Högskolan i Skövde

Publications (10 of 16)
Bergström, E., Andersson, S. & Lundgren, M. (2025). To Risk Analyse, or Not to Risk Analyse: That’s the Question. In: Nathan Clarke; Steven Furnell (Ed.), Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part I. Paper presented at 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024 (pp. 107-119). Cham: Springer
2025 (English). In: Human Aspects of Information Security and Assurance: 18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024, Proceedings, Part I / [ed] Nathan Clarke; Steven Furnell, Cham: Springer, 2025, p. 107-119. Conference paper, Published paper (Refereed)
Abstract [en]

Risk analysis is a key activity for organisations that are looking to protect their valuable information assets against threats, such as malicious actors. It is one of the essential parts of risk management and is used to justify and prioritise what assets require the attention of which potential security controls. Risk management, and more specifically, risk analysis, is an activity that should be performed continuously. However, recent studies indicate that this is not always the case. As such, this paper investigates risk analysis as it is performed in practice in different Swedish public sector organisations. The results are based on semi-structured interviews with 17 senior security experts, an analysis of standards, and a national method support aiming to fill the gap between standard and practice. The results are presented in three themes: how, when and why risk analysis is performed. Of note, we identify that there is an issue of overlooking specific assets or systems when establishing an organisational-wide risk profile and a general recognition of the necessity for risk analysis, albeit not always in alignment with a classic risk analysis. 

Place, publisher, year, edition, pages
Cham: Springer, 2025
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 721
Keywords
Cybersecurity, Information security, Risk analysis, Risk assessment, Cyber security, Information assets, Organisational, Public sector organization, Risk analyze, Risks management, Security controls, Security experts, Semi structured interviews, Swedishs
National Category
Information Systems; Information Systems, Social aspects; Work Sciences
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-24793 (URN); 10.1007/978-3-031-72559-3_8 (DOI); 2-s2.0-85211361560 (Scopus ID); 978-3-031-72558-6 (ISBN); 978-3-031-72561-6 (ISBN); 978-3-031-72559-3 (ISBN)
Conference
18th IFIP WG 11.12 International Symposium, HAISA 2024, Skövde, Sweden, July 9–11, 2024
Projects
VISKA
Funder
Swedish Civil Contingencies Agency, MSB 2021-14650
Note

© IFIP International Federation for Information Processing 2025

Correspondence Address: E. Bergström; School of Engineering, Jönköping University, Jönköping, Sweden; email: erik.bergstrom@ju.se

We gratefully acknowledge the grant from the Swedish Civil Contingencies Agency (MSB), project VISKA (MSB 2021-14650).

Available from: 2024-12-19. Created: 2024-12-19. Last updated: 2025-01-14. Bibliographically approved
Hedberg, D., Lundgren, M. & Nohlberg, M. (2024). Cybersecurity in modern cars: awareness and readiness of auto workshops. Information and Computer Security, 32(4), 407-419
2024 (English). In: Information and Computer Security, E-ISSN 2056-4961, Vol. 32, no 4, p. 407-419. Article in journal (Refereed). Published
Abstract [en]

Purpose: This study aims to explore auto mechanics’ awareness of repairs and maintenance related to the car’s cybersecurity and provide insights into challenges based on current practice. Design/methodology/approach: This study is based on an empirical study consisting of semistructured interviews with representatives from both branded and independent auto workshops. The data was analyzed using thematic analysis. A version of the capability maturity model was introduced to the respondents as a self-evaluation of their cybersecurity awareness. Findings: Cybersecurity was not found to be part of the current auto workshop work culture, and there is a gap between independent workshops and branded workshops. Specifically, in how they function, approach problems and the tools and support available to them to resolve (particularly regarding previously unknown) issues. Research limitations/implications: Only auto workshop managers in Sweden were interviewed for this study. This role was picked because it is the most likely to have come in contact with cybersecurity-related issues. They may also have discussed the topic with mechanics, manufacturers or other auto workshops – thus providing a broader view of potential issues or challenges. Practical implications: The challenges identified in this study offer actionable advice to car manufacturers, branded workshops and independent workshops. The goal is to further cooperation, improve knowledge sharing and avoid unnecessary safety or security issues. Originality/value: As cars become smarter, they also become potential targets for cyberattacks, which in turn poses potential threats to human safety. However, research on auto workshops, which has previously ensured that cars are road safe, has received little research attention with regards to the role cybersecurity can play in repairs and maintenance. Insights from auto workshops can therefore shed light upon the unique challenges and issues tied to the cybersecurity of cars, and how they are kept up-to-date and road safe in the digital era.

