Search results

1 – 4 of 4
Content available
Article
Publication date: 11 June 2018

Fredrik Karlsson, Ella Kolkowska and Marianne Törner

Downloads
282

Abstract

Details

Information & Computer Security, vol. 26 no. 2
Type: Research Article
ISSN: 2056-4961

Click here to view access options
Article
Publication date: 14 November 2016

Fredrik Karlsson, Ella Kolkowska and Frans Prenkert

The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the…

Downloads
1321

Abstract

Purpose

The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about.

Design/methodology/approach

The results are based on a literature review of inter-organisational information security research published between 1990 and 2014.

Findings

The authors conclude that existing research has focused on a limited set of research topics. A majority of the research has focused management issues, while employees’/non-staffs’ actual information security work in inter-organisational settings is an understudied area. In addition, the majority of the studies have used a subjective/argumentative method, and few studies combine theoretical work and empirical data.

Research limitations/implications

The findings suggest that future research should address a broader set of research topics, focusing especially on employees/non-staff and their use of processes and technology in inter-organisational settings, as well as on cultural aspects, which are lacking currently; focus more on theory generation or theory testing to increase the maturity of this sub-field; and use a broader set of research methods.

Practical implications

The authors conclude that existing research is to a large extent descriptive, philosophical or theoretical. Thus, it is difficult for practitioners to adopt existing research results, such as governance frameworks, which have not been empirically validated.

Originality/value

Few systematic reviews have assessed the maturity of existing inter-organisational information security research. Findings of authors on research topics, maturity and research methods extend beyond the existing knowledge base, which allow for a critical discussion about existing research in this sub-field of information security.

Details

Information & Computer Security, vol. 24 no. 5
Type: Research Article
ISSN: 2056-4961

Keywords

Click here to view access options
Article
Publication date: 23 January 2020

Elham Rostami, Fredrik Karlsson and Ella Kolkowska

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has…

Abstract

Purpose

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

Design/methodology/approach

The results are based on a literature review of ISP management research published between 1990 and 2017.

Findings

Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.

Research limitations/implications

Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

Practical implications

The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Originality/value

Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Details

Information & Computer Security, vol. 28 no. 2
Type: Research Article
ISSN: 2056-4961

Keywords

Click here to view access options
Article
Publication date: 7 October 2013

Karin Hedström, Fredrik Karlsson and Ella Kolkowska

Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the…

Downloads
1184

Abstract

Purpose

Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security.

Design/methodology/approach

This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality.

Findings

The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1. Employees' non-compliance is predominantly based on means-end calculations and based on a practical rationality, P2. An information security investigation of employees' rationality should not be based on an a priori assumption about user intent, P3. Information security management and choice of countermeasures should be based on an understanding of the use rationale, and P4. Countermeasures should target intentional as well as unintentional non-compliance.

Originality/value

This work is an extension of Hedström et al. arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedström et al. more clear.

Details

Information Management & Computer Security, vol. 21 no. 4
Type: Research Article
ISSN: 0968-5227

Keywords

1 – 4 of 4