Organisations use different measures to communicate how information should be handled in a secure way. Examples are information security policies, rules, guidelines and educational material. It is important that a congruent message is communicated in order to maximise the results of these measures. It becomes difficult for employees to know how to act if the communicated goals and ways of working are contradictory.

The aim of the Congruence project was to contribute with tools on how to communicate information security in a consistent and coherent way. The project had two research questions:

  • How to identify when different information security messages and goals are communicated?
  • How can a consistent and coherent communication of information security be supported?

These questions were approached using case studies that included interviews, observations and content analysis of information security policies and rules in Swedish health care. The project resulted in a method to analyse information security and guidelines on how to design information security policies. The method supports analysis of non-compliance with information security rules and makes it possible to identify when contradictory information security messages and goals are communicated. The method can be used to assess if different management systems in an organisation communicate contradictions to the employees. The proposed guidelines support how information security policies can be designed to communicate information security content in a more coherent way.

A future research question is to assess how well the proposed guidelines work in other contexts than health care, which is the context they were originally designed for. It would also be of interest to investigate if these guidelines can be used to support design other types of information security material, such as educational material.

Karlsson F, Hedström K, Goldkuhl G (2017) Practice-Based Discourse Analysis of Information Security Policies. Computers & Security, Volume 67, 267-279.

Kolkowska, E, Karlsson F, Hedström K (2017) Towards analysing the rationale of information security non-compliance: Devising a Value-Based Compliance analysis method. Journal of Strategic Information Systems, Volume 26, Issue 1, 39-57.

Karlsson F, Goldkuhl G, Hedström K. Practice-based Discourse Analysis of InfoSec Policies. In Federatth, H. and Gollmann, D. (Eds.) ICT Systems Security and Privacy Protection - 30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany. Springer, Heidelberg, pp. 297-310.

Karlsson F, Goldkuhl G, Hedström K (2014) Practice-Based Discourse Analysis of Information Security Policy in Health Care. 11th Scandinavian Workshop on E-government (SWEG 2014), February 4-5, Linköping, Sweden.

Hedström K, Karlsson F, Kolkowska E (2017) Utveckling av en praktikanpassad informationssäkerhetspolicy. I Hallberg J, Johansson P, Karlsson F, Lundberg F, Lundgren B, Törner M: Informationssäkerhet och organisationskultur. Studentlitteratur, Lund.

Löfstedt T. (2015) Exploring integrated management systems – challenges and potentials in relation to IT governance, 38th Information Systems Research Seminar in Scandinavia (IRIS38), Oulu, Finland.