Högskolan i Skövde

his.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Dynamic interplay in the information security risk management process
Department of Computer Science, Luleå University of Technology, Sweden.ORCID iD: 0000-0003-1692-5721
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. (Informationssystem (IS), Information Systems)ORCID iD: 0000-0002-1436-2980
2019 (English)In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 22, no 2, p. 212-230Article in journal (Refereed) Published
Abstract [en]

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges. 

Place, publisher, year, edition, pages
InderScience Publishers, 2019. Vol. 22, no 2, p. 212-230
Keywords [en]
Formal processes, Information classification, Interplay, Risk analysis, Security controls
National Category
Information Systems Information Systems, Social aspects
Research subject
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-18624DOI: 10.1504/IJRAM.2019.101287Scopus ID: 2-s2.0-85086419939OAI: oai:DiVA.org:his-18624DiVA, id: diva2:1449129
Available from: 2020-06-29 Created: 2020-06-29 Last updated: 2023-07-06Bibliographically approved
In thesis
1. Supporting Information Security Management: Developing a Method for Information Classification
Open this publication in new window or tab >>Supporting Information Security Management: Developing a Method for Information Classification
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.

This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.

Abstract [sv]

I den starkt digitaliserade värld vi lever i idag har information och informationssystem blivit kritiska tillgångar för organisationer och därför måste dessa följaktligen skyddas. För att implementera och arbeta med informationssäkerhet på ett strukturerat sätt kan ett ledningssystem för informationssäkerhet (LIS) implementeras. Hantering av tillgångar är en central aktivitet i LIS som syftar till att identifiera tillgångar, fastställa lämpligt ansvar och bestämma lämplig skyddsnivå för informationstillgångar. En aktivitet inom hanteringen av tillgångar är informationsklassificering som har som mål att se till att information får en lämplig skyddsnivå i enlighet med dess betydelse för organisationen. Informationsklassificering är en allmänt känd och välanvänd praxis för alla slags organisationer, både inom den privata och offentliga sektorn. Dessutom finns informationsklassificering beskrivit som en del av flera standarder exempelvis i ISO/IEC 27002, COBIT och NIST-SP800.

Informationsklassificering har emellertid fått lite uppmärksamhet inom akademin och dessutom kämpar många organisationer med införandet. De underliggande orsakerna till varför det är problematiskt att implementera och använda informationsklassificering är i mångt och mycket oklara. Vidare tillhandahåller exempelvis befintliga standarder och nationella rekommendationer inget sammanhängande och systematiskt beskrivit tillvägagångssätt för att skildra informationsklassificering. De korta beskrivningarna i standarder och vetenskaplig litteratur utelämnar väsentliga aspekter som krävs för att kunna implementera informationsklassificering i en organisation. Det finns till exempel brist på detaljerade beskrivningar avseende (1) förfaranden och begrepp, (2) hur man kan anpassa tillvägagångssättet för olika situationer, (3) ett ramverk som strukturerar och styr klassificeringen, (4) vilka roller som ska vara involverade i klassificeringen och (5) hur information med olika granularitet hanteras.

Denna avhandling syftar till att utveckla en metod för informationsklassificering som bygger på standarder och praxis och som kan användas som en del av LIS-arbetet. För att möta detta syfte genomfördes en DSR-studie (Design Science Research) i tre cykler. Ett brett spektrum av data har samlats in som en del av detta arbete, inklusive en serie intervjuer med experter och nybörjare om informationsklassificering, en enkätundersökning, ett antal observationer samt en insamling av de flesta svenska myndigheters klassificeringspolicyer. Det finns tre huvudsakliga bidrag med denna avhandling (1) identifiering av problem och möjliggörare för informationsklassificering, (2) designprinciper som ligger till grund för utvecklingen av en metod för informationsklassificering och (3) metoden för informationsklassificering. Det har också gjorts bidrag till kontexten kring informationsklassificering. Exempelvis beskrivs och ges 20 praktiska förslag för hur man bemöter väldokumenterade utmaningar inom riskanalys och vid val av skyddsåtgärder.

Place, publisher, year, edition, pages
Skövde: University of Skövde, 2020. p. 310
Series
Dissertation Series ; 33
Keywords
information classification, Information security management, Information security management systems, Information classification method
National Category
Information Systems
Research subject
INF303 Information Security; Information Systems
Identifiers
urn:nbn:se:his:diva-18920 (URN)978-91-984918-5-2 (ISBN)
Public defence
2020-09-04, G109, Högskolevägen 1, 09:00 (English)
Opponent
Supervisors
Available from: 2020-08-14 Created: 2020-08-14 Last updated: 2023-07-06Bibliographically approved
2. Making the Dead Alive: Dynamic Routines in Risk Management
Open this publication in new window or tab >>Making the Dead Alive: Dynamic Routines in Risk Management
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Alternative title[sv]
Död eller Levande : Dynamiska Rutiner för Riskhantering
Abstract [en]

Risk management in information security is relevant to most, if not all, organizations. It is perhaps even more relevant considering the opportunities offered by the digitalization era, where reliably sharing, creating, and consuming information has become a competitive advantage, and information has become an asset of strategic concern. The adequate protection of information is therefore important to the whole organization. Determining what to protect, the required level of protection, and how to reach that level of protection is considered risk management, which can be described as the continuous process of identifying and countering information security risks that threaten information availability, confidentiality, and integrity. The processes for performing risk management are typically outlined in a sequence of activities, which describe what organizations should do to systematically manage their information security risks. However, risk management has previously been concluded to be challenging and complex and as something that must be kept alive. That is, routines for performing risk management activities need to be continuously adapted to remain applicable to organizational challenges in specific contexts. However, it remains unclear how such adaptations happen and why they are considered useful by practitioners, as there is a conspicuous absence of empirical studies that examine actual security practices. This issue is addressed in this thesis by conducting empirical studies of governmental agencies and organizations. This was done to contribute to an increased understanding of actual security practices. The analysis used for this study frames formal activities as ‘dead routines,’ since they are constructed as instructions that aid in controlling performance, such as risk management standards. Practitioners’ performance, experience, and understanding are denoted as ‘alive routines,’ as they are flexible and shaped over time. An explanation model was used to elaborate on the contrast between dead— controlling—and alive—shaping—routines of risk management. This thesis found that when dead and alive routines interact and influence each other, they give rise to flexible and emergent processes of adaptations, i.e., dynamic routines. Examples of dynamic routines occurred in response to activities that were originally perceived as too complex and were adapted to simplify or increase their efficiency, e.g., by having a direct relation between security controls and asset types. Dynamic routines also appeared as interactions between activities in response to conflicting expectations that were adjusted accordingly, e.g., the cost or level of complexity in security controls. In conclusion, dynamic routines occur to improve risk management activities to fit new circumstances.

Place, publisher, year, edition, pages
Luleå: Luleå University of Technology, 2020
Keywords
Risk management, information security, routine, practice, asset identification, risk analysis, risk treatment, organizational aspects
National Category
Information Systems Information Systems, Social aspects
Identifiers
urn:nbn:se:his:diva-22990 (URN)978-91-7790-563-9 (ISBN)978-91-7790-564-6 (ISBN)
Public defence
2020-05-28, A109, Luleå, 09:00
Opponent
Supervisors
Available from: 2023-07-06 Created: 2023-07-06 Last updated: 2023-07-06Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Lundgren, MartinBergström, Erik

Search in DiVA

By author/editor
Lundgren, MartinBergström, Erik
By organisation
School of InformaticsInformatics Research Environment
In the same journal
International Journal of Risk Assessment and Management
Information SystemsInformation Systems, Social aspects

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 532 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf