During disruptive events, such as large-scale fires or epidemic outbreaks, response work are often achieved under significant pressure. In such situations, finding a balance between protecting sensitive information while at the same time enable the employees to do their job is complex and difficult. This project, Balanced IT-based organizational development, aimed at studying how organizations with high dependence on information technologies achieve balanced information security. 'Balanced information security', in this context, refers to the organizational and technical arrangements provided to meet the requirements of the organization both in terms of security and efficiency.
The question "How is information security accomplished in operative work during societal disturbances?" have provided guidance during the field studies in this project. The field studies included observations of situated work and interviews of the following actors; the fire and rescue services, the health care, the police, the county administrative board, 112-dispatching, and the Swedish civil contingencies agency.
The results from the field studies show that there is a conflict between solving the immediate and urgent tasks that the organization faces while respecting existing information security rules. Individuals with operative responsibility of responding to disruptive events have a very good ability to improvise in their work. In many cases in order to address the problems that require immediate action, such improvisation results in a deviation from the organizations IT-security policies.
The studies also show that there is a need to ensure access to information security skills in the operational response work. At a general level, the results indicate that in terms of how priority is given to information security issues, there is a significant difference between people in core functions of the organizations on the one hand and on the other hand, the experts in charge of information security. These differences seem to affect the development of the information security culture in the organization.
Based on the study results, there are reasons to consider the need for intervention studies in organizations with latent weaknesses in their information security. Such studies could indicate, on the one hand, what kind of measures that might work, but perhaps more importantly, identify which unexpected and perhaps undesirable effects boosted information security measures might result in.
Landgren, J (2017) Informationssäkerhet vid hantering av samhällsstörningar. I Hallberg, J., Johansson, P., Karlsson, F., Lundberg, F., Lundgren, B., Törner, M., Informationssäkerhet och organisationskultur. Studentlitteratur AB, Lund, 79-93
Bergstrand, F., & Stenmark, D. (2016). Leveraging Bystander Reports in Emergency Response Work: Framing Emergency Managers Social Media Use. In 2016 49th Hawaii International Conference on System Sciences (HICSS) (pp. 162-171). IEEE.
Uhr, C., Johansson, B. J., Landgren, J., Holmberg, M., Bynander, F., Koelega, S., & Trnka, J. (2016). Once upon a time in Västmanland - the power of narratives or how the" truth" unfolds. In proceedings of ISCRAM16, Rio de Janerio, Brazil.
Landgren, J. (2015). Organisatorisk förstärkning. I Uhr, C (red.) Att åstadkomma inriktning och samordning – 7 analyser utifrån hanteringen av skogsbranden i Västmanland 2014. Centrum för samhällets resiliens, Lunds universitet, 259-279.