Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
“Check, Check, Check, We Got Those” – Catalogue Use in Information Security Risk Management
Jönköping University, School of Engineering, JTH, Department of Computer Science and Informatics.ORCID iD: 0000-0002-1436-2980
School of Informatics, University of Skövde, Skövde, Sweden.
SINTEF Digital, Trondheim, Norway.
SINTEF Digital, Trondheim, Norway.
2023 (English)In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] S. Furnell & N. Clarke, Cham: Springer, 2023, Vol. 674, p. 181-191Conference paper, Published paper (Refereed)
Abstract [en]

Information Security Risk Management (ISRM) is fundamental in most organisations today. The literature describes ISRM as a complex activity, and one way of addressing this is to enable knowledge reuse in the shape of catalogues. Catalogues in the ISRM domain can contain lists of, e.g. assets, threats and security controls. In this paper, we focus on three aspects of catalogue use. Why we need catalogues, how catalogue granularity is perceived, and how catalogues help novices in practice. As catalogue use is not yet a widespread practice in the ISRM, we have selected a domain where catalogues are a part of the ISRM work. In this case, the Air Traffic Management (ATM) domain uses a methodology that includes catalogues and is built on ISO/IEC 27005. The results are based on data collected from 19 interviews with ATM professionals that are either experts or novices in ISRM. With this paper, we nuance the view on what catalogues can contribute with. For example, consistency, coherency, a starting point and new viewpoints. At the same time, we identify the need to inform about the aim of the catalogues and the limitations that come with catalogue use in order to leverage the use – especially from a novice perspective.

Place, publisher, year, edition, pages
Cham: Springer, 2023. Vol. 674, p. 181-191
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords [en]
Information Security Risk Management, Catalogues, Risk management practice
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:hj:diva-62271DOI: 10.1007/978-3-031-38530-8_15Scopus ID: 2-s2.0-85172661821ISBN: 978-3-031-38529-2 (print)ISBN: 978-3-031-38532-2 (print)ISBN: 978-3-031-38530-8 (electronic)OAI: oai:DiVA.org:hj-62271DiVA, id: diva2:1790832
Conference
17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023
Funder
EU, Horizon 2020, 731765Swedish Civil Contingencies Agency, MSB 2021–14650Available from: 2023-08-23 Created: 2023-08-23 Last updated: 2023-10-10Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Bergström, Erik

Search in DiVA

By author/editor
Bergström, Erik
By organisation
JTH, Department of Computer Science and Informatics
Computer and Information Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 75 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf