Framställning och implementering av informationssäkerhetspolicys i verksamheter: en beskrivning av framställnings- och implementeringsarbete genom teori och empiri
2024 (Swedish)
Independent thesis, basic level (degree of Bachelor), 10 credits / 15 HE credits
Student thesis
Alternative title
Design and Implementation Of Information Security Policies In Organizations : A Description Of The Design- And Implementation Work Through Theory and Empirics (English)
Abstract [sv]
This study addresses the problem that information system users have traditionally not been involved in the creation and implementation of information security policies. Information security policies are part of the total protection of an organization's information assets, where the first line of protection consists of the employees within the organization. A policy is intended to give employees direction in the various security-related procedures of everyday work. When employees are not involved in its creation and implementation, acceptance of and compliance with that direction are at risk, which in the long run can lead to information leaks and intrusions.
The purpose of the essay was to investigate user involvement in information security policies, both in their creation and in their implementation, as well as the impact of training on socio-technical aspects. We aim to investigate synergies between practice and theory as a means of making the security field concrete for information system users, and we intend to extend an existing model with our contributions to the field.
A deductive approach was applied. A step-by-step breakdown of the literature review produced a set of categories that became our theoretical foundation and the perspectives from which we viewed the area. The categories served as a basis for the interview questions used in the qualitative research method, in which we interviewed three security experts and four users. The empirical material was then analyzed through this theoretical lens in a result analysis.
The interview data show that the phenomena discovered extend across organizations of all sizes. The results show that policies in larger organizations are established, but according to "traditional methods" that pervade both implementation and thinking, with limited user involvement; they bear the imprint of high trust in experts and standards, which excludes users from participation. The organization's processes and organizational-cultural aspects have little impact on the information security policy, throughout its creation and implementation. Awareness among users appears to be limited, and the lack of user participation may have consequences for both the broad and the deeper understanding of threats, risks and potential incidents.
The paper's findings are relevant and may be of interest to management and administrators in organizations of all sizes, roles that research shows have traditionally been the ones dealing with security issues. The results are also of interest to the general user of information systems in organizations that need to protect their information assets through their employees.
Place, publisher, year, edition, pages
2024.
Keywords [en]
Information Security, Information Security Policies, Security Policy Implementation, Information Security Awareness, Information System Security Compliance, User behavior, Employee attitude, Employee Motivation, Social engineering, Security Awareness, Insider Threats, Information System Security Violations.
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:hb:diva-32241
OAI: oai:DiVA.org:hb-32241
DiVA, id: diva2:1881480
Subject / course
Informatics
Available from: 2024-07-03 Created: 2024-07-03 Last updated: 2025-09-24
Bibliographically approved