Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Security-related stress: A perspective on information security risk management
Department of Computer Science Luleå University of Technology Luleå, Sweden .
Högskolan i Skövde, Institutionen för informationsteknologi.
2019 (English)In: 2019 International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2019, IEEE , 2019Conference paper, Published paper (Refereed)
Abstract [en]

In this study, the enactment of information security risk management by novice practitioners is studied by applying an analytical lens of security-related stress. Two organisations were targeted in the study using a case study approach to obtain data about their practices. The study identifies stressors and stress inhibitors in the ISRM process and the supporting ISRM tools and discusses the implications for practitioners. For example, a mismatch between security standards and how they are interpreted in practice has been identified. This mismatch was further found to be strengthened by the design of the used ISRM tools. Those design shortcomings hamper agility since they may enforce a specific workflow or may restrict documentation. The study concludes that security-related stress can provide additional insight into security-novice practitioners' ISRM challenges. 

Place, publisher, year, edition, pages
IEEE , 2019.
Keywords [en]
Compliance, Information security, Information security risk management, Management, Novices, Stress, Tools, Information services, Security of data, Stresses, Case study approach, Information security risk managements, Security standards, Risk management
National Category
Information Systems, Social aspects
Research subject
Software Systems Research Group (SSRG)
Identifiers
URN: urn:nbn:se:hj:diva-47025DOI: 10.1109/CyberSecPODS.2019.8884877Scopus ID: 2-s2.0-85075007461ISBN: 9781728102290 (print)OAI: oai:DiVA.org:hj-47025DiVA, id: diva2:1376389
Conference
5th International Conference on Cyber Security and Protection of Digital Services, Cyber Security 2019; Department of Computer Science, University of OxfordWolfson Building Parks RoadOxford; United Kingdom; 3 June 2019 through 4 June 2019
Available from: 2019-11-28 Created: 2019-12-09 Last updated: 2020-09-07
In thesis
1. Supporting Information Security Management: Developing a Method for Information Classification
Open this publication in new window or tab >>Supporting Information Security Management: Developing a Method for Information Classification
2020 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

In the highly digitalised world in which we live today, information and information systems have become critical assets to organisations, and hence need to be safeguarded accordingly. In order to implement and work with information security in a structured way, an Information Security Management System (ISMS) can be implemented. Asset management is a central activity in ISMS that aims at identifying, assigning ownership and adding protection to information assets. One activity within asset management is information classification that has the objective to ensure that the information receives an appropriate level of protection in accordance with its importance to the organisation. Information classification is a well-known practice for all kinds of organisations, both in the private and public sector, and is included in different variants in standards such as ISO/IEC 27002, COBIT and NIST-SP800.

However, information classification has received little attention from academia, and many organisations are struggling with the implementation. The reasons behind why it is problematic, and how to address such issues, are largely unknown. Furthermore, existing approaches, described in, for example, standards and national recommendations, do not provide a coherent and systematic approach to information classification. The short descriptions in standards, and literature alike, leave out essential aspects needed for many organisations to adopt and implement information classification. There is, for instance, a lack of detailed descriptions regarding (1) procedures and concepts, (2) how to tailor the approach for different situations, (3) a framework that structures and guides the classification, (4) what roles should be involved in the classification, and (5) how information with different granularity is handled.

This thesis aims to increase the applicability of information classification by developing a method for information classification in ISMS that draws from established standards and practice. In order to address this aim, a Design Science Research (DSR) study was performed in three cycles. A wide range of data was collected, including a series of interviews with experts and novices on information classification, a survey, most of the Swedish public sector information classification policies, and observations. There are three main contributions made by this thesis (1) the identification of issues and enablers for information classification, (2) the design principles underpinning the development of a method for information classification, and (3) the method for information classification itself. Contributions have also been made to the context around information classification, such as, for example, 20 practical suggestions for how to meet documented challenges in practice.

Abstract [sv]

I den starkt digitaliserade värld vi lever i idag har information och informationssystem blivit kritiska tillgångar för organisationer och därför måste dessa följaktligen skyddas. För att implementera och arbeta med informationssäkerhet på ett strukturerat sätt kan ett ledningssystem för informationssäkerhet (LIS) implementeras. Hantering av tillgångar är en central aktivitet i LIS som syftar till att identifiera tillgångar, fastställa lämpligt ansvar och bestämma lämplig skyddsnivå för informationstillgångar. En aktivitet inom hanteringen av tillgångar är informationsklassificering som har som mål att se till att information får en lämplig skyddsnivå i enlighet med dess betydelse för organisationen. Informationsklassificering är en allmänt känd och välanvänd praxis för alla slags organisationer, både inom den privata och offentliga sektorn. Dessutom finns informationsklassificering beskrivit som en del av flera standarder exempelvis i ISO/IEC 27002, COBIT och NIST-SP800.

Informationsklassificering har emellertid fått lite uppmärksamhet inom akademin och dessutom kämpar många organisationer med införandet. De underliggande orsakerna till varför det är problematiskt att implementera och använda informationsklassificering är i mångt och mycket oklara. Vidare tillhandahåller exempelvis befintliga standarder och nationella rekommendationer inget sammanhängande och systematiskt beskrivit tillvägagångssätt för att skildra informationsklassificering. De korta beskrivningarna i standarder och vetenskaplig litteratur utelämnar väsentliga aspekter som krävs för att kunna implementera informationsklassificering i en organisation. Det finns till exempel brist på detaljerade beskrivningar avseende (1) förfaranden och begrepp, (2) hur man kan anpassa tillvägagångssättet för olika situationer, (3) ett ramverk som strukturerar och styr klassificeringen, (4) vilka roller som ska vara involverade i klassificeringen och (5) hur information med olika granularitet hanteras.

Denna avhandling syftar till att utveckla en metod för informationsklassificering som bygger på standarder och praxis och som kan användas som en del av LIS-arbetet. För att möta detta syfte genomfördes en DSR-studie (Design Science Research) i tre cykler. Ett brett spektrum av data har samlats in som en del av detta arbete, inklusive en serie intervjuer med experter och nybörjare om informationsklassificering, en enkätundersökning, ett antal observationer samt en insamling av de flesta svenska myndigheters klassificeringspolicyer. Det finns tre huvudsakliga bidrag med denna avhandling (1) identifiering av problem och möjliggörare för informationsklassificering, (2) designprinciper som ligger till grund för utvecklingen av en metod för informationsklassificering och (3) metoden för informationsklassificering. Det har också gjorts bidrag till kontexten kring informationsklassificering. Exempelvis beskrivs och ges 20 praktiska förslag för hur man bemöter väldokumenterade utmaningar inom riskanalys och vid val av skyddsåtgärder.

Place, publisher, year, edition, pages
Skövde: University of Skövde, 2020. p. 310
Series
Dissertation Series ; 33
Keywords
information classification, Information security management, Information security management systems, Information classification method
National Category
Information Systems
Research subject
INF303 Information Security; Information Systems
Identifiers
urn:nbn:se:hj:diva-50564 (URN)978-91-984918-5-2 (ISBN)
Public defence
2020-09-04, G109, Högskolevägen 1, 09:00 (English)
Opponent
Supervisors
Note

Ett av sju delarbeten (övrigt se rubriken Delarbeten/List of papers): VII. Bergström, E., Karlsson, F., & Åhlfeldt, R.-M. (Submitted). Developing an Information Classification Method. Submitted for review to Information and Computer Security.

Available from: 2020-09-07 Created: 2020-09-07 Last updated: 2020-09-07Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Bergström, Erik

Search in DiVA

By author/editor
Bergström, Erik
Information Systems, Social aspects

Search outside of DiVA

GoogleGoogle Scholar

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 303 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf