Örebro University Publications (DiVA)

Publications (10 of 106)
Rostami, E. & Karlsson, F. (2024). Qualitative content analysis of actionable advice in information security policies - introducing the keyword loss of specificity metric. Information and Computer Security
2024 (English). In: Information and Computer Security, E-ISSN 2056-4961. Article in journal (Refereed), Published
Abstract [en]

Purpose: This paper aims to investigate how congruent keywords are used in information security policies (ISPs) to pinpoint and guide clear actionable advice and suggest a metric for measuring the quality of keyword use in ISPs.

Design/methodology/approach: A qualitative content analysis of 15 ISPs from public agencies in Sweden was conducted with the aid of Orange Data Mining Software. The authors extracted 890 sentences from these ISPs that included one or more of the analyzed keywords. These sentences were analyzed using the new metric - keyword loss of specificity - to assess to what extent the selected keywords were used for pinpointing and guiding actionable advice. Thus, the authors classified the extracted sentences as either actionable advice or other information, depending on the type of information conveyed.

Findings: The results show a significant keyword loss of specificity in relation to pieces of actionable advice in ISPs provided by Swedish public agencies. About two-thirds of the sentences in which the analyzed keywords were used focused on information other than actionable advice. Such dual use of keywords reduces the possibility of pinpointing and communicating clear, actionable advice.

Research limitations/implications: The suggested metric provides a means to assess the quality of how keywords are used in ISPs for different purposes. The results show that more research is needed on how keywords are used in ISPs.

Practical implications: The authors recommended that ISP designers exercise caution when using keywords in ISPs and maintain coherency in their use of keywords. ISP designers can use the suggested metrics to assess the quality of actionable advice in their ISPs.

Originality/value: The keyword loss of specificity metric adds to the few quantitative metrics available to assess ISP quality. To the best of the authors' knowledge, applying this metric is a first attempt to measure the quality of actionable advice in ISPs.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2024
Keywords
Information security policy, Actionable advice, Policy design, Content analysis, Text analysis
National Category
Computer Sciences
Identifiers
urn:nbn:se:oru:diva-113347 (URN); 10.1108/ICS-10-2023-0187 (DOI); 001202480800001 ()
Available from: 2024-04-25. Created: 2024-04-25. Last updated: 2024-04-25. Bibliographically approved
Rostami, E. & Karlsson, F. (2023). A Qualitative Content Analysis of Actionable Advice in Swedish Public Agencies’ Information Security Policies. In: Steven Furnell; Nathan Clarke (Ed.), Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings. Paper presented at 17th IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2023), Kent, UK, July 4–6, 2023 (pp. 157-168). Springer
2023 (English). In: Human Aspects of Information Security and Assurance: 17th IFIP WG 11.12 International Symposium, HAISA 2023, Kent, UK, July 4–6, 2023, Proceedings / [ed] Steven Furnell; Nathan Clarke, Springer, 2023, p. 157-168. Conference paper, Published paper (Refereed)
Abstract [en]

Information security policies (ISPs) are an essential type of formal control that must be designed in a manner that is easily understandable for employees. Prior studies have recommended the inclusion of actionable advice; however, it is unclear how such advice should be worded to minimize the scope for interpretation. Therefore, this study investigates existing ISPs to assess how clear the pieces of actionable advice are and provide suggestions on how actionable advice should be worded in order to be clear. A qualitative content analysis of 15 ISPs from public agencies in Sweden was conducted with the aid of Orange Data Mining Software. First, the findings revealed an imbalance between the ISPs, where one-third of the ISPs provide over 50% of the analyzed actionable advice. Second, around two-thirds offer advice that is ambiguous and does not provide advice that employees can act upon. We, therefore, recommended that ISP designers exercise caution when using words in the ISP and maintain consistency in their word choices throughout.

Place, publisher, year, edition, pages
Springer, 2023
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords
Information Security Policy, Qualitative Content Analysis, Actionable Advice, Orange Data Mining Software
National Category
Information Systems, Social aspects
Identifiers
urn:nbn:se:oru:diva-108602 (URN); 10.1007/978-3-031-38530-8_13 (DOI); 9783031385292 (ISBN); 9783031385322 (ISBN); 9783031385308 (ISBN)
Conference
17th IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2023), Kent, UK, July 4–6, 2023
Available from: 2023-09-28. Created: 2023-09-28. Last updated: 2023-09-28. Bibliographically approved
Rostami, E., Karlsson, F. & Gao, S. (2023). Policy components - a conceptual model for modularizing and tailoring of information security policies. Information and Computer Security, 31(3), 331-352
2023 (English). In: Information and Computer Security, E-ISSN 2056-4961, Vol. 31, no 3, p. 331-352. Article in journal (Refereed), Published
Abstract [en]

Purpose: This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).

