Högskolan i Skövde

his.sePublications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Supporting Information Security Management: Developing a Method for Information Classification
University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment. School of Engineering, Jönköping University. (Information Systems)ORCID iD: 0000-0002-1436-2980
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.

This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.

Abstract [sv]

I den starkt digitaliserade värld vi lever i idag har information och informationssystem blivit kritiska tillgångar för organisationer och därför måste dessa följaktligen skyddas. För att implementera och arbeta med informationssäkerhet på ett strukturerat sätt kan ett ledningssystem för informationssäkerhet (LIS) implementeras. Hantering av tillgångar är en central aktivitet i LIS som syftar till att identifiera tillgångar, fastställa lämpligt ansvar och bestämma lämplig skyddsnivå för informationstillgångar. En aktivitet inom hanteringen av tillgångar är informationsklassificering som har som mål att se till att information får en lämplig skyddsnivå i enlighet med dess betydelse för organisationen. Informationsklassificering är en allmänt känd och välanvänd praxis för alla slags organisationer, både inom den privata och offentliga sektorn. Dessutom finns informationsklassificering beskrivit som en del av flera standarder exempelvis i ISO/IEC 27002, COBIT och NIST-SP800.

Informationsklassificering har emellertid fått lite uppmärksamhet inom akademin och dessutom kämpar många organisationer med införandet. De underliggande orsakerna till varför det är problematiskt att implementera och använda informationsklassificering är i mångt och mycket oklara. Vidare tillhandahåller exempelvis befintliga standarder och nationella rekommendationer inget sammanhängande och systematiskt beskrivit tillvägagångssätt för att skildra informationsklassificering. De korta beskrivningarna i standarder och vetenskaplig litteratur utelämnar väsentliga aspekter som krävs för att kunna implementera informationsklassificering i en organisation. Det finns till exempel brist på detaljerade beskrivningar avseende (1) förfaranden och begrepp, (2) hur man kan anpassa tillvägagångssättet för olika situationer, (3) ett ramverk som strukturerar och styr klassificeringen, (4) vilka roller som ska vara involverade i klassificeringen och (5) hur information med olika granularitet hanteras.

Denna avhandling syftar till att utveckla en metod för informationsklassificering som bygger på standarder och praxis och som kan användas som en del av LIS-arbetet. För att möta detta syfte genomfördes en DSR-studie (Design Science Research) i tre cykler. Ett brett spektrum av data har samlats in som en del av detta arbete, inklusive en serie intervjuer med experter och nybörjare om informationsklassificering, en enkätundersökning, ett antal observationer samt en insamling av de flesta svenska myndigheters klassificeringspolicyer. Det finns tre huvudsakliga bidrag med denna avhandling (1) identifiering av problem och möjliggörare för informationsklassificering, (2) designprinciper som ligger till grund för utvecklingen av en metod för informationsklassificering och (3) metoden för informationsklassificering. Det har också gjorts bidrag till kontexten kring informationsklassificering. Exempelvis beskrivs och ges 20 praktiska förslag för hur man bemöter väldokumenterade utmaningar inom riskanalys och vid val av skyddsåtgärder.

Place, publisher, year, edition, pages
Skövde: University of Skövde , 2020. , p. 310
Series
Dissertation Series ; 33
Keywords [en]
information classification, Information security management, Information security management systems, Information classification method
National Category
Information Systems
Research subject
INF303 Information Security; Information Systems
Identifiers
URN: urn:nbn:se:his:diva-18920ISBN: 978-91-984918-5-2 (print)OAI: oai:DiVA.org:his-18920DiVA, id: diva2:1458263
Public defence
2020-09-04, G109, Högskolevägen 1, 09:00 (English)
Opponent
Supervisors
Available from: 2020-08-14 Created: 2020-08-14 Last updated: 2023-07-06Bibliographically approved
List of papers
1. Information Classification Issues
Open this publication in new window or tab >>Information Classification Issues
2014 (English)In: Secure IT Systems: 19th Nordic Conference, NordSec 2014, Tromsø, Norway, October 15-17, 2014, Proceedings / [ed] Karin Bernsmed & Simone Fischer-Hübner, Cham: Springer, 2014, p. 27-41Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents an extensive systematic literature review with the aim of identifying and classifying issues in the information classification process. The classification selected uses human and organizational factors for grouping the identified issues. The results reveal that policy-related issues are most commonly described, but not necessarily the most crucial ones. Furthermore, gaps in the research field are identified in order to outline paths for further research.

