Högskolan i Skövde

his.sePublications
1 - 15 of 15
  • 1.
    Bergström, Erik
    Department of Computer Science and Informatics, School of Engineering, Jönköping University, Sweden.
    Lundgren, Martin
    Department of Computer Science, Luleå University of Technology, Sweden.
    Stress Amongst Novice Information Security Risk Management Practitioners (2019). In: International Journal on Cyber Situational Awareness, ISSN 2057-2182, Vol. 4, no 1, p. 128-154, article id 28. Article in journal (Refereed).
    Abstract [en]

    Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), and ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found with security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach, to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers’ decisions, and identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.

  • 2.
    Bergström, Erik
    School of Engineering, Department of Computer Science and Informatics, Jönköping University, Sweden.
    Lundgren, Martin
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Bernsmed, Karin
    SINTEF Digital, Trondheim, Norway.
    Bour, Guillaume
    SINTEF Digital, Trondheim, Norway.
    “Check, Check, Check, We Got Those” – Catalogue Use in Information Security Risk Management (2023). In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 181-191. Conference paper (Refereed).
    Abstract [en]

    Information Security Risk Management (ISRM) is fundamental in most organisations today. The literature describes ISRM as a complex activity, and one way of addressing this is to enable knowledge reuse in the shape of catalogues. Catalogues in the ISRM domain can contain lists of, e.g. assets, threats and security controls. In this paper, we focus on three aspects of catalogue use. Why we need catalogues, how catalogue granularity is perceived, and how catalogues help novices in practice. As catalogue use is not yet a widespread practice in the ISRM, we have selected a domain where catalogues are a part of the ISRM work. In this case, the Air Traffic Management (ATM) domain uses a methodology that includes catalogues and is built on ISO/IEC 27005. The results are based on data collected from 19 interviews with ATM professionals that are either experts or novices in ISRM. With this paper, we nuance the view on what catalogues can contribute with. For example, consistency, coherency, a starting point and new viewpoints. At the same time, we identify the need to inform about the aim of the catalogues and the limitations that come with catalogue use in order to leverage the use – especially from a novice perspective. © 2023, IFIP International Federation for Information Processing.

  • 3.
    Bergström, Erik
    University of Skövde, School of Informatics. University of Skövde, The Informatics Research Centre.
    Lundgren, Martin
    Department of Computer Science, Information Systems, Luleå University of Technology, Luleå, Sweden.
    Ericson, Åsa M.
    Department of Computer Science, Information Systems, Luleå University of Technology, Luleå, Sweden.
    Revisiting information security risk management challenges: a practice perspective (2019). In: Information and Computer Security, E-ISSN 2056-4961, Vol. 27, no 3, p. 358-372. Article in journal (Refereed).
    Abstract [en]

    Purpose: The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices. Design/methodology/approach: The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel. Findings: Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work. Research limitations/implications: The study has a delimitation in that it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus, while implying a better understanding of what and why certain actions are practised in their security work. Practical implications: The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs. Originality/value: Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from actual, situated enactment of practice can advise on process adaptation and suggest more fitting approaches.

  • 4.
    Bernsmed, Karin
    SINTEF Digital, Trondheim, Norway.
    Bour, Guillaume
    SINTEF Digital, Trondheim, Norway.
    Lundgren, Martin
    Luleå University of Technology, Sweden.
    Bergström, Erik
    Jönköping University, Sweden.
    An evaluation of practitioners’ perceptions of a security risk assessment methodology in air traffic management projects (2022). In: Journal of Air Transport Management, ISSN 0969-6997, E-ISSN 1873-2089, Vol. 102, p. 102223-102223, article id 102223. Article in journal (Refereed).
    Abstract [en]

    Cyber security is a key enabler for safe Air Traffic Management (ATM). This paper presents results from an empirical study, in which we have investigated and evaluated the use of the Security Risk Assessment Methodology for SESAR (SecRAM) in European ATM research and development projects. The study was performed with the intention to find and document common issues and aspects that could be improved in the methodology. The results from the study reveal that while most of the practitioners had a positive perception of the methodology itself, they were less satisfied with the process of applying it in their projects. Based on the results, we provide a number of recommendations, which aim to improve the security risk assessment process in the ATM domain.

