Developing an information classification method
2021 (English)In: Information and Computer Security, E-ISSN 2056-4961, Vol. 29, no 2, p. 209-239Article in journal (Refereed) Published
Abstract [en]
Purpose: The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified.
Design/methodology/approach: The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019.
Findings: The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation.
Research limitations/implications: Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement.
Practical implications: The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour.
Originality/value: The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.
Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2021. Vol. 29, no 2, p. 209-239
Keywords [en]
Information classification, Information classification method, Information security management, Information security management systems, ISO Standards, Security of data, Design Principles, Design-science researches, Design/methodology/approach, Information assets, Long-term goals, Organisational, Subjective judgement, Classification (of information)
National Category
Information Systems
Identifiers
URN: urn:nbn:se:hj:diva-51259DOI: 10.1108/ICS-07-2020-0110ISI: 000595848200001Scopus ID: 2-s2.0-85097088962OAI: oai:DiVA.org:hj-51259DiVA, id: diva2:1510958
2020-12-172020-12-172021-12-21Bibliographically approved