Place, publisher, year, edition, pages
Emerald Publishing, 2024
Keywords
Auto workshop security, Connected car, Vehicle cybersecurity, Cybersecurity, Current practices, Cyber security, Design/methodology/approach, Empirical studies, On currents, On-currents, Repair and maintenance, Roads and streets
National Category
Information Systems; Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23599 (URN); 10.1108/ICS-11-2023-0211 (DOI); 001153515300001 (); 2-s2.0-85183841672 (Scopus ID)
Note

CC BY 4.0 LEGAL CODE

© 2024, Emerald Publishing Limited.

Article publication date: 1 February 2024

Correspondence Address: D. Hedberg; School of Informatics, University of Skövde, Skövde, Sweden; email: davidhedberg@hotmail.com

Available from: 2024-02-15. Created: 2024-02-15. Last updated: 2024-09-24. Bibliographically approved
Salin, H. & Lundgren, M. (2023). A Gap Analysis of the Adoption Maturity of Certificateless Cryptography in Cooperative Intelligent Transportation Systems. Journal of Cybersecurity and Privacy, 3(3), 591-609
2023 (English). In: Journal of Cybersecurity and Privacy, E-ISSN 2624-800X, Vol. 3, no 3, p. 591-609. Article in journal (Refereed). Published
Abstract [en]

Cooperative Intelligent Transport Systems (C-ITSs) are an important development for society. C-ITSs enhance road safety, improve traffic efficiency, and promote sustainable transportation through interconnected and intelligent communication between vehicles, infrastructure, and traffic-management systems. Many real-world implementations still consider traditional Public Key Infrastructures (PKI) as the underlying trust model and security control. However, there are challenges with the PKI-based security control from a scalability and revocation perspective. Lately, certificateless cryptography has gained research attention, also in conjunction with C-ITSs, making it a new type of security control to be considered. In this study, we use certificateless cryptography as a candidate to investigate factors affecting decisions (not) to adopt new types of security controls, and study its current gaps, key challenges and possible enablers which can influence the industry. We provide a qualitative study with industry specialists in C-ITSs, combined with a literature analysis of the current state of research in certificateless cryptography in C-ITS. It was found that only 53% of the current certificateless cryptography literature for C-ITSs in 2022–2023 provide laboratory testing of the protocols, and 0% have testing in real-world settings. However, the trend of research output in the field has been increasing linearly since 2016 with more than eight times as many articles in 2022 compared to 2016. Based on our analysis, using a five-phased Innovation-Decision Model, we found that key reasons affecting adoption are: availability of proof-of-concepts, knowledge beyond current best practices, and a strong buy-in from both stakeholders and standardization bodies.

Place, publisher, year, edition, pages
MDPI, 2023
Keywords
C-ITS, certificateless cryptography, crypto-readiness
National Category
Other Engineering and Technologies not elsewhere specified; Computer Systems; Transport Systems and Logistics
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23288 (URN); 10.3390/jcp3030028 (DOI); 2-s2.0-85172125084 (Scopus ID)
Note

CC BY 4.0

© 2023 by the authors.

Correspondence: hasa@du.se

This research received no external funding.

Available from: 2023-10-05. Created: 2023-10-05. Last updated: 2024-08-30. Bibliographically approved
Lundgren, M. & Padyab, A. (2023). A Review of Cyber Threat (Artificial) Intelligence in Security Management (1 ed.). In: Tuomo Sipola; Tero Kokkonen; Mika Karjalainen (Ed.), Artificial Intelligence and Cybersecurity: Theory and Applications (pp. 29-45). Cham: Springer Nature Switzerland AG
2023 (English). In: Artificial Intelligence and Cybersecurity: Theory and Applications / [ed] Tuomo Sipola; Tero Kokkonen; Mika Karjalainen, Cham: Springer Nature Switzerland AG, 2023, 1, p. 29-45. Chapter in book (Refereed)
Abstract [en]

