Thesis Proposal: A Method for Information Classification
University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre. (Informationssystem (IS), Information Systems)
2017 (English) Report (Other academic)
Abstract [en]

In the highly digitalized world in which we live today, information and information systems have become key assets to organizations. These assets need to be managed properly because it is difficult to safeguard assets that an organization does not know exist and does not know the value they offer. In an Information Security Management System (ISMS), asset management is an important activity as it aims at identifying, assigning ownership and adding protection to information assets. Within asset management, one activity is information classification, which has the objective of ensuring that information receives an appropriate level of protection in accordance with its importance to the organization. In practice, this is usually done using a classification scheme, and the result is handled as input to the risk analysis. Information classification is a well-known practice for all kinds of organizations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organizations are struggling with the implementation. Little is known about why it is problematic and how to address such issues. Furthermore, the existing methods, described in, e.g., standards, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out important aspects needed for many to adopt any kind of information classification. For instance, there is a lack of detailed descriptions regarding (1) overview of procedures and concepts, (2) which roles are involved in the classification, and how they interact, (3) how to tailor the method for different situations and (4) a framework that structures and guides the classification. If information classification is not implemented in an organization, the organization might not know what information it possesses or what the value of that information is. Even if it is implemented, an unclear approach can lead to information being under- or overvalued, which, in turn, leads to under- or overprotected information.

This thesis aims to increase the applicability of information classification by devising a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study has been performed in five cycles. The contributions so far include an identification of issues and enablers for information classification and a proposed component-based method for information classification. Furthermore, eight design principles underpinning an information classification method are presented. Additionally, an outline for further research is provided, where the objectives are to further develop the method by addressing the context around information classification (the risk analysis and security controls), and by adding usage views to the method. Finally, a security declaration as an addition to the information classification method is outlined as a complement for tying security controls to the information classification scheme.

Place, publisher, year, edition, pages
2017, p. 58
National Category
Computer Sciences Information Systems
Research subject
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-14546 OAI: oai:DiVA.org:his-14546 DiVA, id: diva2:1162686
Note

Thesis proposal, PhD programme, University of Skövde

Available from: 2017-12-05 Created: 2017-12-05 Last updated: 2018-01-13 Bibliographically approved

By author/editor
Bergström, Erik