Högskolan i Skövde

his.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Stress Amongst Novice Information Security Risk Management Practitioners
Department of Computer Science and Informatics, School of Engineering, Jönköping University, Sweden.ORCID iD: 0000-0002-1436-2980
Department of Computer Science, Luleå University of Technology, Sweden.ORCID iD: 0000-0003-1692-5721
2019 (English)In: International Journal on Cyber Situational Awareness, ISSN 2057-2182, Vol. 4, no 1, p. 128-154, article id 28Article in journal (Refereed) Published
Abstract [en]

Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), and ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found with security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach, to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers’ decisions, and identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.

Place, publisher, year, edition, pages
Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC) , 2019. Vol. 4, no 1, p. 128-154, article id 28
Keywords [en]
Security-novice, information security, information security risk management, stress, tools, compliance, management, Information Systems, Social aspects, Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
National Category
Information Systems Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:his:diva-18925DOI: 10.22619/IJCSAOAI: oai:DiVA.org:his-18925DiVA, id: diva2:1458393
Note

CC BY 4.0

This paper is a revised and expanded version of Lundgren and Bergström (2019b) presented at the 2019 International Conference on Cyber Science, 3-4 June 2019 in Oxford, UK. We want to thank the anonymous reviewers for their excellent suggestions and valuable insights.

Lundgren, M., & Bergström, E. (2019b). Security-Related Stress: A Perspective on Information Security Risk Management. Paper presented at the 2019 International Conference On Cyber Security and Protection of Digital Services (Cyber Security), Oxford, UK

Available from: 2020-08-17 Created: 2020-08-17 Last updated: 2023-07-06Bibliographically approved
In thesis
1. Supporting Information Security Management: Developing a Method for Information Classification
Open this publication in new window or tab >>Supporting Information Security Management: Developing a Method for Information Classification
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.

This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.

Abstract [sv]

I den starkt digitaliserade värld vi lever i idag har information och informationssystem blivit kritiska tillgångar för organisationer och därför måste dessa följaktligen skyddas. För att implementera och arbeta med informationssäkerhet på ett strukturerat sätt kan ett ledningssystem för informationssäkerhet (LIS) implementeras. Hantering av tillgångar är en central aktivitet i LIS som syftar till att identifiera tillgångar, fastställa lämpligt ansvar och bestämma lämplig skyddsnivå för informationstillgångar. En aktivitet inom hanteringen av tillgångar är informationsklassificering som har som mål att se till att information får en lämplig skyddsnivå i enlighet med dess betydelse för organisationen. Informationsklassificering är en allmänt känd och välanvänd praxis för alla slags organisationer, både inom den privata och offentliga sektorn. Dessutom finns informationsklassificering beskrivit som en del av flera standarder exempelvis i ISO/IEC 27002, COBIT och NIST-SP800.

Informationsklassificering har emellertid fått lite uppmärksamhet inom akademin och dessutom kämpar många organisationer med införandet. De underliggande orsakerna till varför det är problematiskt att implementera och använda informationsklassificering är i mångt och mycket oklara. Vidare tillhandahåller exempelvis befintliga standarder och nationella rekommendationer inget sammanhängande och systematiskt beskrivit tillvägagångssätt för att skildra informationsklassificering. De korta beskrivningarna i standarder och vetenskaplig litteratur utelämnar väsentliga aspekter som krävs för att kunna implementera informationsklassificering i en organisation. Det finns till exempel brist på detaljerade beskrivningar avseende (1) förfaranden och begrepp, (2) hur man kan anpassa tillvägagångssättet för olika situationer, (3) ett ramverk som strukturerar och styr klassificeringen, (4) vilka roller som ska vara involverade i klassificeringen och (5) hur information med olika granularitet hanteras.

Denna avhandling syftar till att utveckla en metod för informationsklassificering som bygger på standarder och praxis och som kan användas som en del av LIS-arbetet. För att möta detta syfte genomfördes en DSR-studie (Design Science Research) i tre cykler. Ett brett spektrum av data har samlats in som en del av detta arbete, inklusive en serie intervjuer med experter och nybörjare om informationsklassificering, en enkätundersökning, ett antal observationer samt en insamling av de flesta svenska myndigheters klassificeringspolicyer. Det finns tre huvudsakliga bidrag med denna avhandling (1) identifiering av problem och möjliggörare för informationsklassificering, (2) designprinciper som ligger till grund för utvecklingen av en metod för informationsklassificering och (3) metoden för informationsklassificering. Det har också gjorts bidrag till kontexten kring informationsklassificering. Exempelvis beskrivs och ges 20 praktiska förslag för hur man bemöter väldokumenterade utmaningar inom riskanalys och vid val av skyddsåtgärder.

