Supporting Information Security Management: Developing a Method for Information Classification
Högskolan i Skövde, Institutionen för informationsteknologi.
ORCID iD: 0000-0002-1436-2980
2020 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organisations are struggling with its implementation. The reasons why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards and in the literature alike leave out essential aspects that many organisations need in order to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.

This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. This thesis makes three main contributions: (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, for example 20 practical suggestions for how to meet documented challenges in practice.

Abstract [sv] (translated from Swedish)

In the highly digitalised world we live in today, information and information systems have become critical assets for organisations and consequently must be protected. To implement and work with information security in a structured way, an information security management system (ISMS; in Swedish, LIS) can be implemented. Asset management is a central activity in an ISMS that aims to identify assets, establish appropriate responsibility and determine an appropriate level of protection for information assets. One activity within asset management is information classification, which has the goal of ensuring that information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a generally known and widely used practice for all kinds of organisations, in both the private and the public sector. In addition, information classification is described as part of several standards, for example ISO/IEC 27002, COBIT and NIST-SP800.

Information classification has, however, received little attention in academia, and many organisations struggle with its introduction. The underlying reasons why it is problematic to implement and use information classification are largely unclear. Furthermore, existing standards and national recommendations, for example, provide no coherent and systematically described approach to information classification. The short descriptions in standards and in the scientific literature leave out essential aspects required to implement information classification in an organisation. There is, for example, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how the approach can be adapted to different situations, (3) a framework that structures and guides the classification, (4) which roles should be involved in the classification, and (5) how information of different granularity is handled.

This thesis aims to develop a method for information classification that builds on standards and practice and that can be used as part of ISMS work. To meet this aim, a Design Science Research (DSR) study was carried out in three cycles. A broad spectrum of data has been collected as part of this work, including a series of interviews with experts and novices on information classification, a questionnaire survey, a number of observations and a collection of most Swedish public agencies' classification policies. The thesis makes three main contributions: (1) the identification of problems and enablers for information classification, (2) the design principles that underpin the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context surrounding information classification. For example, 20 practical suggestions are described for how to meet well-documented challenges in risk analysis and in the selection of security measures.

Place, publisher, year, edition, pages
Skövde: University of Skövde, 2020. p. 310
Series
Dissertation Series ; 33
Keywords [en]
information classification, Information security management, Information security management systems, Information classification method
National Category
Information Systems
Research subject
INF303 Information Security; Information Systems
Identifiers
URN: urn:nbn:se:hj:diva-50564
ISBN: 978-91-984918-5-2 (print)
OAI: oai:DiVA.org:hj-50564
DiVA, id: diva2:1464451
Public defence
2020-09-04, G109, Högskolevägen 1, 09:00 (English)
Note

One of seven constituent papers (for the others, see the heading Delarbeten/List of papers): VII. Bergström, E., Karlsson, F., & Åhlfeldt, R.-M. (Submitted). Developing an Information Classification Method. Submitted for review to Information and Computer Security.

Available from: 2020-09-07. Created: 2020-09-07. Last updated: 2020-09-07. Bibliographically approved.
List of papers
1. Information Classification Issues
2014 (English) In: Secure IT Systems: 19th Nordic Conference, NordSec 2014, Tromsø, Norway, October 15-17, 2014, Proceedings / [ed] Karin Bernsmed & Simone Fischer-Hübner, Springer, 2014, p. 27-41. Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents an extensive systematic literature review with the aim of identifying and classifying issues in the information classification process. The classification selected uses human and organizational factors for grouping the identified issues. The results reveal that policy-related issues are most commonly described, but not necessarily the most crucial ones. Furthermore, gaps in the research field are identified in order to outline paths for further research.

Place, publisher, year, edition, pages
Springer, 2014
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 8788
Keywords
information classification, systematic literature review, information security management systems
National Category
Computer Sciences
Research subject
Technology; Information Systems
Identifiers
urn:nbn:se:hj:diva-47020 (URN)
10.1007/978-3-319-11599-3_2 (DOI)
2-s2.0-84910065925 (Scopus ID)
978-3-319-11598-6 (ISBN)
978-3-319-11599-3 (ISBN)
Conference
19th Nordic Conference, NordSec 2014, Tromsø, Norway, October 15-17, 2014
Available from: 2014-10-22 Created: 2019-12-09 Last updated: 2020-09-07
2. Information Classification Enablers
2015 (English) In: Foundations and Practice of Security: 8th International Symposium, FPS 2015, Clermont-Ferrand, France, October 26-28, 2015, Revised Selected Papers / [ed] Joaquin Garcia-Alfaro, Evangelos Kranakis & Guillaume Bonfante, Cham: Springer, 2015, p. 268-276. Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents a comprehensive systematic literature review of information classification (IC) enablers. We propose a classification based on the well-known levels of management: strategic, tactical and operational. The results reveal that a large number of enablers could be adopted to increase the applicability of IC in organizations. The results also indicate that there is not one single enabler solving the problem, but rather several enablers can influence the adoption.

