
Information Security Culture and Threat Perception:

Comprehension and awareness of latent threats in organisational settings concerned with information security

Author: Erik Lambe

Political Science C (Bachelor Thesis)

Department of Government

Uppsala University, spring 2018

Supervisor: Charlotta Friedner Parrat

Words: 13 722

Pages: 40

Abstract

A new challenge for organisations in the 21st century is how they should ensure information security in a time and environment where the widespread use of Information Communication Technologies (ICTs), such as smartphones, means that information has been made vulnerable in numerous new ways. Recent research on information security has focused on information security culture and how to successfully communicate security standards within an organisation. This study aims to examine how latent threats to information security are conceptualised and examined within an organisation in which information security is important.

Since threats posed by ICTs are said to be latent, this study explores what role the inclusion of threat conceptualisation can play in understanding what constitutes an efficacious information security culture when the intention is to ensure information security.

The study focuses on the Swedish armed forces, and compares how threats to information security posed by interaction with private ICTs are communicated in information security policies with how they are conceptualised by the members of the organisation.

Through interviews conducted with service members, the findings of this study indicate that it is possible to successfully communicate the contents of information security policies without mandating the members of the organisation to read the sources themselves. Furthermore, the study identified a feature of information security culture, in this paper called supererogatory vigilance to threats to information security, which might be of interest for future studies in this area, since it offers adaptive protection against new threats to information security that goes beyond what the established sources protect against.

Keywords: Information security; information security culture; information security policy; administration; policy implementation; latent threats; ICT; dynamic frame analysis

Table of contents

1. Introduction ........ 1
1.1 Background ........ 1
1.2 Research question ........ 3
1.3 Case selection ........ 4
1.4 Delimitations ........ 5
1.5 Contribution to the field of study ........ 5
1.6 Prior research ........ 6
2. Theoretical approach ........ 8
2.1 The latent nature of threats to information security ........ 8
2.2 Social constructivism ........ 8
3. Material and methods ........ 10
3.1 Dynamic Frame analysis ........ 10
3.2. Frame analysis ........ 11
3.2.1 Frame analysis: method ........ 11
3.2.2 Frame analysis: material ........ 13
3.3. Interviews ........ 15
3.3.1 Interviews: method ........ 15
3.3.1 Interviews: material ........ 17
4. Results ........ 19
4.1 Results of the Frame analysis ........ 19
4.2 Results of the interviews ........ 24
5. Discussion & Conclusions ........ 32
5.1 “There is more than one way to cook an egg”: communicating information security within organisations ........ 32
5.2 Supererogatory vigilance to threats of information security ........ 33
5.3 Conclusion ........ 35
5.4 Suggestion for future studies on supererogatory vigilance to threats to information security ........ 36
5.5 Concluding remarks ........ 38
6. References ........ 39

1. Introduction

1.1 Background

In the early months of 2018 the US military high command faced a difficult revelation concerning their ongoing operations. A large number of members of the US armed forces were users of Strava, a fitness application for smartphones, much akin to the popular Runkeeper in Sweden, which can track and log training sessions and display these sessions on a world map with satellite imaging. As late as January 2018, it was pointed out that, since Strava had a large number of users in the US armed forces, it was now possible to map out secret US army bases around the world with the use of publicly available information from Strava. By simply documenting their workouts along the fences of these bases on the app, service members had unwittingly divulged not only the locations but also the size and layouts of hitherto secret US army bases in Afghanistan, Djibouti and Syria. However, by the time of this realisation, the information was already out and available for anyone interested.[1]

Discussing how to prevent sensitive information from organisations[2] falling into (or making it likely that it will fall into) the wrong hands would in a modern setting take us to the discussion on Information Security. The exact definition of Information Security remains an open question, but a strong contender, the “Appropriate Access” (AA) definition, seems to avoid many pitfalls of its predecessor, known as the “CIA” definition. The older CIA definition holds that information is secure if it retains a certain set of properties (defined by the organisation) concerning Confidentiality, Integrity and Availability. Conversely, the AA definition states that: “an information system I is secure for a stakeholder H if and only if: for every agent A, and every part P of I, A has just the appropriate access to P relative to H.”[3] This definition focuses on appropriateness, rather than a set number of criteria to be fulfilled, and can thus account for cases where information security is put at risk even though all the properties recognised by the old CIA definition are maintained.[4]

[1] Hern, A. “Fitness tracking app Strava gives away top secret US bases” in The Guardian (28/1-2018)
[2] I will understand an organisation as “a formal group of people who share a mission and an arrangement to structure roles, relationships, and activities” in line with Waltz, Ed, (2006)
[3] Lundgren, B. & Möller, N. (2017) Defining Information Security, pp.10-11
[4] To give an example of how the CIA definition could be found wanting, such a definition would have to hold that an individual who has access to certain information without breaking the criteria put forth would not risk information security, even if he is in the process of setting up a meeting with adversary actors in order to sell the information: it is only after the act of selling the information that information security is threatened according to this definition. Conversely, the AA definition that focuses on appropriateness can account for inappropriate attitudes as well as behaviours prior to a breach of information security.

