Högskolan i Skövde

his.sePublikationer
Ändra sökning
RefereraExporteraLänk till posten
Permanent länk

Direktlänk
Referera
Referensformat
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Annat format
Fler format
Språk
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Annat språk
Fler språk
Utmatningsformat
  • html
  • text
  • asciidoc
  • rtf
Supporting Information Security Management: Developing a Method for Information Classification
Högskolan i Skövde, Institutionen för informationsteknologi. Högskolan i Skövde, Forskningsmiljön Informationsteknologi. School of Engineering, Jönköping University. (Information Systems)ORCID-id: 0000-0002-1436-2980
2020 (Engelska)Doktorsavhandling, sammanläggning (Övrigt vetenskapligt)
Abstract [en]

In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.

This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.

Abstract [sv]

I den starkt digitaliserade värld vi lever i idag har information och informationssystem blivit kritiska tillgångar för organisationer och därför måste dessa följaktligen skyddas. För att implementera och arbeta med informationssäkerhet på ett strukturerat sätt kan ett ledningssystem för informationssäkerhet (LIS) implementeras. Hantering av tillgångar är en central aktivitet i LIS som syftar till att identifiera tillgångar, fastställa lämpligt ansvar och bestämma lämplig skyddsnivå för informationstillgångar. En aktivitet inom hanteringen av tillgångar är informationsklassificering som har som mål att se till att information får en lämplig skyddsnivå i enlighet med dess betydelse för organisationen. Informationsklassificering är en allmänt känd och välanvänd praxis för alla slags organisationer, både inom den privata och offentliga sektorn. Dessutom finns informationsklassificering beskrivit som en del av flera standarder exempelvis i ISO/IEC 27002, COBIT och NIST-SP800.

Informationsklassificering har emellertid fått lite uppmärksamhet inom akademin och dessutom kämpar många organisationer med införandet. De underliggande orsakerna till varför det är problematiskt att implementera och använda informationsklassificering är i mångt och mycket oklara. Vidare tillhandahåller exempelvis befintliga standarder och nationella rekommendationer inget sammanhängande och systematiskt beskrivit tillvägagångssätt för att skildra informationsklassificering. De korta beskrivningarna i standarder och vetenskaplig litteratur utelämnar väsentliga aspekter som krävs för att kunna implementera informationsklassificering i en organisation. Det finns till exempel brist på detaljerade beskrivningar avseende (1) förfaranden och begrepp, (2) hur man kan anpassa tillvägagångssättet för olika situationer, (3) ett ramverk som strukturerar och styr klassificeringen, (4) vilka roller som ska vara involverade i klassificeringen och (5) hur information med olika granularitet hanteras.

Denna avhandling syftar till att utveckla en metod för informationsklassificering som bygger på standarder och praxis och som kan användas som en del av LIS-arbetet. För att möta detta syfte genomfördes en DSR-studie (Design Science Research) i tre cykler. Ett brett spektrum av data har samlats in som en del av detta arbete, inklusive en serie intervjuer med experter och nybörjare om informationsklassificering, en enkätundersökning, ett antal observationer samt en insamling av de flesta svenska myndigheters klassificeringspolicyer. Det finns tre huvudsakliga bidrag med denna avhandling (1) identifiering av problem och möjliggörare för informationsklassificering, (2) designprinciper som ligger till grund för utvecklingen av en metod för informationsklassificering och (3) metoden för informationsklassificering. Det har också gjorts bidrag till kontexten kring informationsklassificering. Exempelvis beskrivs och ges 20 praktiska förslag för hur man bemöter väldokumenterade utmaningar inom riskanalys och vid val av skyddsåtgärder.