Place, publisher, year, edition, pages
Cham: Springer, 2014
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349 ; 8788
Keywords
information classification, systematic literature review, information security management systems
National Category
Computer Sciences
Research subject
Technology; Information Systems
Identifiers
urn:nbn:se:his:diva-10109 (URN)10.1007/978-3-319-11599-3_2 (DOI)2-s2.0-84910065925 (Scopus ID)978-3-319-11598-6 (ISBN)978-3-319-11599-3 (ISBN)
Conference
19th Nordic Conference, NordSec 2014, Tromsø, Norway, October 15-17, 2014
Available from: 2014-10-22 Created: 2014-10-22 Last updated: 2020-08-14Bibliographically approved
2. Information Classification Enablers
Open this publication in new window or tab >>Information Classification Enablers
2015 (English)In: Foundations and Practice of Security: 8th International Symposium, FPS 2015, Clermont-Ferrand, France, October 26-28, 2015, Revised Selected Papers / [ed] Joaquin Garcia-Alfaro, Evangelos Kranakis, Guillaume Bonfante, Cham: Springer, 2015, Vol. 9482, p. 268-276Chapter in book (Refereed)
Abstract [en]

This paper presents a comprehensive systematic literature review of information classification (IC) enablers. We propose a classification based on the well-known levels of management: strategic, tactical and operational. The results reveal that a large number of enablers could be adopted to increase the applicability of IC in organizations. The results also indicate that there is not one single enabler solving the problem, but rather several enablers can influence the adoption.

Place, publisher, year, edition, pages
Cham: Springer, 2015
Series
Lecture Notes in Computer Science (LNCS), ISSN 0302-9743, E-ISSN 1611-3349 ; 9482
Keywords
nformation classification, Systematic literature review, ISMS
National Category
Information Systems, Social aspects
Research subject
Technology; Humanities and Social sciences; Information Systems
Identifiers
urn:nbn:se:his:diva-12022 (URN)10.1007/978-3-319-30303-1_17 (DOI)000379392900017 ()2-s2.0-84960324053 (Scopus ID)978-3-319-30302-4 (ISBN)978-3-319-30303-1 (ISBN)
Conference
8th International Symposium, FPS 2015, Clermont-Ferrand, France, October 26-28, 2015
Available from: 2016-03-08 Created: 2016-03-08 Last updated: 2020-08-14Bibliographically approved
3. Information Classification Policies: An Exploratory Investigation
Open this publication in new window or tab >>Information Classification Policies: An Exploratory Investigation
2018 (English)In: Proceedings of the Annual Information Institute Conference / [ed] G. Dhillon, S. Samonas, Washington, DC: Information Institute , 2018Conference paper, Published paper (Refereed)
Abstract [en]

InfoSec policies are considered a key mechanism in information security, and most organizations have one. However, the large majority of security policy research has focused on what policies should include rather than how they are accomplished in practice. To contribute to overcoming the lack of knowledge regarding this crucial aspect, this paper investigates information security policies based on what underlying approaches information classification practices are built on and the perceived ease of turning the policy into practice. To do so, a survey was sent to 284 Swedish government agencies, and 80 of their internal policies were collected as data. The data were analyzed both qualitatively, and qualitatively. The results show that information classification adoption rates are low despite being mandatory and that agencies are struggling in closing the gap between standards and practice. Furthermore, the results also show that information classification policies need to be more specific and give more actionable advice regarding, e.g., how information life-cycle management is included in practice, and where the responsibility for classification is put in the organization.

Place, publisher, year, edition, pages
Washington, DC: Information Institute, 2018
Keywords
Information security management, information classification, InfoSec policies., Public Administration Studies, Studier av offentlig förvaltning
National Category
Information Systems
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-18924 (URN)978-1-935160-19-9 (ISBN)
Conference
17th Annual Security Conference, March 26-28, 2018 Las Vegas, NV, USA
Available from: 2020-08-17 Created: 2020-08-17 Last updated: 2020-08-24Bibliographically approved
4. Revisiting information security risk management challenges: a practice perspective
Open this publication in new window or tab >>Revisiting information security risk management challenges: a practice perspective
2019 (English)In: Information and Computer Security, E-ISSN 2056-4961, Vol. 27, no 3, p. 358-372Article in journal (Refereed) Published
Abstract [en]

Purpose: The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach: The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings: Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work. Research limitations/implications: The study has delimitation as it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications: The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value: Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaption and suggest more fit approaches. 