Place, publisher, year, edition, pages
Cham: Springer, 2015
Series
Lecture Notes in Computer Science (LNCS), ISSN 0302-9743 ; 9482
Keywords
information classification, systematic literature review, ISMS
National Category
Information Systems, Social aspects
Research subject
Technology; Humanities and Social sciences; Information Systems
Identifiers
urn:nbn:se:hj:diva-47019 (URN)
10.1007/978-3-319-30303-1_17 (DOI)
000379392900017 ()
2-s2.0-84960324053 (Scopus ID)
978-3-319-30302-4 (ISBN)
978-3-319-30303-1 (ISBN)
Conference
8th International Symposium, FPS 2015, Clermont-Ferrand, France, October 26-28, 2015
Available from: 2016-03-08 Created: 2019-12-09 Last updated: 2020-09-07
3. Information Classification Policies: An Exploratory Investigation
2018 (English) In: Proceedings of the Annual Information Institute Conference / [ed] G. Dhillon and S. Samonas, 2018. Conference paper, Published paper (Refereed)
Abstract [en]

InfoSec policies are considered a key mechanism in information security, and most organizations have one. However, the large majority of security policy research has focused on what policies should include rather than how they are accomplished in practice. To contribute to overcoming the lack of knowledge regarding this crucial aspect, this paper investigates information security policies based on the underlying approaches on which information classification practices are built and the perceived ease of turning the policy into practice. To do so, a survey was sent to 284 Swedish government agencies, and 80 of their internal policies were collected as data. The data were analyzed both quantitatively and qualitatively. The results show that information classification adoption rates are low despite being mandatory and that agencies are struggling to close the gap between standards and practice. Furthermore, the results also show that information classification policies need to be more specific and give more actionable advice regarding, e.g., how information life-cycle management is included in practice, and where the responsibility for classification is placed in the organization.

Keywords
Information security management, information classification, InfoSec policies.
National Category
Public Administration Studies
Identifiers
urn:nbn:se:hj:diva-47049 (URN)
978-1-935160-19-9 (ISBN)
Conference
17th Annual Security Conference, March 26-28, 2018 Las Vegas, NV, USA
Available from: 2019-12-11 Created: 2019-12-11 Last updated: 2025-02-21
4. Revisiting information security risk management challenges: a practice perspective
2019 (English) In: Information and Computer Security, E-ISSN 2056-4961, Vol. 27, no 3, p. 358-372. Article in journal (Refereed), Published
Abstract [en]

Purpose: The study aims to revisit six previously defined challenges in information security risk management to provide insights into new challenges based on current practices.

Design/methodology/approach: The study is based on an empirical study consisting of in-depth interviews with representatives from public sector organisations. The data were analysed by applying a practice-based view, i.e. the lens of knowing (or knowings). The results were validated by an expert panel.

Findings: Managerial and organisational concerns that go beyond a technical perspective have been found, which affect the ongoing social build-up of knowledge in everyday information security work.

Research limitations/implications: The study is delimited in that it consists of data from four public sector organisations, i.e. statistical analyses have not been in focus; instead it aims at a better understanding of what actions are practised in their security work, and why.

Practical implications: The new challenges that have been identified offer a refined set of actionable advice to practitioners, which, for example, can support cost-efficient decisions and avoid unnecessary security trade-offs.

Originality/value: Information security is increasingly relevant for organisations, yet little is still known about how related risks are handled in practice. Recent studies have indicated a gap between the espoused and the actual actions. Insights from the actual, situated enactment of practice can advise on process adaptation and suggest better-fitting approaches.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2019
Keywords
Asset valuation, Information security, Practice theory, Risk management
National Category
Information Systems, Social aspects
Research subject
Information Systems
Identifiers
urn:nbn:se:hj:diva-47016 (URN)
10.1108/ICS-09-2018-0106 (DOI)
000479219900003 ()
2-s2.0-85067021789 (Scopus ID)
Available from: 2019-06-27 Created: 2019-12-09 Last updated: 2020-09-07
5. Dynamic Interplay in the Information Security Risk Management Process
2019 (English) In: International Journal of Risk Assessment and Management, ISSN 1466-8297, E-ISSN 1741-5241, Vol. 22, no 2, p. 212-230. Article in journal (Refereed), Published
Abstract [en]