This notion about appropriate access for agents interacting with an information system has met a new challenge in the late 20th and early 21st century, when easy and common access to computers, smartphones and other digital devices, popularly categorized as Information Communication Technologies,[5] or ICTs for short, would prove to become a concern for those wishing to minimize the spread of sensitive information that could harm the security of organisations or imperil their goals.

Given the importance of ICTs to our society, these systems are surely here to stay. One important objective is to understand the challenges posed by ICTs to information security within organisations.

The Swedish Civil Contingency Agency in coordination with the Swedish Defence Research Agency started the project SECURIT in 2012. The project postulated that a mere focus on technical solutions, such as firewalls, within organisations would be insufficient to meet current challenges and threats to information security.[6] The aforementioned Strava incident should serve as a useful example: no firewall can prevent information from spreading if members of an organisation willingly download and use an application that facilitates the spread of sensitive information. Furthermore, as technical solutions to combat threats to information security improve, such as more advanced firewalls, adversarial actors looking to gather sensitive information instead turn to social vulnerabilities in the systems.[7] To further this point, other studies on information security have concluded that most security breaches are due to the actions of the employees of an organisation, rather than external breaches.[8] Therefore the SECURIT project would explore how the behaviour, norms and practices of the members of an organisation might affect information security. As such, they would focus on what they would come to call Information security culture and its relationship with Information security. In this project, Information security culture would be defined as:

[5] Definitions of what an ICT is are usually highly technical in nature. For simplicity, it will in this text be used to denote modern ICTs: more specifically digital objects that can interact (i.e. communicate) with other digital objects and process data. A cellphone would be considered an ICT in this text; the two cans one conceivably could piece together with a piece of string would not. This definition of modern ICTs is in line with how, for example, philosophers like Floridi distinguish modern ICTs. See for example Floridi, L. (2014) The 4th Revolution pp.5-6
[6] Hallberg, J. (2017) Informationssäkerhet och Organisationskultur, pp.12-13
[7] Ibid. p.11
[8] Karlsson, F. & Goldkuhl, G. & Hedström, K. (2016) Practice-Based Discourse Analysis of InfoSec Policies, p.267

“Shared patterns of thought, behaviour, and values that arise and evolve within a social group, based on communicative processes influenced by internal and external requirements, are conveyed to new members and have implications on information security.”[9]

The aim of the SECURIT project was to address a number of topics and themes related to information security culture and its impact on information security. One theme identified was “how is information security culture communicated and interpreted when the intention is to ensure information security in an organisation?”[10] In this paper I will focus on a research question related to this theme.

1.2 Research question

The prior studies in the SECURIT project on the previously mentioned theme have focused on what factors contribute to an individual’s compliance with information security policies, i.e. “direction-giving document[s] for defining acceptable behaviour for employees [in order to] establish information security practices in an organisation”.[11] In this study I will focus on a factor that has been brought up outside of the SECURIT project, namely how individuals conceptualise the threats posed by ICTs to information security, and how this relates to information security culture.[12] Outside of the SECURIT project, threat conceptualisation has been suggested to play an important role when interacting with ICTs, since these threats have been described as latent (see section 2.1).

The research question in this paper is: what could studying threat conceptualisation within an organisation tell us about how information security culture is communicated and interpreted? Before we move on, allow me to make the following clarifications regarding the research question.

[9] Swedish Defence Research Agency (2017-05-08) SECURIT - A Short Presentation, p.1
[10] Swedish Defence Research Agency (2012) Security Culture and Information Technology
[11] Karlsson, F. & Goldkuhl, G. & Hedström, K. (2016) Practice-Based Discourse Analysis of InfoSec Policies pp.268-269
[12] Imagine for example that an information security policy states that “x is a threat to information security, therefore avoid doing y”. Previous research in the SECURIT project has studied the output behaviour concerning compliance once the member of an organisation is faced with such a statement. This paper will instead focus on the conceptualisation of x and y in the sources (information security policies) and the conceptualisations of x and y by the people to whom the policies apply.

First, by stating “within an organisation” I mean two things:

i) By the direction-giving documents for defining acceptable behaviour for employees in the organisation, i.e. the information security policies, and

ii) By the members of the organisation.

Second, if there are any differences between (i) and (ii), what would such differences tell us about the information security culture that is studied? What can they tell us about the communicative and interpretative elements of information security culture? This will be a descriptive study, with the aim of providing potential future studies with material through analysing the empirical material that will be collected.