Design/methodology/approach: This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.

Findings: This study's demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.

Research limitations/implications: The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.

Practical implications: Practitioners can use the model to develop software that assist information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.

Originality/value: The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2023
Keywords
Information security policy, Information security management, Policy component, Situational method engineering, Policy design
National Category
Computer Sciences
Identifiers
urn:nbn:se:oru:diva-104974 (URN); 10.1108/ICS-10-2022-0160 (DOI); 000930607700001 (); 2-s2.0-85147558346 (Scopus ID)
Available from: 2023-03-16. Created: 2023-03-16. Last updated: 2024-06-11. Bibliographically approved
Havstorm, T. E. & Karlsson, F. (2023). Software developers reasoning behind adoption and use of software development methods – a systematic literature review. International Journal of Information Systems and Project Management, 11(2), 47-78
2023 (English). In: International Journal of Information Systems and Project Management, ISSN 2182-7796, E-ISSN 2182-7788, Vol. 11, no 2, p. 47-78. Article, review/survey (Refereed), Published
Abstract [en]

When adopting and using a Software Development Method (SDM), it is important to stay true to the philosophy of the method; otherwise, software developers might execute activities that do not lead to the intended outcomes. Currently, no overview of SDM research addresses software developers’ reasoning behind adopting and using SDMs. Accordingly, this paper aims to survey existing SDM research to scrutinize the current knowledge base on software developers’ type of reasoning behind SDM adoption and use. We executed a systematic literature review and analyzed existing research using two steps. First, we classified papers based on what type of reasoning was addressed regarding SDM adoption and use: rational, irrational, and non-rational. Second, we made a thematic synthesis across these three types of reasoning to provide a more detailed characterization of the existing research. We elicited 28 studies addressing software developers’ reasoning and identified five research themes. Building on these themes, we framed four future research directions with four broad research questions, which can be used as a basis for future research.

Place, publisher, year, edition, pages
Sciencesphere, 2023
Keywords
systems development method, software development method, systematic literature review, use, adoption
National Category
Information Systems
Research subject
Informatics
Identifiers
urn:nbn:se:oru:diva-107115 (URN); 10.12821/ijispm110203 (DOI); 001041234300004 (); 2-s2.0-85165179983 (Scopus ID)
Projects
Cargo cult behaviour in agile systems development
Available from: 2023-07-14. Created: 2023-07-14. Last updated: 2023-11-21. Bibliographically approved
Havstorm, T. E., Karlsson, F. & Hedström, K. (2023). Uncovering Situations of Cargo Cult Behavior in Agile Software Development Method Use. In: Tung X. Bui (Ed.), Proceedings of the 56th Hawaii International Conference on System Sciences. Paper presented at 56th Hawaii International Conference on System Sciences (HICSS), Maui, Hawaii, USA, January 3-6, 2023 (pp. 6486-6495). University of Hawai'i at Manoa, 56
2023 (English). In: Proceedings of the 56th Hawaii International Conference on System Sciences / [ed] Tung X. Bui, University of Hawai'i at Manoa, 2023, Vol. 56, p. 6486-6495. Conference paper, Published paper (Refereed)
Abstract [en]

Misinterpretations and faulty use of Software Development Method (SDM) practices and principles are identified pitfalls in Software Development (SD). Previous research indicates cases with method adoption and use failures; one reason could be the SDM Cargo Cult (CC) behavior, where SD organizations claim to be agile but not doing agile. Previous research has suggested the SDM CC framework as an analytical tool. The aim of this paper is to refine the SDM CC framework and empirically test this version of the framework. We use data from an ethnographical study on three SD teams’ Daily Scrum Meetings (DSM). The empirical material was collected through observations, interviews, and the organization’s business documents. We uncovered twelve CC situations in the SD teams’ use of the DSM practice, structured into seven categories of SDM deviations: bringing irrelevant information, canceling meetings, disturbing the team, receiving unclear information, bringing new requirements, problem-solving, and task distribution.