  • 5.
    Hedberg, David
    University of Skövde, School of Informatics.
    Lundgren, Martin
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Cybersecurity in modern cars: awareness and readiness of auto workshops (2024). In: Information and Computer Security, E-ISSN 2056-4961, Vol. 32, no 4, p. 407-419. Article in journal (Refereed).
    Abstract [en]

    Purpose: This study aims to explore auto mechanics’ awareness of repairs and maintenance related to the car’s cybersecurity and provide insights into challenges based on current practice. Design/methodology/approach: This study is based on an empirical study consisting of semi-structured interviews with representatives from both branded and independent auto workshops. The data was analyzed using thematic analysis. A version of the capability maturity model was introduced to the respondents as a self-evaluation of their cybersecurity awareness. Findings: Cybersecurity was not found to be part of the current auto workshop work culture, and there is a gap between independent workshops and branded workshops, specifically in how they function, approach problems, and the tools and support available to them to resolve (particularly previously unknown) issues. Research limitations/implications: Only auto workshop managers in Sweden were interviewed for this study. This role was picked because it is the most likely to have come in contact with cybersecurity-related issues. They may also have discussed the topic with mechanics, manufacturers or other auto workshops – thus providing a broader view of potential issues or challenges. Practical implications: The challenges identified in this study offer actionable advice to car manufacturers, branded workshops and independent workshops. The goal is to further cooperation, improve knowledge sharing and avoid unnecessary safety or security issues. Originality/value: As cars become smarter, they also become potential targets for cyberattacks, which in turn poses potential threats to human safety. However, auto workshops, which have previously ensured that cars are road safe, have received little research attention with regard to the role cybersecurity can play in repairs and maintenance. Insights from auto workshops can therefore shed light upon the unique challenges and issues tied to the cybersecurity of cars, and how they are kept up-to-date and road safe in the digital era.

  • 6.
    Hedberg, David
    Minneapolis, USA.
    Lundgren, Martin
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Nohlberg, Marcus
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Cyberthreats in Modern Cars: Responsibility and Readiness of Auto Workshops (2023). In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steve Furnell; Nathan Clarke, Cham: Springer, 2023, Vol. 1, p. 275-284. Conference paper (Refereed).
    Abstract [en]

    Modern cars are becoming increasingly smarter and connected. Today, cars often contain features ranging from controlling service functions through a mobile application to remote road assistance. However, as cars become smarter, they also become potential targets for cyberattacks, and a potential threat to human safety. Traditionally, handing in a car to an auto workshop for repairs and maintenance has ensured that the car is road safe. But to what extent are auto mechanics aware of repairs and maintenance related to the car’s cybersecurity? Based on interviews with eight auto workshop specialists in Sweden, using the capability maturity model as a lens to capture readiness maturity, this study looks at experiences with cybersecurity related to cars, what tools are currently used, and procedures to deal with a cyberattack against cars in their workshop. It was found that auto workshops are potential targets, with limited solutions existing today, and that cyber security is not a part of the current culture. It was also found that there is a gap between independent workshops and branded workshops in how they function and in what manner they approach problems and issues. Specifically, for new issues (i.e., previously unencountered issues), branded workshops relied more on the manufacturer than independent workshops, who were left to use whatever solution they could figure out by their own means, which sometimes may be akin to hacking the car’s systems.

  • 7.
    Lundgren, Martin
    Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Division of Digital Services and Systems.
    Making the Dead Alive: Dynamic Routines in Risk Management (2020). Doctoral thesis, comprehensive summary (Other academic).
    Abstract [en]

    Risk management in information security is relevant to most, if not all, organizations. It is perhaps even more relevant considering the opportunities offered by the digitalization era, where reliably sharing, creating, and consuming information has become a competitive advantage, and information has become an asset of strategic concern. The adequate protection of information is therefore important to the whole organization. Determining what to protect, the required level of protection, and how to reach that level of protection is considered risk management, which can be described as the continuous process of identifying and countering information security risks that threaten information availability, confidentiality, and integrity. The processes for performing risk management are typically outlined in a sequence of activities, which describe what organizations should do to systematically manage their information security risks. However, risk management has previously been concluded to be challenging and complex and as something that must be kept alive. That is, routines for performing risk management activities need to be continuously adapted to remain applicable to organizational challenges in specific contexts. However, it remains unclear how such adaptations happen and why they are considered useful by practitioners, as there is a conspicuous absence of empirical studies that examine actual security practices. This issue is addressed in this thesis by conducting empirical studies of governmental agencies and organizations. This was done to contribute to an increased understanding of actual security practices. The analysis used for this study frames formal activities as ‘dead routines,’ since they are constructed as instructions that aid in controlling performance, such as risk management standards. Practitioners’ performance, experience, and understanding are denoted as ‘alive routines,’ as they are flexible and shaped over time. An explanation model was used to elaborate on the contrast between dead—controlling—and alive—shaping—routines of risk management. This thesis found that when dead and alive routines interact and influence each other, they give rise to flexible and emergent processes of adaptations, i.e., dynamic routines. Examples of dynamic routines occurred in response to activities that were originally perceived as too complex and were adapted to simplify or increase their efficiency, e.g., by having a direct relation between security controls and asset types. Dynamic routines also appeared as interactions between activities in response to conflicting expectations that were adjusted accordingly, e.g., the cost or level of complexity in security controls. In conclusion, dynamic routines occur to improve risk management activities to fit new circumstances.

  • 8.
    Lundgren, Martin
    Department of Computer Science, Luleå University of Technology, Sweden.
    Rethinking capabilities in information security risk management: a systematic literature review (2020). In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 23, no 2, p. 169-190. Article, review/survey (Refereed).
    Abstract [en]

    Information security risk management capabilities have predominantly focused on instrumental onsets, while largely ignoring the underlying intentions and knowledge these management practices entail. This article aims to study what capabilities are embedded in information security risk management. A theoretical framework is proposed, namely rethinking capability as the alignment between intent and knowing. The framework is situated around four general risk management practices. A systematic literature review utilising the framework was conducted, resulting in the identification of eight capabilities. These capabilities were grouped into their respective practices: integrating various perspectives and values to reach a risk perception aligned with the intended outcome (identify); adapting to varying perspectives of risks and prioritising them in accordance with the intended outcome (prioritise); using security controls to enable resources, and integrating/reconfiguring beliefs held by various stakeholders (implement); and sustaining the integrated resources and competences held by stakeholders to continue the alignment with the intended outcome (monitor).

  • 9.
    Lundgren, Martin
    Department of Computer Science, Luleå University of Technology, Sweden.
    Bergström, Erik
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Dynamic interplay in the information security risk management process (2019). In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 22, no 2, p. 212-230. Article in journal (Refereed).
    Abstract [en]

    In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organisational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, 12 characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study's conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organisational and social challenges. 

  • 10.
    Lundgren, Martin
    Department of Computer Science, Luleå University of Technology, Luleå, Sweden.
    Bergström, Erik
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Security-related stress: A perspective on information security risk management (2019). In: 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), IEEE, 2019. Conference paper (Refereed).
    Abstract [en]

    In this study, the enactment of information security risk management by novice practitioners is studied by applying an analytical lens of security-related stress. Two organisations were targeted in the study using a case study approach to obtain data about their practices. The study identifies stressors and stress inhibitors in the ISRM process and the supporting ISRM tools and discusses the implications for practitioners. For example, a mismatch between security standards and how they are interpreted in practice has been identified. This mismatch was further found to be strengthened by the design of the used ISRM tools. Those design shortcomings hamper agility since they may enforce a specific workflow or may restrict documentation. The study concludes that security-related stress can provide additional insight into security-novice practitioners' ISRM challenges. 

  • 11.
    Lundgren, Martin
    Department of Computer Science, Electrical and Space Engineering, Luleå University of Technology, Sweden.
    Padyab, Ali
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    A Review of Cyber Threat (Artificial) Intelligence in Security Management (2023). In: Artificial Intelligence and Cybersecurity: Theory and Applications / [ed] Tuomo Sipola; Tero Kokkonen; Mika Karjalainen, Cham: Springer Nature Switzerland AG, 2023, 1, p. 29-45. Chapter in book (Refereed).
    Abstract [en]

    Managing cybersecurity within organizations typically relies on careful consideration and management of its risks. By following an iterative—often sequential—risk management process, an organization’s exposure to risks can be assessed by weighing organizational digital asset values against the probability of being harmed by a threat [29]. However, this approach has been criticized for reflecting only a snapshot of the organization’s assets and threats. Furthermore, identifying threats and the ability to remain updated on current threats and vulnerabilities are often dependent on skilled and experienced experts, causing risks to be primarily determined based on subjective judgment [46]. Nevertheless, this also poses a challenge to organizations that cannot stay up-to-date with what assets are vulnerable or attain personnel with the necessary experience and know-how to obtain relevant information on cybersecurity threats towards those assets [8, 30, 37].

  • 12.
    Lundgren, Martin
    Department of Computer Science, Electrical and Space Engineering, Luleå University of Technology, Sweden.
    Padyab, Ali
    University of Skövde, Informatics Research Environment. University of Skövde, School of Informatics.
    Security and Privacy of Smart Homes: Issues and Solutions (2021). In: Security and Privacy in the Internet of Things: Architectures, Techniques, and Applications / [ed] Ali Ismail Awad; Jemal Abawajy, John Wiley & Sons, 2021, p. 235-260. Chapter in book (Refereed).
    Abstract [en]

    The current discussion and adoption of new technologies such as the Internet of Things and smart technologies, like smart homes, have blossomed over the last decade. The user-centric aspect plays a vital role in the development of smart homes, since their spread and usage fundamentally depend on people adopting new technologies into their normal everyday lives. This chapter contributes to raising our understanding of the security and privacy challenges and solutions that exist within smart homes. It first investigates various dimensions of information security and privacy in order to build a framework to analyze actual or perceived security and privacy issues that can arise from new technologies like smart homes. The chapter then presents what security techniques and mechanisms are available to address these. Finally, it discusses what the future might hold in terms of security and privacy of smart homes, followed by a section highlighting the contributions of this chapter.

