Högskolan i Skövde

The digitalisation of society is rapidly progressing, but along with digitalisation, there are threats. Cyber attacks are a rising concern, especially for the public sec-tor and government agencies. To resist attacks, it is crucial to establish a systematic information security work. Among activities within the systematic information security work, two of them are evaluation and follow-up. Those are activities important for the continuous improvement that should occur when working systematically. However, research has revealed that such activities are challenging to perform. Swedish government agencies have experienced difficulties for years with evaluating and following up on their information security work, although it is a requirement to fulfil. Therefore, this study aims at investigating how information security is evaluated and followed up within Swedish government agencies for civil preparedness by applying a qualitative case study.

The study used two methods to collect data. Data was gathered from public documents and a qualitative content analysis was performed. A total of 152 documents were analysed, including appropriation directions and annual reports. In combination, ten semi-structured interviews were conducted with informants from government agencies responsible for civil preparedness and individuals with extensive work experience regarding information security in the public and private sectors. The interview data were analysed similarly to the public documents, hence content analysis and categorisation into themes.

The results indicate that evaluation and follow-up of information security are performed, but they are burdensome for government agencies. It is mainly due to unclear requirements and weak governance. In addition, evaluation is a time-consuming and resource-intensive activity, which makes it challenging to motivate. The study enlightens these challenges, and its findings could be utilised in future research to aid the problem situation.