Place, publisher, year, edition, pages
Skövde: University of Skövde, 2020. p. 310
Series
Dissertation Series ; 33
Keywords
information classification, Information security management, Information security management systems, Information classification method
National Category
Information Systems
Research subject
INF303 Information Security; Information Systems
Identifiers
urn:nbn:se:his:diva-18920 (URN)978-91-984918-5-2 (ISBN)
Public defence
2020-09-04, G109, Högskolevägen 1, 09:00 (English)
Opponent
Supervisors
Available from: 2020-08-14 Created: 2020-08-14 Last updated: 2023-07-06Bibliographically approved
2. Making the Dead Alive: Dynamic Routines in Risk Management
Open this publication in new window or tab >>Making the Dead Alive: Dynamic Routines in Risk Management
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Alternative title[sv]
Död eller Levande : Dynamiska Rutiner för Riskhantering
Abstract [en]

Risk management in information security is relevant to most, if not all, organizations. It is perhaps even more relevant considering the opportunities offered by the digitalization era, where reliably sharing, creating, and consuming information has become a competitive advantage, and information has become an asset of strategic concern. The adequate protection of information is therefore important to the whole organization. Determining what to protect, the required level of protection, and how to reach that level of protection is considered risk management, which can be described as the continuous process of identifying and countering information security risks that threaten information availability, confidentiality, and integrity. The processes for performing risk management are typically outlined in a sequence of activities, which describe what organizations should do to systematically manage their information security risks. However, risk management has previously been concluded to be challenging and complex and as something that must be kept alive. That is, routines for performing risk management activities need to be continuously adapted to remain applicable to organizational challenges in specific contexts. However, it remains unclear how such adaptations happen and why they are considered useful by practitioners, as there is a conspicuous absence of empirical studies that examine actual security practices. This issue is addressed in this thesis by conducting empirical studies of governmental agencies and organizations. This was done to contribute to an increased understanding of actual security practices. The analysis used for this study frames formal activities as ‘dead routines,’ since they are constructed as instructions that aid in controlling performance, such as risk management standards. Practitioners’ performance, experience, and understanding are denoted as ‘alive routines,’ as they are flexible and shaped over time. An explanation model was used to elaborate on the contrast between dead— controlling—and alive—shaping—routines of risk management. This thesis found that when dead and alive routines interact and influence each other, they give rise to flexible and emergent processes of adaptations, i.e., dynamic routines. Examples of dynamic routines occurred in response to activities that were originally perceived as too complex and were adapted to simplify or increase their efficiency, e.g., by having a direct relation between security controls and asset types. Dynamic routines also appeared as interactions between activities in response to conflicting expectations that were adjusted accordingly, e.g., the cost or level of complexity in security controls. In conclusion, dynamic routines occur to improve risk management activities to fit new circumstances.

Place, publisher, year, edition, pages
Luleå: Luleå University of Technology, 2020
Keywords
Risk management, information security, routine, practice, asset identification, risk analysis, risk treatment, organizational aspects
National Category
Information Systems Information Systems, Social aspects
Identifiers
urn:nbn:se:his:diva-22990 (URN)978-91-7790-563-9 (ISBN)978-91-7790-564-6 (ISBN)
Public defence
2020-05-28, A109, Luleå, 09:00
Opponent
Supervisors
Available from: 2023-07-06 Created: 2023-07-06 Last updated: 2023-07-06Bibliographically approved

Open Access in DiVA

fulltext(472 kB)177 downloads
File information
File name FULLTEXT01.pdfFile size 472 kBChecksum SHA-512
e6382240401bd13cbe3a6f1aad06ae4f30d1231e0ea4569ce63ee14df825e3d4c7d1d0769199ddf2d16f6a151fbdb31bcb47888edaf2be2e577b4a0caaa5f38c
Type fulltextMimetype application/pdf

Other links

Publisher's full textFulltext

Authority records

Bergström, ErikLundgren, Martin

Search in DiVA

By author/editor
Bergström, ErikLundgren, Martin
Information SystemsInformation Systems, Social aspects

Search outside of DiVA

GoogleGoogle Scholar
Total: 177 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 252 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf