Informationssäkerhetspolicyer i svenska SMF : Utmaningar och hinder / Informationssecuritypolicys within Swedish SME:s : Challenges and barriers

Persson, Oscar, Notelid, Nils

January 2023

Information security is an important focus area in our business climate, where cyberattacks pose a growing threat. To address the increasing threat landscape, it is crucial for companies to establish guidelines and regulations on how employees and companies should act to maintain information security. Therefore, many companies are working on implementing an Information Security Management System (ISMS), where information security policies (ISP) are considered the cornerstone. However, research has shown that small and medium-sized enterprises (SMEs) face specific obstacles and challenges when it comes to implementing and complying with an ISP. The purpose of this study is to provide recommendations for Swedish SMEs to achieve better implementation and compliance levels of ISPs. The empirical data for this study is based on data collected through semi-structured interviews with Swedish SMEs. The collected data was then analyzed using thematic analysis. The results of the empirical data indicate that a lack of competence is the primary issue for Swedish SMEs in their information security efforts. The study’s conclusions discuss the recommendations based on the collected empirical data and the reviewed literature. Among the recommendations, the authors emphasize the importance of education to increase information security awareness, as well as the importance of engagement from top management. The authors have chosen to limit the scope of the study to businesses in Sweden. Furthermore, no consideration has been given to industry-specific characteristics since the study’s respondents operate in diverse business sectors. / Informationssäkerhet är ett viktigt fokusområde inom dagens företagsklimat, där cyberattacker utgör ett växande hot. För att möta den ökande hotbilden lyfts värdet av att företag etablerar riktlinjer och bestämmelser över hur anställda och verksamheten ska agera för att bibehålla informationssäkerheten. Många företag jobbar därmed för att etablera ett ledningssystem för informationssäkerhet (LIS), där informationssäkerhetspolicyer (ISP) anses utgöra grundpelaren för ett LIS. Forskning pekar däremot på att små och medelstora företag (SMF) upplever särskilda hinder och utmaningar när det kommer till att implementera och efterleva en ISP. Studiens syfte är således att framföra rekommendationer för hur svenska SMF kan åstadkomma en bättre implementations- och efterlevnadsgrad av informationssäkerhetspolicyer.Studiens empiri bygger på datainsamling som erhållits från semistrukturerade intervjuer med svenska SMF. Insamlade data har sedan analyserats med hjälp av en tematisk analysmetod. Resultatet av empirin indikerar på att kompetensbristen är den primära faktorn som hindrar svenska SMF i sitt informationssäkerhetsarbete. Studiens slutsatser avhandlar rekommendationer utifrån insamlad empiri och granskad litteratur. Bland rekommendationerna ser studiens författare att utbildning i syfte att höja informationssäkerhetsmedvetenheten och engagemang från företagsledningen är av största vikt för att lyckas. Författarna har valt att begränsa studiens omfång till den svenska företagsmarknaden. Vidare har ingen hänsyn tagits till industrispecifika karaktärsdrag, då studiens respondenter verkar inom spridda sektorer.

Information Security Policy (ISP)

Information Security

Small and Medium-sized Enterprises (SME)

Policy compliance

Informationssäkerhetspolicy (ISP)

Informationssäkerhet

Små och medelstora företag (SMF)

Policyefterlevnad

Information Systems

The human connection to information security : A qualitative study on policy development, communication and compliance in government agencies / Den mänskliga kopplingen till informationssäkerhet : En kvalitativ studie om policyutveckling, kommunikation och efterlevnad inom statliga myndigheter

Abdulhadi, Osama

January 2023

The human factor and insider threats play a crucial role in information security. In today’s digital age, protecting organizational data requires a deep understanding of human behaviour and its impact on information security. The increasing volume of electronically stored data has led to a rise in cyber threats and breaches, necessitating effective information security policies and regulations. This study focuses on the experiences and perspectives of employees and top management in government agencies regarding the development, communication, compliance, and attitudes towards information security policies and regulations. Semi-structured interviews were conducted with participants from both top management or information security officers and regular employees, which allowed for an in-depth exploration of their experiences and perspectives. The findings show that government agencies systematically develop policies by engaging stakeholders, ensuring accessibility, and adhering to legal frameworks. Addressing the human factor involves training, awareness programs, and top management support. Policy development and implementation include risk assessment, stakeholder identification, objective setting, continuous review, and integration into daily operations. Communication channels such as intranets, training, coordinators, and awareness events are utilized, but their effectiveness is not directly measured. Proposed improvements include enhancing accessibility, improving policy document management, and using clearer language. Employees generally possess a positive attitude towards information security, though their understanding varies, and challenges to their understanding include complex language and unclear instructions. Compliance also varies, with difficulties arising from technical terminology and information overload. Enhanced compliance can be achieved through simplified language, providing better resources, and top management support. Proactive incident management focuses on learning and risk minimization. The human factor and insider threats remain significant concerns, which emphasizes the need for further education, awareness training, and motivation.

Communication

compliance

development

effectiveness

government agencies

human factor

information security

information security awareness

information security culture

information security management system

information security policy

insider threat

Information Systems, Social aspects

Awareness and training: the influence on end-user' attitude towards information security policy compliance

Snyman, Mmabatho Charity

02 1900

Research accentuates that end-users‘ noncompliance with information security policy (ISP) is a key concern for government just as it is for the private sector. Although awareness and training programmes are important factors impacting employees‘ intentions to comply with an organisation‘s ISP, it can be argued that there is insufficient empirical evidence to support this assertion. To address this gap, this study seeks to expand research on ISP compliance by focusing on attitudes as targets of change. A research model based on the Theory of Planned Behaviour was proposed to illustrate the influence of ISP awareness training on end-users‘ attitudes towards complying with their organisation‘s ISP. Relevant hypotheses were developed to test the research conceptualisation. A survey and an experiment was undertaken to collect the data from a sample of 173 end-users of a single government organisation in one province. The data was captured and analysed using a Statistical Package for Social Sciences (SPSS). Furthermore, Structural Equation Modelling (SEM) was used to test whether the overall model appears to be a good fit to support the hypotheses. The reliability, validity, and model fit were found to be statistically significant, and three out of five research hypotheses were supported. Overall this study contributes to the existing body of knowledge by providing an understanding of the methods that can be used to encourage end-users‘ ISP compliance behaviour through an attitudinal shift, thereby targeting end-users‘ attitude as a means to improve information security policy compliance. Implications of the findings are further discussed in the paper. / Information Technology / M. Tech. (Information Technology)

Attitudes

Information security

Information security policy

Awareness training

Intentions to comply

Information security compliance

Self-efficacy

005.8

Computer security -- Government policy

Data protection -- Government policy

Computer networks -- Security measures

Compliance auditing

Information technology -- Management

Assessing information security compliant behaviour using the self-determination theory

Gangire, Yotamu

02 1900

Information security research shows that employees are a source of some of the security incidents in the organisation. This often results from failure to comply with the Information Security Policies (ISPs). The question is, therefore, how to improve information security behaviour of employees so that it complies with the ISPs. This study aims to contribute to the understanding of information security behaviour, especially how it can be improved, from an intrinsic motivation perspective. A review of the literature suggested that research in information security behaviour is still predominantly based on the extrinsic perspective, while the intrinsic perspective has not received as much attention. This resulted in the study being carried out from the perspective of the self-determination theory (SDT) since this theory has also not received as much attention in the study of information security behaviour. The study then proposed an information security compliant behaviour conceptual model based on the self-determination theory, (ISCBMSDT). Based on this model, a questionnaire, the ISCBMSDT questionnaire, was developed using the Human Aspects of Information Security Questionnaire and SDT. Using this questionnaire, a survey (n = 263) was carried out at a South African university and responses were received from the academic, administrative and operational staff. The following statistical analysis of the data was carried out: exploratory factor analysis, reliability analysis, analysis of variance (ANOVA), independent samples test (t-tests) and Pearson correlation analysis. The responses to the survey questions suggest that autonomy questions received positive perception followed by competence questions and relatedness questions. The correlation analysis results show the existence of a statistically significant relationship between competence and autonomy factors. Also, a partial significant relationship between autonomy and relatedness factors as well as between competence and relatedness factors was observed. The exploratory factor analysis that was performed on the questionnaire produced 11 factors. Cronbach alpha was then computed for the eleven factors and all were found to be above 0.7, thus suggesting that the questionnaire is valid and reliable. The results of the research study also suggest that competence and autonomy could be more important than relatedness in directing information security behaviour among employees. / School of Computing / M. Tech. (Information Technology)

Information security policies (ISP)

Information security policy compliance

Self-determination theory

Intrinsic motivation

005.80711

Information policy -- South Africa