Place, publisher, year, edition, pages
University of Hawai'i at Manoa, 2023
Series
Proceedings of the Annual Hawaii International Conference on System Sciences (HICSS), ISSN 1530-1605, E-ISSN 2572-6862
Keywords
Agile, Cargo cult, Self-determination theory, Social-action theory, Software Development Methods
National Category
Information Systems, Social aspects
Research subject
Informatics
Identifiers
urn:nbn:se:oru:diva-104323 (URN); 9780998133164 (ISBN)
Conference
56th Hawaii International Conference on System Sciences (HICSS), Maui, Hawaii, USA, January 3-6, 2023
Projects
Cargo cult behaviour in agile systems development
Available from: 2023-02-19. Created: 2023-02-19. Last updated: 2023-08-24. Bibliographically approved
Karlsson, F., Hedström, K. & Kolkowska, E. (2023). Using the Delphi Method to Elicit Requirements for an International Master’s Program in Information Security Management. In: Leslie F. Sikos; Paul Haskell-Dowland (Ed.), Cybersecurity Teaching in Higher Education (pp. 37-57). Cham: Springer
2023 (English). In: Cybersecurity Teaching in Higher Education / [ed] Leslie F. Sikos; Paul Haskell-Dowland, Cham: Springer, 2023, p. 37-57. Chapter in book (Refereed)
Abstract [en]

In today's complex environments, safeguarding organizations’ information assets is difficult and requires more than solely technical skills. In order to meet the need for future information security specialists, in 2018 the Informatics department at Örebro University launched an International Master’s Program in Information Security Management. The program content was developed in collaboration with industry and governmental partners. One of the challenges with this co-design effort was to elicit the requirements of the courses in the program from a diverse set of actors. Also, an educational program has a finite number of teaching hours, which means that a limited number of requirements, or topics on information security, can be covered. Consequently, there was a need to prioritize between the elicited requirements and make the partners prioritize. To both these ends, we employed the Delphi method. In this chapter, we give an account of the process of eliciting and prioritizing course requirements using an adapted Delphi method. The adopted process included three iterations, for which workshops and surveys were used to collect the necessary data. The implementation has been far from instrumental, and in this chapter we discuss the details related to design choices made and the rationale behind these choices.

Place, publisher, year, edition, pages
Cham: Springer, 2023
National Category
Information Systems, Social aspects
Research subject
Informatics
Identifiers
urn:nbn:se:oru:diva-109018 (URN); 10.1007/978-3-031-24216-8_2 (DOI); 9783031242151 (ISBN); 9783031242168 (ISBN)
Funder
Knowledge Foundation
Available from: 2023-10-17. Created: 2023-10-17. Last updated: 2023-10-17. Bibliographically approved
Denk, T., Hedström, K. & Karlsson, F. (2022). Citizens' attitudes towards automated decision-making. Information Polity, 27(3), 391-408
2022 (English). In: Information Polity, ISSN 1570-1255, E-ISSN 1875-8754, Vol. 27, no 3, p. 391-408. Article in journal (Refereed), Published
Abstract [en]

Public organisations are starting to show an interest in automated decision-making (ADM). So far, existing research focuses on the governmental perspective on this phenomenon. Less attention is paid to citizens' views on ADM. The aim of this study is to provide empirical insights into citizen awareness of and beliefs about ADM in public-sector services. To this end, we participated in an annual national survey in Sweden carried out by the SOM Institute at Gothenburg University, concluding that a minority of the citizens know about the use of ADM in public-sector services. Furthermore, when computers instead of civil servants make decisions in the public sector, citizens expect decisions by computers to become less legally secure but more impartial. They also expect ADM to take personal circumstances into account to a lesser degree and become less transparent. Finally, we found that citizens with that awareness expect decisions by computers to become more reliable and impartial. Based on our empirical findings in relation to previous research, we suggest four hypotheses on citizens' awareness and beliefs about public-sector ADM.

Place, publisher, year, edition, pages
IOS Press, 2022
Keywords
Automated decision-making, public organisations, public administration, attitudes, values, electronic government
National Category
Political Science
Identifiers
urn:nbn:se:oru:diva-101515 (URN); 10.3233/IP-211516 (DOI); 000852884600007 ()
Available from: 2022-09-29. Created: 2022-09-29. Last updated: 2022-10-05. Bibliographically approved
Karlsson, F., Kolkowska, E. & Petersson, J. (2022). Information security policy compliance-eliciting requirements for a computerized software to support value-based compliance analysis. Computers & security (Print), 114, Article ID 102578.
2022 (English). In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 114, article id 102578. Article in journal (Refereed), Published
Abstract [en]

When end users have to prioritize between different rationalities in organisations, there is a risk of non-compliance with information security policies. Thus, in order for information security managers to align information security with the organisations’ core work practices, they need to understand the competing rationalities. The Value-based compliance (VBC) analysis method has been suggested to this end; however, it has proven to be complex and time-consuming. Computerized software may aid this type of analysis and make it more efficient and executable. The purpose of this paper is to elicit a set of requirements for computerized software that supports analysis of competing rationalities in relation to end users’ compliance and non-compliance with information security policies. We employed a design science research approach, drawing on design knowledge on VBC, and elicited 17 user stories. These requirements can direct future research efforts to develop computerized software in this area.