Managing cybersecurity within organizations typically relies on careful consideration and management of its risks. By following an iterative—often sequential—risk management process, an organization’s exposure to risks can be assessed by weighing organizational digital asset values against the probability of being harmed by a threat [29]. However, this approach has been criticized for reflecting only a snapshot of the organization’s assets and threats. Furthermore, identifying threats and the ability to remain updated on current threats and vulnerabilities are often dependent on skilled and experienced experts, causing risks to be primarily determined based on subjective judgment [46]. Nevertheless, this also poses a challenge to organizations that cannot stay up-to-date with what assets are vulnerable or attain personnel with the necessary experience and know-how to obtain relevant information on cybersecurity threats towards those assets [8, 30, 37].

Place, publisher, year, edition, pages
Cham: Springer Nature Switzerland AG, 2023. Edition: 1
National Category
Information Systems
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-22135 (URN); 10.1007/978-3-031-15030-2_2 (DOI); 2-s2.0-85160500378 (Scopus ID); 978-3-031-15029-6 (ISBN); 978-3-031-15032-6 (ISBN); 978-3-031-15030-2 (ISBN)
Note

© 2022 Springer Nature Switzerland AG. Part of Springer Nature.

Available from: 2022-12-16. Created: 2022-12-16. Last updated: 2023-06-20. Bibliographically approved
Bergström, E., Lundgren, M., Bernsmed, K. & Bour, G. (2023). “Check, Check, Check, We Got Those” – Catalogue Use in Information Security Risk Management. In: Steve Furnell; Nathan Clarke (Ed.), Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings. Paper presented at 17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023 (pp. 181-191). Cham: Springer, 1
2023 (English). In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 181-191. Conference paper, Published paper (Refereed)
Abstract [en]

Information Security Risk Management (ISRM) is fundamental in most organisations today. The literature describes ISRM as a complex activity, and one way of addressing this is to enable knowledge reuse in the shape of catalogues. Catalogues in the ISRM domain can contain lists of, e.g. assets, threats and security controls. In this paper, we focus on three aspects of catalogue use. Why we need catalogues, how catalogue granularity is perceived, and how catalogues help novices in practice. As catalogue use is not yet a widespread practice in the ISRM, we have selected a domain where catalogues are a part of the ISRM work. In this case, the Air Traffic Management (ATM) domain uses a methodology that includes catalogues and is built on ISO/IEC 27005. The results are based on data collected from 19 interviews with ATM professionals that are either experts or novices in ISRM. With this paper, we nuance the view on what catalogues can contribute with. For example, consistency, coherency, a starting point and new viewpoints. At the same time, we identify the need to inform about the aim of the catalogues and the limitations that come with catalogue use in order to leverage the use – especially from a novice perspective. © 2023, IFIP International Federation for Information Processing.

Place, publisher, year, edition, pages
Cham: Springer, 2023
Series
IFIP Advances in Information and Communication Technology (IFIPAICT), ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords
Catalogues, Information Security Risk Management, Risk management practice
National Category
Information Systems, Social aspects; Information Systems
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23312 (URN); 10.1007/978-3-031-38530-8_15 (DOI); 2-s2.0-85172661821 (Scopus ID); 978-3-031-38529-2 (ISBN); 978-3-031-38532-2 (ISBN); 978-3-031-38530-8 (ISBN)
Conference
17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023
Available from: 2023-10-16. Created: 2023-10-16. Last updated: 2024-04-15. Bibliographically approved
Hedberg, D., Lundgren, M. & Nohlberg, M. (2023). Cyberthreats in Modern Cars: Responsibility and Readiness of Auto Workshops. In: Steve Furnell; Nathan Clarke (Ed.), Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings. Paper presented at 17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023 (pp. 275-284). Cham: Springer, 1
2023 (English). In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 275-284. Conference paper, Published paper (Refereed)
Abstract [en]