  • 13.
    Padyab, Ali
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Lundgren, Martin
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    Stress in doctoral supervision: A perspective on supervisors (2023). In: Journal of Praxis in Higher Education, E-ISSN 2003-3605, Vol. 5, no 2, p. 91-117. Article in journal (Refereed).
    Abstract [en]

    This paper shares findings from an interview study designed to open up critical conversations on complexity in advising. Using a narrative inquiry approach to centre storytelling and personal experience as valuable knowledge, I interview advisors (both academic and unofficial) who were central to my own doctoral research journey, as well as former doctoral students of mine. The interview results are put in relation with my own critical reflection on my advising practices as an ethos, as opposed to a set of tasks or functions, and put into context with larger social concepts such as positionality. This new perspective is suggested as a supplement to complexify and expand earlier research on advising styles. Advising is characterised as deeply entangled with mentoring as well as teaching at large, and the paper concludes with identification of larger ethea, reflecting how advising practices are co-constituted in relation with a range of other factors, such as positionality, institutional and disciplinary context, the larger student lifeworld, and perspectives on teaching and learning.

  • 14.
    Salin, Hannes
    School of Information and Engineering, Dalarna University, Sweden.
    Lundgren, Martin
    University of Skövde, School of Informatics. University of Skövde, Informatics Research Environment.
    A Gap Analysis of the Adoption Maturity of Certificateless Cryptography in Cooperative Intelligent Transportation Systems (2023). In: Journal of Cybersecurity and Privacy, E-ISSN 2624-800X, Vol. 3, no 3, p. 591-609. Article in journal (Refereed).
    Abstract [en]

    Cooperative Intelligent Transport Systems (C-ITSs) are an important development for society. C-ITSs enhance road safety, improve traffic efficiency, and promote sustainable transportation through interconnected and intelligent communication between vehicles, infrastructure, and traffic-management systems. Many real-world implementations still consider traditional Public Key Infrastructures (PKI) as the underlying trust model and security control. However, there are challenges with the PKI-based security control from a scalability and revocation perspective. Lately, certificateless cryptography has gained research attention, also in conjunction with C-ITSs, making it a new type of security control to be considered. In this study, we use certificateless cryptography as a candidate to investigate factors affecting decisions (not) to adopt new types of security controls, and study its current gaps, key challenges and possible enablers which can influence the industry. We provide a qualitative study with industry specialists in C-ITSs, combined with a literature analysis of the current state of research in certificateless cryptography in C-ITS. It was found that only 53% of the current certificateless cryptography literature for C-ITSs in 2022–2023 provides laboratory testing of the protocols, and 0% has testing in real-world settings. However, the trend of research output in the field has been increasing linearly since 2016, with more than eight times as many articles in 2022 compared to 2016. Based on our analysis, using a five-phased Innovation-Decision Model, we found that the key reasons affecting adoption are: availability of proof-of-concepts, knowledge beyond current best practices, and a strong buy-in from both stakeholders and standardization bodies.

  • 15.
    Salin, Hannes
    Department of Information and Communication Technology, Swedish Transport Administration, Borlänge, Sweden.
    Lundgren, Martin
    Information Systems, Luleå University of Technology, Sweden.
    Towards Agile Cybersecurity Risk Management for Autonomous Software Engineering Teams (2022). In: Journal of Cybersecurity and Privacy, E-ISSN 2624-800X, Vol. 2, no 2, p. 276-291. Article in journal (Refereed).
    Abstract [en]

    In this study, a framework was developed, based on a literature review, to help managers incorporate cybersecurity risk management in agile development projects. The literature review used predefined codes that were developed by extending previously defined challenges in the literature—for developing secure software in agile projects—to include aspects of agile cybersecurity risk management. Five steps were identified based on the insights gained from how the reviewed literature has addressed each of the challenges: (1) risk collection; (2) risk refinement; (3) risk mitigation; (4) knowledge transfer; and (5) escalation. To assess the appropriateness of the identified steps, and to determine their inclusion or exclusion in the framework, a survey was submitted to 145 software developers using a four-point Likert scale to measure the attitudes towards each step. The resulting framework presented herein serves as a starting point to help managers and developers structure their agile projects in terms of cybersecurity risk management, supporting less overloaded agile processes, stakeholder insights on relevant risks, and increased security assurance.