Ort, förlag, år, upplaga, sidor
Skövde: University of Skövde , 2020. , s. 310
Serie
Dissertation Series ; 33
Nyckelord [en]
information classification, Information security management, Information security management systems, Information classification method
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik
Forskningsämne
INF303 Informationssäkerhet; Informationssystem (IS)
Identifikatorer
URN: urn:nbn:se:his:diva-18920ISBN: 978-91-984918-5-2 (tryckt)OAI: oai:DiVA.org:his-18920DiVA, id: diva2:1458263
Disputation
2020-09-04, G109, Högskolevägen 1, 09:00 (Engelska)
Opponent
Handledare
Tillgänglig från: 2020-08-14 Skapad: 2020-08-14 Senast uppdaterad: 2023-07-06Bibliografiskt granskad
Delarbeten
1. Information Classification Issues
Öppna denna publikation i ny flik eller fönster >>Information Classification Issues
2014 (Engelska)Ingår i: Secure IT Systems: 19th Nordic Conference, NordSec 2014, Tromsø, Norway, October 15-17, 2014, Proceedings / [ed] Karin Bernsmed & Simone Fischer-Hübner, Cham: Springer, 2014, s. 27-41Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

This paper presents an extensive systematic literature review with the aim of identifying and classifying issues in the information classification process. The classification selected uses human and organizational factors for grouping the identified issues. The results reveal that policy-related issues are most commonly described, but not necessarily the most crucial ones. Furthermore, gaps in the research field are identified in order to outline paths for further research.

Ort, förlag, år, upplaga, sidor
Cham: Springer, 2014
Serie
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349 ; 8788
Nyckelord
information classification, systematic literature review, information security management systems
Nationell ämneskategori
Datavetenskap (datalogi)
Forskningsämne
Teknik; Informationssystem (IS)
Identifikatorer
urn:nbn:se:his:diva-10109 (URN)10.1007/978-3-319-11599-3_2 (DOI)2-s2.0-84910065925 (Scopus ID)978-3-319-11598-6 (ISBN)978-3-319-11599-3 (ISBN)
Konferens
19th Nordic Conference, NordSec 2014, Tromsø, Norway, October 15-17, 2014
Tillgänglig från: 2014-10-22 Skapad: 2014-10-22 Senast uppdaterad: 2020-08-14Bibliografiskt granskad
2. Information Classification Enablers
Öppna denna publikation i ny flik eller fönster >>Information Classification Enablers
2015 (Engelska)Ingår i: Foundations and Practice of Security: 8th International Symposium, FPS 2015, Clermont-Ferrand, France, October 26-28, 2015, Revised Selected Papers / [ed] Joaquin Garcia-Alfaro, Evangelos Kranakis, Guillaume Bonfante, Cham: Springer, 2015, Vol. 9482, s. 268-276Kapitel i bok, del av antologi (Refereegranskat)
Abstract [en]

This paper presents a comprehensive systematic literature review of information classification (IC) enablers. We propose a classification based on the well-known levels of management: strategic, tactical and operational. The results reveal that a large number of enablers could be adopted to increase the applicability of IC in organizations. The results also indicate that there is not one single enabler solving the problem, but rather several enablers can influence the adoption.

Ort, förlag, år, upplaga, sidor
Cham: Springer, 2015
Serie
Lecture Notes in Computer Science (LNCS), ISSN 0302-9743, E-ISSN 1611-3349 ; 9482
Nyckelord
nformation classification, Systematic literature review, ISMS
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
Forskningsämne
Teknik; Humaniora-samhällsvetenskap; Informationssystem (IS)
Identifikatorer
urn:nbn:se:his:diva-12022 (URN)10.1007/978-3-319-30303-1_17 (DOI)000379392900017 ()2-s2.0-84960324053 (Scopus ID)978-3-319-30302-4 (ISBN)978-3-319-30303-1 (ISBN)
Konferens
8th International Symposium, FPS 2015, Clermont-Ferrand, France, October 26-28, 2015
Tillgänglig från: 2016-03-08 Skapad: 2016-03-08 Senast uppdaterad: 2020-08-14Bibliografiskt granskad
3. Information Classification Policies: An Exploratory Investigation
Öppna denna publikation i ny flik eller fönster >>Information Classification Policies: An Exploratory Investigation
2018 (Engelska)Ingår i: Proceedings of the Annual Information Institute Conference / [ed] G. Dhillon, S. Samonas, Washington, DC: Information Institute , 2018Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