In this paper, the formal processes so often assumed in information security risk management and its activities are investigated. For instance, information classification, risk analysis, and security controls are often presented in a predominantly instrumental progression. This approach, however, has received scholarly criticism, as it omits social and organizational aspects, creating a gap between formal and actual processes. This study argues that there is an incomplete understanding of how the activities within these processes actually interplay in practice. For this study, senior information security managers from four major Swedish government agencies were interviewed. As a result, twelve characteristics are presented that reflect an interplay between activities and that have implications for research, as well as for developers of standards and guidelines. The study’s conclusions suggest that the information security risk management process should be seen more as an emerging process, where each activity interplays dynamically in response to new requirements and organizational and social challenges.

Place, publisher, year, edition, pages
InderScience Publishers, 2019
Keywords
information classification, risk analysis, security controls, interplay, formal processes
National Category
Information Systems; Information Systems, Social aspects
Research subject
Information systems
Identifiers
urn:nbn:se:hj:diva-47036 (URN)
10.1504/IJRAM.2019.101287 (DOI)
Note

Validated; 2019; Level 1; 2019-08-21 (johcin)

Available from: 2019-04-18 Created: 2019-12-09 Last updated: 2020-09-07
6. Stress Amongst Novice Information Security Risk Management Practitioners
2019 (English) In: International Journal on Cyber Situational Awareness, ISSN 2057-2182, Vol. 4, no 1, p. 128-154. Article in journal (Refereed), Published
Abstract [en]

Today, information is a key asset for many organisations. Reducing risks of information compromise is increasingly prioritised. However, there is an incomplete understanding of how organisations with limited security knowledge and experience manage information security risks in practice. Previous studies have suggested that security-novice employees faced with burdensome, complex, and ambiguous security requirements can experience security-related stress (SRS), which can ultimately influence their security decisions. In this study, we further this research stream by suggesting that SRS can similarly be found among security-novice managers responsible for developing and practising information security risk management (ISRM). Two organisations were targeted in the study using a case study approach to obtain data about their practices, using SRS as an analytical lens. The study found various examples where SRS influenced security-novice managers' decisions, identifies several stressors and stress inhibitors in the ISRM process and supporting ISRM tools, and discusses the implications for practitioners.

Place, publisher, year, edition, pages
Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC), 2019
Keywords
Security-novice, information security, information security risk management, stress, tools, compliance, management
National Category
Information Systems, Social aspects
Research subject
Information systems
Identifiers
urn:nbn:se:hj:diva-47035 (URN)
10.22619/IJCSA (DOI)
Note

Validated; 2019; Level 1; 2019-12-09 (johcin)

Available from: 2019-12-09 Created: 2019-12-09 Last updated: 2020-09-07
7. Reference Implementations - Usages And The Quest For A Definition
2014 (English) In: EURAS Proceedings 2014: Cooperation among standardisation organisations and the scientific and academic community / [ed] Ivana Mijatovic & Kai Jakobs, Aachen: Wissenschaftsverlag Mainz, 2014, p. 17-31. Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents a systematic literature review performed to investigate whether there is a prevailing definition of reference implementation in the standards community, and how reference implementations are described as being used within that community. The literature review targets all electronically available core journals and conferences in the field, and the results are classified according to a framework introduced in the paper. We found that there is one definition that focuses on conformance testing, but the results from the literature review show further uses of reference implementations, such as when developing standards, when implementing them, and when developing products.

Place, publisher, year, edition, pages
Aachen: Wissenschaftsverlag Mainz, 2014
Series
EURAS Contributions to Standardisation Research
Keywords
Reference implementation, systematic literature review, standards
National Category
Information Systems
Research subject
Humanities and Social sciences; Information Systems
Identifiers
urn:nbn:se:hj:diva-47018 (URN)
978-3-86073-305-9 (ISBN)
Conference
19th EURAS Annual Standardisation Conference, Cooperation among standardisation organisations and the scientific and academic community, 8–10 September 2014, Belgrade, Serbia
Note

978-3-86073-305-2

Available from: 2014-09-18 Created: 2019-12-09 Last updated: 2020-09-07
8. Kompetensbehov och kompetensförsörjning inom informationssäkerhet från ett samhällsperspektiv (Competence needs and competence supply in information security from a societal perspective)
2015 (Swedish) Report (Other academic)
Abstract [sv] (translated from Swedish)

On commission from the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB), a study has been carried out with the aim of complementing the result of a previously conducted pre-study (Åhlfeldt et al., 2014) with an analysis of competence supply and competence needs in the field of information security from a societal perspective. The work has been carried out by researchers from two higher education institutions, Högskolan i Skövde and Karlstad University, and within three research disciplines: education, information security and business administration.

The assignment has been to answer the following questions:

  • What are the competence needs for good and balanced information security that contributes to society's information security?
    • Current competence needs (present situation)
    • Future competence needs
    • How should the necessary competence be obtained, and who is responsible?
    • Based on the questions above, what are the most important success factors?

The work has been carried out in the form of focus groups with representatives from public agencies and companies that have a close operational connection to society's information security and that are important for society's information security to function.

The result shows that there are major shortcomings regarding information security competence at all levels of society. Three clear areas are pointed out: 1) national: an increased need for stronger governance and management as well as requirement setting; 2) organisation: an increased need for competence from management to employees, but with a strong focus on competence-raising measures at management level and in procurement; and 3) the citizen perspective, where above all the school sector is highlighted as an important area for competence-raising measures.

To achieve the necessary competence, educational efforts are required in all the areas listed above: education at academic level for information security experts, but also other programmes in, for example, law and economics. Professionals at organisational level also need targeted competence-raising measures that put information security in focus based on the organisation's operational needs, from management level to employee level.

The result also shows that responsibility for society's competence supply in information security likewise lies in all three areas mentioned above, but with a clear emphasis on the national level. Here, the need for national requirements is emphasised in order to raise awareness of and elevate information security in socially critical operations so as to reach as many citizens as possible.

Proposals for future work on the development of methods for future studies of competence supply point primarily to methods for addressing the lack of a holistic view, as well as competence supply for management and citizens.

Place, publisher, year, edition, pages
Skövde: Högskolan i Skövde, 2015. p. 30
Keywords
information security, competence, societal perspective
National Category
Information Systems
Research subject
Technology; Information Systems; Followership and Organizational Resilience
Identifiers
urn:nbn:se:hj:diva-47027 (URN)
Available from: 2019-12-09 Created: 2019-12-09 Last updated: 2020-09-07
9. Informationsklassificering och säkerhetsåtgärder (Information classification and security measures)
2016 (Swedish) Report (Other academic)
Place, publisher, year, edition, pages
Skövde: Högskolan i Skövde, 2016. p. 34
Keywords
information security, information classification, information security management
National Category
Information Systems
Research subject
Humanities and Social sciences; Technology; Information Systems
Identifiers
urn:nbn:se:hj:diva-47021 (URN)
Note

HS-IIT-TR-16-002

Available from: 2019-12-09 Created: 2019-12-09 Last updated: 2020-09-07
10. Security-related stress: A perspective on information security risk management
2019 (English) In: 2019 International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2019, IEEE, 2019. Conference paper, Published paper (Refereed)
Abstract [en]

In this study, the enactment of information security risk management by novice practitioners is studied by applying an analytical lens of security-related stress. Two organisations were targeted in the study using a case study approach to obtain data about their practices. The study identifies stressors and stress inhibitors in the ISRM process and the supporting ISRM tools and discusses the implications for practitioners. For example, a mismatch between security standards and how they are interpreted in practice has been identified. This mismatch was further found to be strengthened by the design of the used ISRM tools. Those design shortcomings hamper agility since they may enforce a specific workflow or may restrict documentation. The study concludes that security-related stress can provide additional insight into security-novice practitioners' ISRM challenges. 

Place, publisher, year, edition, pages
IEEE, 2019
Keywords
Compliance, Information security, Information security risk management, Management, Novices, Stress, Tools, Information services, Security of data, Stresses, Case study approach, Information security risk managements, Security standards, Risk management
National Category
Information Systems, Social aspects
Research subject
Software Systems Research Group (SSRG)
Identifiers
urn:nbn:se:hj:diva-47025 (URN)
10.1109/CyberSecPODS.2019.8884877 (DOI)
2-s2.0-85075007461 (Scopus ID)
9781728102290 (ISBN)
Conference
5th International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2019; Department of Computer Science, University of Oxford, Wolfson Building, Parks Road, Oxford, United Kingdom; 3 June 2019 through 4 June 2019
Available from: 2019-11-28 Created: 2019-12-09 Last updated: 2020-09-07

Open Access in DiVA

fulltext (1424 kB), 1215 downloads
File information
File name: FULLTEXT01.pdf
File size: 1424 kB
Checksum (SHA-512): d70346f17eafb3aa6ea5d9374a7e14781c6a293fcd3574189c4e4489335112e0f43ab6e0c5c361cc87204fb71da9c40ca2d6f31cadcfdd15f20906d8abded05b
Type: fulltext
Mimetype: application/pdf

Authority records

Bergström, Erik
