The main research efforts carried out within SECURIT are performed in the nine research projects included in the program.
The projects are listed below.
An organisational culture consists of employees’ shared basic values and assumptions about the surrounding world. These values and assumptions govern employees’ actions. Organisational culture is often described as a central part of managing an organisation, and many studies on culture and information security view organisations as rational instruments where management can mould the way employees act. Studies that employ approaches to understand how different patterns of attitudes and values, and hence prioritisations, can differ between contexts are less common.
During disruptive events, such as large-scale fires or epidemic outbreaks, response work is often carried out under significant pressure. In such situations, finding a balance between protecting sensitive information while at the same time enabling the employees to do their job is complex and difficult. This project, Balanced IT-based organizational development, aimed at studying how organizations with a high dependence on information technologies achieve balanced information security. 'Balanced information security', in this context, refers to the organizational and technical arrangements provided to meet the requirements of the organization both in terms of security and efficiency.
Organisations use different measures to communicate how information should be handled in a secure way. Examples are information security policies, rules, guidelines and educational material. It is important that a congruent message is communicated in order to maximise the results of these measures. It becomes difficult for employees to know how to act if the communicated goals and ways of working are contradictory.
Information security work often adopts an inward looking perspective. This means that the interests of individual organizations dominate the development of information security cultures and practices. In this project, we have approached the issue from a wider perspective, analysing the ways in which societal values are understood and taken into account in information security practices and policies.
Many studies on information security culture and information security focus on the work carried out within organisations; they do not pay attention to the work carried out between organisations. This is despite the fact that today’s organisations often work in networks of actors. Collaboration to achieve shared results means that different organisational cultures and ideas about information security meet and potentially collide with each other.
Information security standards reflect “best practices” developed globally by information security experts. Indirectly, these standards have an impact on how information security is developed in different organisations, because they are often used as a point of departure for local information security work. It is, for example, mandatory for Swedish governmental agencies to use the ISO-27000 series when adopting an information security management system.
Electronic information systems in healthcare imply new demands on care professionals, not least concerning upholding information security. The aim of this study was to illuminate and describe how physicians and nurses in healthcare reason in relation to the value conflicts that may arise in their daily work when using electronic information systems. In this way, we wished to illuminate how social norms and the caregivers’ professional values influence information security specifically, and the quality of care in general.
The concepts we use to describe and communicate affect how we think about phenomena. How we think about phenomena affects both research and practice. The project Security Culture has focused on a few concepts central to information security; concepts that are used both in practice and in research.
According to established standards, the information security management of an organization should be based on the assessed information security risks faced by the organization. In practice, the information security level will also depend on the employees’ comprehension and assessment of the information security risks. Therefore, many organizations introduce information security policies to enforce behaviour resulting in adequate levels of information security. Occasionally, the information security goals and the business goals are in conflict. The way these conflicts are handled is decisive for information security as well as for the efficiency of the organization.