Search results
1 – 10 of 27Elham Rostami, Fredrik Karlsson and Shang Gao
This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).
Abstract
Purpose
This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).
Design/methodology/approach
This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.
Findings
This study’s demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.
Research limitations/implications
The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.
Practical implications
Practitioners can use the model to develop software that assist information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.
Originality/value
The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.
Details
Keywords
Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk
This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.
Abstract
Purpose
This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.
Design/methodology/approach
The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.
Findings
The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.
Research limitations/implications
The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.
Practical implications
Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations.
Originality/value
Few information security policy compliance studies exist on the consequences of different organizational/information cultures.
Details
Keywords
Karin Hedström, Fredrik Karlsson and Fredrik Söderström
The purpose of this paper is to examine the challenges that arise when introducing an electronic identification (eID) card for professional use in a health-care setting.
Abstract
Purpose
The purpose of this paper is to examine the challenges that arise when introducing an electronic identification (eID) card for professional use in a health-care setting.
Design/methodology/approach
This is a case study of an eID implementation project in healthcare. Data were collected through interviews with key actors in a project team and with eID end users. The authors viewed the eID card as a boundary object intersecting social worlds. For this analysis, the authors combined this with an electronic government initiative challenge framework.
Findings
The findings of this paper illustrate the interpretative flexibility of eID cards and how eID cards as boundary objects intersect social worlds. The main challenges of implementing and using eID cards in healthcare are usability, user behaviour and privacy. However, the way in which these challenges are interpreted varies between different social worlds.
Practical implications
One of the implications for future practice is to increase our understanding of the eID card as a socio-technical artefact, where the social and technical is intertwined, at the same time as the eID card affects the social as well as the technical. By using a socio-technical perspective, it is possible to minimise the potential problems related to the implementation and use of eID.
Originality/value
Previous research has highlighted the need for more empirical research on identity management. The authors contextualise and analyse the implementation and use of eID cards within healthcare. By viewing the eID card as a boundary object, the authors have unveiled its interpretative flexibility and how it is translated across different social worlds.
Details
Keywords
Fredrik Karlsson, Martin Karlsson and Joachim Åström
This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic…
Abstract
Purpose
This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives.
Design/methodology/approach
A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares.
Findings
The results suggest that when using the value-monistic measure, employees’ compliance was a function of employees’ intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees’ compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values.
Research limitations/implications
The results are based on small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees’ compliance with information security policies.
Practical implications
Practitioners and researchers should be aware that there is a difference in measuring employees’ compliance using value monistic and value pluralism measurements.
Originality/value
Few studies exist that critically compare the two different compliance measures for the same population.
Details
Keywords
Fredrik Karlsson, Ella Kolkowska and Frans Prenkert
The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in…
Abstract
Purpose
The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about.
Design/methodology/approach
The results are based on a literature review of inter-organisational information security research published between 1990 and 2014.
Findings
The authors conclude that existing research has focused on a limited set of research topics. A majority of the research has focused management issues, while employees’/non-staffs’ actual information security work in inter-organisational settings is an understudied area. In addition, the majority of the studies have used a subjective/argumentative method, and few studies combine theoretical work and empirical data.
Research limitations/implications
The findings suggest that future research should address a broader set of research topics, focusing especially on employees/non-staff and their use of processes and technology in inter-organisational settings, as well as on cultural aspects, which are lacking currently; focus more on theory generation or theory testing to increase the maturity of this sub-field; and use a broader set of research methods.
Practical implications
The authors conclude that existing research is to a large extent descriptive, philosophical or theoretical. Thus, it is difficult for practitioners to adopt existing research results, such as governance frameworks, which have not been empirically validated.
Originality/value
Few systematic reviews have assessed the maturity of existing inter-organisational information security research. Findings of authors on research topics, maturity and research methods extend beyond the existing knowledge base, which allow for a critical discussion about existing research in this sub-field of information security.
Details
Keywords
Elham Rostami, Fredrik Karlsson and Ella Kolkowska
The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been…
Abstract
Purpose
The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.
Design/methodology/approach
The results are based on a literature review of ISP management research published between 1990 and 2017.
Findings
Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.
Research limitations/implications
Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.
Practical implications
The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.
Originality/value
Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.
Details
Keywords
Erik Bergström, Fredrik Karlsson and Rose-Mharie Åhlfeldt
The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information…
Abstract
Purpose
The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified.
Design/methodology/approach
The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019.
Findings
The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation.
Research limitations/implications
Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement.
Practical implications
The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour.
Originality/value
The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.
Details
Keywords
Fredrik Karlsson, Joachim Åström and Martin Karlsson
The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge…
Abstract
Purpose
The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about.
Design/methodology/approach
Results are based on a literature review of information security culture research published between 2000 and 2013 (December).
Findings
This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature.
Research limitations/implications
Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research.
Practical implications
Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated.
Originality/value
Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.
Details