Högskolan i Skövde

Insecure user behavior is the most common cause of cybersecurity incidents. Insecure behavior includes failing to detect phishing, insecure password management, and more. The problem has been known for decades, and state-of-the-art mitigation methods include security education, training, and awareness (SETA). A common problem with SETA is, however, that users do not seem to adopt it to a high enough extent. When users are not adopting SETA, its intended benefit is lost. Previous research argues for personalized SETA and suggests that different user groups have different SETA needs and preferences. The characteristics of those groups are, however, unknown. To that end, this research draws on an existing dataset to identify how different populations perceive different SETA methods. A quantitative analysis shows that users in different demographic groups have different SETA preferences, with age being the most impactful demographic. A qualitative analysis reveals further factors that impact user adoption of SETA, with cost and ease of use being important factors for further research. 

Information Security Risk Management (ISRM) is fundamental in most organisations today. The literature describes ISRM as a complex activity, and one way of addressing this is to enable knowledge reuse in the shape of catalogues. Catalogues in the ISRM domain can contain lists of, e.g. assets, threats and security controls. In this paper, we focus on three aspects of catalogue use. Why we need catalogues, how catalogue granularity is perceived, and how catalogues help novices in practice. As catalogue use is not yet a widespread practice in the ISRM, we have selected a domain where catalogues are a part of the ISRM work. In this case, the Air Traffic Management (ATM) domain uses a methodology that includes catalogues and is built on ISO/IEC 27005. The results are based on data collected from 19 interviews with ATM professionals that are either experts or novices in ISRM. With this paper, we nuance the view on what catalogues can contribute with. For example, consistency, coherency, a starting point and new viewpoints. At the same time, we identify the need to inform about the aim of the catalogues and the limitations that come with catalogue use in order to leverage the use – especially from a novice perspective. © 2023, IFIP International Federation for Information Processing.

Cyber security is a key enabler for safe Air Traffic Management (ATM). This paper presents results from an empirical study, in which we have investigated and evaluated the use of the Security Risk Assessment Methodology for SESAR (SecRAM) in European ATM research and development projects. The study was performed with the intention to find and document common issues and aspects that could be improved in the methodology. The results from the study reveal that while most of the practitioners had a positive perception of the methodology itself, they were less satisfied with the process of applying it in their projects. Based on the results, we provide a number of recommendations, which aim to improve the security risk assessment process in the ATM domain.

Purpose: The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified. Design/methodology/approach: The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019. Findings: The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation. Research limitations/implications: Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement. Practical implications: The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour. Originality/value: The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.

In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.

This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.

I den starkt digitaliserade värld vi lever i idag har information och informationssystem blivit kritiska tillgångar för organisationer och därför måste dessa följaktligen skyddas. För att implementera och arbeta med informationssäkerhet på ett strukturerat sätt kan ett ledningssystem för informationssäkerhet (LIS) implementeras. Hantering av tillgångar är en central aktivitet i LIS som syftar till att identifiera tillgångar, fastställa lämpligt ansvar och bestämma lämplig skyddsnivå för informationstillgångar. En aktivitet inom hanteringen av tillgångar är informationsklassificering som har som mål att se till att information får en lämplig skyddsnivå i enlighet med dess betydelse för organisationen. Informationsklassificering är en allmänt känd och välanvänd praxis för alla slags organisationer, både inom den privata och offentliga sektorn. Dessutom finns informationsklassificering beskrivit som en del av flera standarder exempelvis i ISO/IEC 27002, COBIT och NIST-SP800.

Informationsklassificering har emellertid fått lite uppmärksamhet inom akademin och dessutom kämpar många organisationer med införandet. De underliggande orsakerna till varför det är problematiskt att implementera och använda informationsklassificering är i mångt och mycket oklara. Vidare tillhandahåller exempelvis befintliga standarder och nationella rekommendationer inget sammanhängande och systematiskt beskrivit tillvägagångssätt för att skildra informationsklassificering. De korta beskrivningarna i standarder och vetenskaplig litteratur utelämnar väsentliga aspekter som krävs för att kunna implementera informationsklassificering i en organisation. Det finns till exempel brist på detaljerade beskrivningar avseende (1) förfaranden och begrepp, (2) hur man kan anpassa tillvägagångssättet för olika situationer, (3) ett ramverk som strukturerar och styr klassificeringen, (4) vilka roller som ska vara involverade i klassificeringen och (5) hur information med olika granularitet hanteras.

Denna avhandling syftar till att utveckla en metod för informationsklassificering som bygger på standarder och praxis och som kan användas som en del av LIS-arbetet. För att möta detta syfte genomfördes en DSR-studie (Design Science Research) i tre cykler. Ett brett spektrum av data har samlats in som en del av detta arbete, inklusive en serie intervjuer med experter och nybörjare om informationsklassificering, en enkätundersökning, ett antal observationer samt en insamling av de flesta svenska myndigheters klassificeringspolicyer. Det finns tre huvudsakliga bidrag med denna avhandling (1) identifiering av problem och möjliggörare för informationsklassificering, (2) designprinciper som ligger till grund för utvecklingen av en metod för informationsklassificering och (3) metoden för informationsklassificering. Det har också gjorts bidrag till kontexten kring informationsklassificering. Exempelvis beskrivs och ges 20 praktiska förslag för hur man bemöter väldokumenterade utmaningar inom riskanalys och vid val av skyddsåtgärder.

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges. 

Purpose: The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach: The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings: Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work. Research limitations/implications: The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications: The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value: Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches. 

In this study, the enactment of information security risk management by novice practitioners is studied by applying an analytical lens of security-related stress. Two organisations were targeted in the study using a case study approach to obtain data about their practices. The study identifies stressors and stress inhibitors in the ISRM process and the supporting ISRM tools and discusses the implications for practitioners. For example, a mismatch between security standards and how they are interpreted in practice has been identified. This mismatch was further found to be strengthened by the design of the used ISRM tools. Those design shortcomings hamper agility since they may enforce a specific workflow or may restrict documentation. The study concludes that security-related stress can provide additional insight into security-novice practitioners' ISRM challenges. 

Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), and ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found with security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach, to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers’ decisions, and identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.

I Högskolan i Skövdes (HS) utvecklingsplan (Högskolan i Skövde, 2017) framhålls vikten av att samtliga utbildningsprogram skall erbjuda möjligheter till utbytesstudier. Historiskt sett har antalet utresande vid HS varit lågt samtidigt som fakta som belyser varför så är fallet främst har baserats på enskilda studenters upplevelser av nominerings- och antagningsprocesser. Dock saknas en mer enhetlig och generaliserbar vy av hur olika funktioner på HS rörande utbytesstudier upplevs, både av studenter som genomfört utbytesstudier samt av studenter som varit nominerade men valt att inte genomföra utbytesstudier.

Den frågeställning som adresserats är: vilka hinder finns för studenter som vill genomföra utbytesstudier? Den metod som tillämpats är en enkät som skickats ut till samtliga studenter som varit nominerade för utbytesstudier under 2017. Enkäten har baserats på en Likert-skala (Bryman och Nilsson) som kombinerats med fritextsvar.

Totalt har 20 studenter från olika utbildningsprogram besvarat enkäten. Studien visar att studenterna rent generellt är nöjda med HS administrativa funktioner vilket också är den kanal som oftast utnyttjas. Andra administrativa funktioner såsom programansvariga och ämnesföreträdare upplevs olika av studenterna beroende på vilket ämnesområde som berörs.

Studenterna redovisar ett antal huvudsakliga skäl som hindrar eller försvårar utbytesstudier. 1) Det läggs ett alltför stort ansvar på studenten i att identifiera kurser som denne är behörig till och som inte överlappar med kurser som läses vid det egna lärosätet. Detta innefattar även val av kurser som skall motsvara obligatoriska kurser på hemmaplan som i sin tur ligger som förkunskapskrav för framtida kurser inom utbildning, såsom examensarbeten. 2) Avsaknad av utbytesavtal med specifika länder samt svårighet att identifiera avtal med lärosäten som matchar studentens utbildningsprofil vid det egna lärosätet upplevs likaså som ett hinder för flertalet studenter. 3) Vidare uppger studenterna att det i många fall är svårt att ta till sig information på olika lärosätens hemsidor för att identifiera passande kurser eftersom den information som finns att tillgå upplevs som mycket heterogen och därmed både svårtolkad och svårnavigerad. Detta kan jämföras mot hur svenska lärosäten publicerar information om kurser vilket av studenterna upplevs som mer enhetligt och standardiserat vilket i sin tur gör olika kurser enklare att jämföra.

Något som efterfrågas av många studenter som varit nominerade för utbytesstudier men som i slutändan valt att inte resa är ”utbytesstudie-charter” där det finns färdiga kurspaket som är granskade och validerade av HS. Även önskemål om mer standardiserade paket för boende och andra praktiska frågor efterfrågas av studenterna.

Den information som enkätstudien har lyft fram har i första hand visat på att HS administrativa funktioner för utbytesstudier fungerar tillfredställande. Likaså verifierar enkätstudien de hypoteser som funnits rörande hindrande faktorer för utbytesstudier i de flesta fall stämmer: osäkerhet kring val av kurser och en oro för hur utbytesstudier kommer att påverka framtida studier på hemmaplan är stora orosmoment som kan få studenter av avstå från utbytesstudier trots ett initialt intresse för sådana.

Referenser

Bryman, A., & Nilsson, B. (2011). Samhällsvetenskapliga metoder. Malmö: Liber.

Högskolan i Skövde. (2017). Utvecklingsplan. Skövde.