Place, publisher, year, edition, pages
Elsevier, 2022
Keywords
Information security management, Information security policy, Compliance, Computerized support, Value-based compliance
National Category
Information Systems, Social aspects
Research subject
Informatics
Identifiers
urn:nbn:se:oru:diva-96255 (URN); 10.1016/j.cose.2021.102578 (DOI); 000754417100009 (); 2-s2.0-85121671844 (Scopus ID)
Projects
Informationssäkerhetskultur i praktiken
Funder
Swedish Civil Contingencies Agency, 2018-13755
Available from: 2022-01-04. Created: 2022-01-04. Last updated: 2022-03-03. Bibliographically approved
Rostami, E., Karlsson, F. & Gao, S. (2022). Policy Components: A Conceptual Model for Tailoring Information Security Policies. In: Nathan Clarke; Steven Furnell (Ed.), Human Aspects of Information Security and Assurance: 16th IFIP WG 11.12 International Symposium, HAISA 2022, Mytilene, Lesbos, Greece, July 6–8, 2022, Proceedings. Paper presented at 16th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance (HAISA 2022), Mytilene, Lesbos, Greece, July 6-8, 2022 (pp. 265-274). Springer, 658
2022 (English). In: Human Aspects of Information Security and Assurance: 16th IFIP WG 11.12 International Symposium, HAISA 2022, Mytilene, Lesbos, Greece, July 6–8, 2022, Proceedings / [ed] Nathan Clarke; Steven Furnell, Springer, 2022, Vol. 658, p. 265-274. Conference paper, Published paper (Refereed)
Abstract [en]

Today, many business processes are propelled by critical information that needs safeguarding. Procedures on how to achieve this end are found in information security policies (ISPs) that are rarely tailored to different target groups in organizations. The purpose of this paper is therefore to propose a conceptual model of policy components for software that supports modularizing and tailoring of ISPs. We employed design science research to this end. The conceptual model was developed as a Unified Modeling Language class diagram using existing ISPs from public agencies in Sweden. The conceptual model can act as a foundation for developing software to tailor ISPs.

Place, publisher, year, edition, pages
Springer, 2022
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 658
Keywords
Information security policy, Tailored policy design, Conceptual model
National Category
Information Systems, Social aspects
Identifiers
urn:nbn:se:oru:diva-102461 (URN); 10.1007/978-3-031-12172-2_21 (DOI); 000885946500021 (); 2-s2.0-85135024359 (Scopus ID); 9783031121722 (ISBN); 9783031121715 (ISBN)
Conference
16th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance (HAISA 2022), Mytilene, Lesbos, Greece, July 6-8, 2022
Available from: 2022-12-01. Created: 2022-12-01. Last updated: 2023-02-24. Bibliographically approved
Andersson, A., Hedström, K. & Karlsson, F. (2022). “Standardizing information security – a structurational analysis”. Information & Management, 59(3), Article ID 103623.
2022 (English). In: Information & Management, ISSN 0378-7206, E-ISSN 1872-7530, Vol. 59, no 3, article id 103623. Article in journal (Refereed), Published
Abstract [en]

Given that there are an increasing number of information security breaches, organizations are being driven to adopt best practice for coping with attacks. Information security standards are designed to embody best practice and the legitimacy of these standards is a core issue for standardizing organizations. This study uncovers how structures at play in de jure standard development affect the input and throughput legitimacy of standards. We participated as members responsible for standards on information security and our analysis revealed two structures: consensus and warfare. A major implication of the combination of these structures is that legitimacy claims based on appeals to best practice are futile because it is difficult to know which the best practice is.

Place, publisher, year, edition, pages
Elsevier, 2022
Keywords
Standard development, information security, legitimacy, structuration theory, ethnography
National Category
Other Social Sciences
Research subject
Informatics
Identifiers
urn:nbn:se:oru:diva-98294 (URN); 10.1016/j.im.2022.103623 (DOI); 000820172600012 (); 2-s2.0-85125478399 (Scopus ID)
Available from: 2022-03-28. Created: 2022-03-28. Last updated: 2022-08-03. Bibliographically approved
Identifiers
ORCID iD: orcid.org/0000-0002-3265-7627