Modern cars are becoming increasingly smarter and connected. Today, cars often contain features ranging from controlling service functions through a mobile application to remote road assistance. However, as cars become smarter, they also become potential targets for cyberattacks, and a potential threat to human safety. Traditionally, handing in a car to an auto workshop for repairs and maintenance has ensured that the car is road safe. But, to what extent are auto mechanics aware of repairs and maintenance related to the car’s cybersecurity? Based on interviews with eight auto workshop specialists in Sweden, using the capability maturity model as a lens to capture the readiness maturity, the following study looks at experiences with cybersecurity related to cars, what current tools are used, and procedures to deal with a cyberattack against cars in their workshop. It was found that auto workshops are potential targets, with limited solutions existing today, and that cyber security is not a part of the current culture. It was also found that there is a gap between independent workshops and branded workshops in how they function and in what manner they approach problems and issues. Specifically, for new issues (i.e., previously unencountered issues), branded workshops relied more on the manufacturer than independent workshops who were left to use whatever solution they could figure out by their own means, which sometimes may be akin to hacking the car’s systems.

Place, publisher, year, edition, pages
Cham: Springer, 2023
Series
IFIP Advances in Information and Communication Technology (IFIPAICT), ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords
Connected car, vehicle cyber security, auto workshop security
National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23032 (URN); 10.1007/978-3-031-38530-8_22 (DOI); 2-s2.0-85172683789 (Scopus ID); 978-3-031-38529-2 (ISBN); 978-3-031-38532-2 (ISBN); 978-3-031-38530-8 (ISBN)
Conference
17th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2023, Kent, United Kingdom, July 4–6, 2023
Available from: 2023-07-13. Created: 2023-07-13. Last updated: 2023-10-16. Bibliographically approved
Padyab, A. & Lundgren, M. (2023). Stress in doctoral supervision: A perspective on supervisors. Journal of Praxis in Higher Education, 5(2), 91-117
2023 (English). In: Journal of Praxis in Higher Education, E-ISSN 2003-3605, Vol. 5, no 2, p. 91-117. Article in journal (Refereed). Published
Abstract [en]

This paper shares findings from an interview study designed to open up critical conversations on complexity in advising. Using a narrative inquiry approach to centre storytelling and personal experience as valuable knowledge, I interview advisors (both academic and unofficial) who were central to my own doctoral research journey, as well as former doctoral students of mine. The interview results are put in relation with my own critical reflection on my advising practices as an ethos, as opposed to a set of tasks or functions, and put into context with larger social concepts such as positionality. This new perspective is suggested as a supplement to complexify and expand earlier research on advising styles. Advising is characterised as deeply entangled with mentoring as well as teaching at large, and the paper concludes with identification of larger ethea, reflecting how advising practices are co-constituted in relation with a range of other factors, such as positionality, institutional and disciplinary context, the larger student lifeworld, and perspectives on teaching and learning.

Place, publisher, year, edition, pages
University of Borås, 2023
Keywords
doctoral advising, intergenerational dialogue, mentorship, narrative inquiry
National Category
Pedagogy
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-23179 (URN); 10.47989/kpdc307 (DOI)
Note

CC BY-NC-ND 4.0

Corresponding author: Ali Padyab, University of Skövde, Sweden (ali.padyab@his.se).

Available from: 2023-09-06. Created: 2023-09-06. Last updated: 2023-11-24. Bibliographically approved
Bernsmed, K., Bour, G., Lundgren, M. & Bergström, E. (2022). An evaluation of practitioners’ perceptions of a security risk assessment methodology in air traffic management projects. Journal of Air Transport Management, 102, 102223-102223, Article ID 102223.
2022 (English). In: Journal of Air Transport Management, ISSN 0969-6997, E-ISSN 1873-2089, Vol. 102, p. 102223-102223, article id 102223. Article in journal (Refereed). Published
Abstract [en]

Cyber security is a key enabler for safe Air Traffic Management (ATM). This paper presents results from an empirical study, in which we have investigated and evaluated the use of the Security Risk Assessment Methodology for SESAR (SecRAM) in European ATM research and development projects. The study was performed with the intention to find and document common issues and aspects that could be improved in the methodology. The results from the study reveal that while most of the practitioners had a positive perception of the methodology itself, they were less satisfied with the process of applying it in their projects. Based on the results, we provide a number of recommendations, which aim to improve the security risk assessment process in the ATM domain.