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2019
Keywords
Asset valuation, Information security, Practice theory, Risk management
National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-17319 (URN)10.1108/ICS-09-2018-0106 (DOI)000479219900003 ()2-s2.0-85067021789 (Scopus ID)
Available from: 2019-06-27 Created: 2019-06-27 Last updated: 2023-07-06Bibliographically approved
5. Dynamic interplay in the information security risk management process
Open this publication in new window or tab >>Dynamic interplay in the information security risk management process
2019 (English)In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 22, no 2, p. 212-230Article in journal (Refereed) Published
Abstract [en]

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges. 

Place, publisher, year, edition, pages
InderScience Publishers, 2019
Keywords
Formal processes, Information classification, Interplay, Risk analysis, Security controls
National Category
Information Systems Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-18624 (URN)10.1504/IJRAM.2019.101287 (DOI)2-s2.0-85086419939 (Scopus ID)
Available from: 2020-06-29 Created: 2020-06-29 Last updated: 2023-07-06Bibliographically approved
6. Stress Amongst Novice Information Security Risk Management Practitioners
Open this publication in new window or tab >>Stress Amongst Novice Information Security Risk Management Practitioners
2019 (English)In: International Journal on Cyber Situational Awareness, ISSN 2057-2182, Vol. 4, no 1, p. 128-154, article id 28Article in journal (Refereed) Published
Abstract [en]

Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), and ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found with security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach, to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers’ decisions, and identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.

Place, publisher, year, edition, pages
Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC), 2019
Keywords
Security-novice, information security, information security risk management, stress, tools, compliance, management, Information Systems, Social aspects, Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
National Category
Information Systems Information Systems, Social aspects
Identifiers
urn:nbn:se:his:diva-18925 (URN)10.22619/IJCSA (DOI)
Note

CC BY 4.0

This paper is a revised and expanded version of Lundgren and Bergström (2019b) presented at the 2019 International Conference on Cyber Science, 3-4 June 2019 in Oxford, UK. We want to thank the anonymous reviewers for their excellent suggestions and valuable insights.

Lundgren, M., & Bergström, E. (2019b). Security-Related Stress: A Perspective on Information Security Risk Management. Paper presented at the 2019 International Conference On Cyber Security and Protection of Digital Services (Cyber Security), Oxford, UK

Available from: 2020-08-17 Created: 2020-08-17 Last updated: 2023-07-06Bibliographically approved
7. Developing an information classification method
Open this publication in new window or tab >>Developing an information classification method
2021 (English)In: Information and Computer Security, E-ISSN 2056-4961, Vol. 29, no 2, p. 209-239Article in journal (Refereed) Published
Abstract [en]

Purpose: The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified. Design/methodology/approach: The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019. Findings: The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation. Research limitations/implications: Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement. Practical implications: The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour. Originality/value: The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2021
Keywords
Information classification, Information classification method, Information security management, Information security management systems, ISO Standards, Security of data, Design Principles, Design-science researches, Design/methodology/approach, Information assets, Long-term goals, Organisational, Subjective judgement, Classification (of information)
National Category
Information Systems Information Systems, Social aspects Computer Sciences
Research subject
Information Systems
Identifiers
urn:nbn:se:his:diva-19309 (URN)10.1108/ICS-07-2020-0110 (DOI)000595848200001 ()2-s2.0-85097088962 (Scopus ID)
Note

Article publication date: 3 December 2020.

Issue publication date: 3 August 2021.

Available from: 2020-12-10 Created: 2020-12-10 Last updated: 2023-05-02Bibliographically approved

Open Access in DiVA

Thesis(1424 kB)1107 downloads
File information
File name FULLTEXT01.pdfFile size 1424 kBChecksum SHA-512
d70346f17eafb3aa6ea5d9374a7e14781c6a293fcd3574189c4e4489335112e0f43ab6e0c5c361cc87204fb71da9c40ca2d6f31cadcfdd15f20906d8abded05b
Type fulltextMimetype application/pdf

Authority records

Bergström, Erik

Search in DiVA

By author/editor
Bergström, Erik
By organisation
School of InformaticsInformatics Research Environment
Information Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 1112 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 2191 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • apa-cv
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf