidentiality and integrity, however, have a broader definition in the hospital setting than the traditional definitions. In addition, we found four main information security goals that the CIA triad fails to cover. These are ‘Follow information security laws, rules and standards,’ ‘Traceability,’ ‘Standardized formation’ and ‘Informed patients and/or family.’ These findings show that there is a need to adapt the traditional information security objectives to special organisational settings.
8.
  • Kolkowska, Ella, 1972-, et al. (author)
  • Towards analysing the rationale of information security non-compliance : Devising a Value-Based Compliance analysis method
  • 2017
  • In: Journal of Strategic Information Systems. Amsterdam, Netherlands: Elsevier. ISSN 0963-8687, 1873-1198. 6:1, pp. 39-57
  • Journal article (peer reviewed) Abstract
    • Employees’ poor compliance with information security policies is a perennial problem. Current information security analysis methods do not allow information security managers to capture the rationalities behind employees’ compliance and non-compliance. To address this shortcoming, this design science research paper suggests: (a) a Value-Based Compliance analysis method and (b) a set of design principles for methods that analyse different rationalities for information security. Our empirical demonstration shows that the method supports a systematic analysis of why employees comply/do not comply with policies. Thus we provide managers with a tool to make them more knowledgeable about employees’ information security behaviours. 
9.
  • Gerdin, Marcus, 1995-, et al. (author)
  • What Goes Around Comes Around : Effects of Unclear Questionnaire Items in Information Security Research
  • 2023
  • In: Human Aspects of Information Security and Assurance. Springer. ISBN 9783031385292, 9783031385322, 9783031385308. pp. 470-481
  • Conference paper (peer reviewed) Abstract
    • The credibility of research on information system security is challenged by inconsistent results, and there is an ongoing discussion about research methodology and its effect on results within the employee non-/compliance to information security policies literature. We add to this discussion by investigating discrepancies between what we claim to measure (theoretical properties of variables) and what we actually measure (respondents’ interpretations of our operationalized variables). The study asks: (1) How well do respondents’ interpretations of variables correspond to their theoretical definitions? (2) What are the characteristics and causes of any discrepancies between variable definitions and respondent interpretations? We report a pilot study including interviews with seven respondents to understand their interpretations of the variable Perceived severity from the Protection Motivation Theory (PMT). We found that respondents’ interpretations differ substantially from the theoretical definitions, which introduces error in measurement. There were not only individual differences in interpretations but also, and more importantly, systematic ones: when questions are not well specified, or do not cover respondents’ practice, respondents make interpretations based on their practice. Our results indicate three types of ambiguities, namely (i) vagueness in part(s) of the measurement item, causing inconsistencies in interpretation between respondents, (ii) envisioning/interpreting ‘new’ properties not related to the theory, (iii) ‘misses the mark’ measurements, whereby respondents misinterpret the fundamentals of the item. The qualitative method used proved conducive to understanding respondents’ thinking, which is a key to improving research instruments.
10.
  • Karlsson, Fredrik, 1974-, et al. (author)
  • Inter-organisational information sharing : Between a rock and a hard place
  • 2015
  • In: Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015). Plymouth, UK: Plymouth University. ISBN 9781841023885. pp. 71-81
  • Conference paper (peer reviewed) Abstract
    • Although inter-organisational collaboration is common, most information security (IS) research has focused on IS issues within organisations. Confidentiality, integrity of data and availability (CIA) and responsibility, integrity of role, trust, and ethicality (RITE) are two sets of principles for managing IS that have been developed from an intra-organisational, rather static, perspective. The aim of this paper is thus to investigate the relation between the CIA and RITE principles in the context of an inter-organisational collaboration, i.e., collaboration between organisations. To this end we investigated inter-organisational collaboration and information sharing concerning Swedish copper corrosion research in the field of long-term nuclear waste disposal. We found that in an inter-organisational context, responsibility, integrity of role and ethicality affected the CIA principles, which in turn affected the collaborating actors’ trust in each other over time.