Place, publisher, year, edition, pages
Elsevier, 2022
Keywords
Information security, Cyber security, Security risk assessment, Air Traffic Management, SESAR, SecRAM
National Category
Information Systems; Information Systems, Social aspects
Identifiers
urn:nbn:se:his:diva-22987 (URN); 10.1016/j.jairtraman.2022.102223 (DOI); 000806790900003 (); 2-s2.0-85130773545 (Scopus ID)
Funder
EU, Horizon 2020, 731765; The Research Council of Norway, 247678
Note

CC BY 4.0

This project has received funding from the SESAR JU under the EU H2020 research and innovation programme under grant agreement 731765. The work has also been supported by the Science of Security in Agile Software Development (SoS-Agile) project, funded by the Research Council of Norway (grant number 247678).

Available from: 2023-07-06. Created: 2023-07-06. Last updated: 2023-07-06. Bibliographically approved
Salin, H. & Lundgren, M. (2022). Towards Agile Cybersecurity Risk Management for Autonomous Software Engineering Teams. Journal of Cybersecurity and Privacy, 2(2), 276-291
2022 (English). In: Journal of Cybersecurity and Privacy, E-ISSN 2624-800X, Vol. 2, no 2, p. 276-291. Article in journal (Refereed). Published
Abstract [en]

In this study, a framework was developed, based on a literature review, to help managers incorporate cybersecurity risk management in agile development projects. The literature review used predefined codes that were developed by extending previously defined challenges in the literature—for developing secure software in agile projects—to include aspects of agile cybersecurity risk management. Five steps were identified based on the insights gained from how the reviewed literature has addressed each of the challenges: (1) risk collection; (2) risk refinement; (3) risk mitigation; (4) knowledge transfer; and (5) escalation. To assess the appropriateness of the identified steps, and to determine their inclusion or exclusion in the framework, a survey was submitted to 145 software developers using a four-point Likert scale to measure the attitudes towards each step. The resulting framework presented herein serves as a starting point to help managers and developers structure their agile projects in terms of cybersecurity risk management, supporting less overloaded agile processes, stakeholder insights on relevant risks, and increased security assurance.

Place, publisher, year, edition, pages
MDPI, 2022
Keywords
agile methods, risk management, cybersecurity, agile risk management
National Category
Software Engineering
Identifiers
urn:nbn:se:his:diva-22958 (URN); 10.3390/jcp2020015 (DOI)
Note

CC BY 4.0

Funding: This research received no external funding.

Available from: 2023-07-04. Created: 2023-07-04. Last updated: 2024-08-30. Bibliographically approved
Lundgren, M. & Padyab, A. (2021). Security and Privacy of Smart Homes: Issues and Solutions. In: Ali Ismail Awad; Jemal Abawajy (Ed.), Security and Privacy in the Internet of Things: Architectures, Techniques, and Applications (pp. 235-260). John Wiley & Sons
2021 (English). In: Security and Privacy in the Internet of Things: Architectures, Techniques, and Applications / [ed] Ali Ismail Awad; Jemal Abawajy, John Wiley & Sons, 2021, p. 235-260. Chapter in book (Refereed)
Abstract [en]

The current discussion and adoption of new technologies such as Internet of Things and smart technologies, like smart homes, have blossomed over the last decade. The user-centric aspect plays a vital role in the development of smart homes, since its spread and usage is fundamentally depending on people adopting new technologies into their normal everyday lives. This chapter contributes to raising our understanding of the security and privacy challenges and solutions that exist within smart homes. It first investigates various dimensions of information security and privacy in order to build a framework to analyze actual or perceived security and privacy issues that can arise from new technologies like smart homes. The chapter presents what security techniques and mechanisms are available to address these. Finally, it discusses what the future might hold in terms of security and privacy of smart homes, followed by a section highlighting the contributions of this chapter.

Place, publisher, year, edition, pages
John Wiley & Sons, 2021
Keywords
Internet of Things, privacy challenges, privacy techniques, security techniques, smart homes
National Category
Information Systems
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-20768 (URN); 10.1002/9781119607755.ch9 (DOI); 2-s2.0-85147848455 (Scopus ID); 9781119607748 (ISBN); 9781119607755 (ISBN); 9781119607762 (ISBN); 9781119607779 (ISBN)
Note

Copyright © 2022 by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

Available from: 2021-12-06. Created: 2021-12-06. Last updated: 2024-11-13. Bibliographically approved
Identifiers
ORCID iD: orcid.org/0000-0003-1692-5721