The human connection to information security: A qualitative study on policy development, communication and compliance in government agencies
2023 (English)
Independent thesis Basic level (degree of Bachelor), 20 credits / 30 HE credits
Student thesis
Alternative title
Den mänskliga kopplingen till informationssäkerhet : En kvalitativ studie om policyutveckling, kommunikation och efterlevnad inom statliga myndigheter (Swedish)
Abstract [en]
The human factor and insider threats play a crucial role in information security. In today’s digital age, protecting organizational data requires a deep understanding of human behaviour and its impact on information security. The increasing volume of electronically stored data has led to a rise in cyber threats and breaches, necessitating effective information security policies and regulations.
This study focuses on the experiences and perspectives of employees and top management in government agencies regarding the development, communication, compliance, and attitudes towards information security policies and regulations. Semi-structured interviews were conducted with participants from two groups, top management or information security officers on the one hand and regular employees on the other, which allowed for an in-depth exploration of their experiences and perspectives.
The findings show that government agencies systematically develop policies by engaging stakeholders, ensuring accessibility, and adhering to legal frameworks. Addressing the human factor involves training, awareness programs, and top management support. Policy development and implementation include risk assessment, stakeholder identification, objective setting, continuous review, and integration into daily operations. Communication channels such as intranets, training, coordinators, and awareness events are utilized, but their effectiveness is not directly measured. Proposed improvements include enhancing accessibility, improving policy document management, and using clearer language.
Employees generally possess a positive attitude towards information security, though their understanding varies, and challenges to their understanding include complex language and unclear instructions. Compliance also varies, with difficulties arising from technical terminology and information overload. Enhanced compliance can be achieved through simplified language, providing better resources, and top management support. Proactive incident management focuses on learning and risk minimization. The human factor and insider threats remain significant concerns, which emphasizes the need for further education, awareness training, and motivation.
Place, publisher, year, edition, pages
2023. p. vi, 88
Keywords [en]
Communication, compliance, development, effectiveness, government agencies, human factor, information security, information security awareness, information security culture, information security management system, information security policy, insider threat
National Category
Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:his:diva-22780
OAI: oai:DiVA.org:his-22780
DiVA, id: diva2:1772736
Subject / course
Information Technology
Educational program
Information Systems
Supervisors
Examiners
2023-06-21 2023-06-21 2023-06-21 Bibliographically approved