InfoSec policies are considered a key mechanism in information security, and most organizations have one. However, the large majority of security policy research has focused on what policies should include rather than how they are accomplished in practice. To contribute to overcoming the lack of knowledge regarding this crucial aspect, this paper investigates information security policies based on what underlying approaches information classification practices are built on and the perceived ease of turning the policy into practice. To do so, a survey was sent to 284 Swedish government agencies, and 80 of their internal policies were collected as data. The data were analyzed both qualitatively, and qualitatively. The results show that information classification adoption rates are low despite being mandatory and that agencies are struggling in closing the gap between standards and practice. Furthermore, the results also show that information classification policies need to be more specific and give more actionable advice regarding, e.g., how information life-cycle management is included in practice, and where the responsibility for classification is put in the organization.

Ort, förlag, år, upplaga, sidor
Washington, DC: Information Institute, 2018
Nyckelord
Information security management, information classification, InfoSec policies., Public Administration Studies, Studier av offentlig förvaltning
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik
Forskningsämne
Informationssystem (IS)
Identifikatorer
urn:nbn:se:his:diva-18924 (URN)978-1-935160-19-9 (ISBN)
Konferens
17th Annual Security Conference, March 26-28, 2018 Las Vegas, NV, USA
Tillgänglig från: 2020-08-17 Skapad: 2020-08-17 Senast uppdaterad: 2020-08-24Bibliografiskt granskad
4. Revisiting information security risk management challenges: a practice perspective
Öppna denna publikation i ny flik eller fönster >>Revisiting information security risk management challenges: a practice perspective
2019 (Engelska)Ingår i: Information and Computer Security, E-ISSN 2056-4961, Vol. 27, nr 3, s. 358-372Artikel i tidskrift (Refereegranskat) Published
Abstract [en]

Purpose: The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach: The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings: Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work. Research limitations/implications: The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications: The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value: Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches. 

Ort, förlag, år, upplaga, sidor
Emerald Group Publishing Limited, 2019
Nyckelord
Asset valuation, Information security, Practice theory, Risk management
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
Forskningsämne
Informationssystem (IS)
Identifikatorer
urn:nbn:se:his:diva-17319 (URN)10.1108/ICS-09-2018-0106 (DOI)000479219900003 ()2-s2.0-85067021789 (Scopus ID)
Tillgänglig från: 2019-06-27 Skapad: 2019-06-27 Senast uppdaterad: 2023-07-06Bibliografiskt granskad
5. Dynamic interplay in the information security risk management process
Öppna denna publikation i ny flik eller fönster >>Dynamic interplay in the information security risk management process
2019 (Engelska)Ingår i: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 22, nr 2, s. 212-230Artikel i tidskrift (Refereegranskat) Published
Abstract [en]

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges. 

Ort, förlag, år, upplaga, sidor
InderScience Publishers, 2019
Nyckelord
Formal processes, Information classification, Interplay, Risk analysis, Security controls
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
Forskningsämne
Informationssystem (IS)
Identifikatorer
urn:nbn:se:his:diva-18624 (URN)10.1504/IJRAM.2019.101287 (DOI)2-s2.0-85086419939 (Scopus ID)
Tillgänglig från: 2020-06-29 Skapad: 2020-06-29 Senast uppdaterad: 2023-07-06Bibliografiskt granskad
6. Stress Amongst Novice Information Security Risk Management Practitioners
Öppna denna publikation i ny flik eller fönster >>Stress Amongst Novice Information Security Risk Management Practitioners
2019 (Engelska)Ingår i: International Journal on Cyber Situational Awareness, ISSN 2057-2182, Vol. 4, nr 1, s. 128-154, artikel-id 28Artikel i tidskrift (Refereegranskat) Published
Abstract [en]

Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), and ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found with security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach, to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers’ decisions, and identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.

Ort, förlag, år, upplaga, sidor
Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC), 2019
Nyckelord
Security-novice, information security, information security risk management, stress, tools, compliance, management, Information Systems, Social aspects, Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
Identifikatorer
urn:nbn:se:his:diva-18925 (URN)10.22619/IJCSA (DOI)
Anmärkning

CC BY 4.0

This paper is a revised and expanded version of Lundgren and Bergström (2019b) presented at the 2019 International Conference on Cyber Science, 3-4 June 2019 in Oxford, UK. We want to thank the anonymous reviewers for their excellent suggestions and valuable insights.

Lundgren, M., & Bergström, E. (2019b). Security-Related Stress: A Perspective on Information Security Risk Management. Paper presented at the 2019 International Conference On Cyber Security and Protection of Digital Services (Cyber Security), Oxford, UK

Tillgänglig från: 2020-08-17 Skapad: 2020-08-17 Senast uppdaterad: 2023-07-06Bibliografiskt granskad
7. Developing an information classification method
Öppna denna publikation i ny flik eller fönster >>Developing an information classification method
2021 (Engelska)Ingår i: Information and Computer Security, E-ISSN 2056-4961, Vol. 29, nr 2, s. 209-239Artikel i tidskrift (Refereegranskat) Published
Abstract [en]

Purpose: The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified. Design/methodology/approach: The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019. Findings: The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation. Research limitations/implications: Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement. Practical implications: The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour. Originality/value: The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.

Ort, förlag, år, upplaga, sidor
Emerald Group Publishing Limited, 2021
Nyckelord
Information classification, Information classification method, Information security management, Information security management systems, ISO Standards, Security of data, Design Principles, Design-science researches, Design/methodology/approach, Information assets, Long-term goals, Organisational, Subjective judgement, Classification (of information)
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning Datavetenskap (datalogi)
Forskningsämne
Informationssystem (IS)
Identifikatorer
urn:nbn:se:his:diva-19309 (URN)10.1108/ICS-07-2020-0110 (DOI)000595848200001 ()2-s2.0-85097088962 (Scopus ID)
Anmärkning

Article publication date: 3 December 2020.

Issue publication date: 3 August 2021.

Tillgänglig från: 2020-12-10 Skapad: 2020-12-10 Senast uppdaterad: 2023-05-02Bibliografiskt granskad

Open Access i DiVA

Thesis(1424 kB)1097 nedladdningar
Filinformation
Filnamn FULLTEXT01.pdfFilstorlek 1424 kBChecksumma SHA-512
d70346f17eafb3aa6ea5d9374a7e14781c6a293fcd3574189c4e4489335112e0f43ab6e0c5c361cc87204fb71da9c40ca2d6f31cadcfdd15f20906d8abded05b
Typ fulltextMimetyp application/pdf

Person

Bergström, Erik

Sök vidare i DiVA

Av författaren/redaktören
Bergström, Erik
Av organisationen
Institutionen för informationsteknologiForskningsmiljön Informationsteknologi
Systemvetenskap, informationssystem och informatik

Sök vidare utanför DiVA

GoogleGoogle Scholar
Totalt: 1102 nedladdningar
Antalet nedladdningar är summan av nedladdningar för alla fulltexter. Det kan inkludera t.ex tidigare versioner som nu inte längre är tillgängliga.

isbn
urn-nbn

Altmetricpoäng

isbn
urn-nbn
Totalt: 2165 träffar
RefereraExporteraLänk till posten
Permanent länk

Direktlänk
Referera
Referensformat
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Annat format
Fler format
Språk
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Annat språk
Fler språk
Utmatningsformat
  • html
  • text
  • asciidoc
  • rtf