1.3 Case selection

A common approach to case selection is to select a case that can be seen as especially relevant to the study at hand.[13] Since we are looking for an organisation to which information security is important, and which likewise has the intention to ensure information security, this paper will focus on the Swedish armed forces. The Swedish armed forces is an organisation which, by virtue of its objectives and nature, values information security. As stated in the preface to their handbook on information security, it is organisational doctrine to safeguard information regarding capabilities and intentions.[14] I will argue that the Swedish armed forces can be viewed as a most likely case for finding corresponding conceptualisations of threats to information security in the existing policies and in the understanding of these threats by the members of the organisation, meaning that the chance of finding anything beyond what is expected is low.[15] Members of the armed forces are expected to follow orders, and the handbook on information security explicitly states that there is no room for deviant local policies in different regiments.[16] To find any deviation at all between how a threat is perceived in the policies and how it is perceived by the people affected by the policies is therefore arguably unlikely.

[13] Teorell, J. & Svensson, T. (2007) Att fråga och att svara, p.154
[14] Försvarsmakten (2013) Handbok Säkerhetstjänst Informationssäkerhet, p.5
[15] Teorell, J. & Svensson, T. (2007) Att fråga och att svara, p.154
[16] Ibid. p.364

1.4 Delimitations

It should be noted that this study will focus only on how private ICTs and activities connected to private ICTs are conceptualised as threats to information security within the Swedish armed forces. This is due to prudence: limiting the scope of the study to private ICTs like personal smartphones and personal usage of applications will ensure that there is no risk of involving any material that might be conceived of as sensitive (due to, for example, confidentiality issues) in the empirical material collected and analysed.

1.5 Contribution to the field of study

Since this paper will focus on how policies are understood by individuals subjected to them, we will be in the field of administration and policy implementation. There is a gap between adopted policies in an organisational or political setting and how adopted policies are implemented: the ways in which implementation of a policy can deviate from what was originally intended are of interest when studying administration.[17] Furthermore, studying the conceptualisations of ICT threats is of importance to implementation, since the conceptualisation of these specific threats has been theorised elsewhere, as we shall see, to set the limits and reach of responses to these threats.[18]

Furthermore, in addressing this research question I will evaluate an unquestioned assumption in the existing information security policy research within the SECURIT project, as well as show that a theory designed for another purpose in one literature can be applied to this literature to add to the understanding of the original problem, thus making a contribution to the field that is studied.[19]

[17] Hertting, N. (2014) Implementering: perspektiv och mekanismer, p.185
[18] See section 2.1 below on the theoretical framework concerning “latent” threats to information security.
[19] King, G. & Keohane, R. & Verba, S. (1994) Improving Research Questions, pp.16-17

1.6 Prior research

Several studies that can be considered to fall into the area and theme of “how information security culture is communicated and interpreted when the intention is to ensure information security in an organisation” had been undertaken before the SECURIT project. For example, earlier studies in this area have focused on what items to include in information security policies. It was noted, however, that the research before SECURIT had a weakness: “few empirical studies have sought to address the communicative quality of information security policies”.[20] Therefore, the contributions made to address this during the SECURIT project were to explore how one could improve the impact information security policies had on the behaviour of the members of the organisation by collecting and analysing empirical data. Three research papers on this theme, listed below, have been published based on the SECURIT project.

In the study Practice-based discourse analysis in information security policies, the authors interviewed staff working in the health care sector[21] and produced a list of eight quality criteria for policies that are more likely to be adhered to.[22] These criteria, which stressed the importance of policies providing clear duties and expectations of employees while avoiding formulations that lead to conflicts between organisational goals, can according to the authors be used as a checklist when formulating information security policies that are more likely to be adhered to.

To understand why information security policies are not adhered to, Törner & Nilsson & Pousette concluded that one explanation could be that these policies sometimes were ignored in a work environment where they were in opposition to professional values, in particular where these professional values were held in high regard: doctors and nurses that were interviewed reported that they understood the health and well-being of their patients to have a prima facie value over other values. This meant that they would ignore an information security policy that came into conflict with this prima facie value. In this specific case, whenever the health and well-being of their patients were put in danger by existing information security policies, it was commonplace and accepted by the staff to simply ignore the conflicting information security policies.[23]

In another study conducted to examine why information security policies are not adhered to, the researchers compiled findings from several other studies to explore what variables could statistically explain non-compliance with information security policies.[24] Their findings showed that no variable that they studied could by itself offer an explanation as to why members would comply or neglect to comply with an information security policy. However, several factors could together explain why some people would refrain from following the policies in place.[25] The perceived costs and benefits to the organisation when complying with the policies; the perceived costs and benefits to the individual when complying with the policies; the perceived norms of the organisation; and a low level of knowledge about threats to information security were all shown to be factors of importance.[26]

To summarize, the empirical studies undertaken during the SECURIT project focused mainly on why a member of an organisation that is exposed to an information security policy will comply or neglect to comply with the information security policy. An underlying and unquestioned assumption here is that a member of an organisation that is exposed to the information security policy understands what it entails and what it demands, and that the “output” behaviour of the member is due to the factors involved in the situation he or she is faced with.

[20] Karlsson, F. & Goldkuhl, G. & Hedström, K. (2016) Practice-Based Discourse Analysis of InfoSec Policies p.269
[21] Ibid. p.270
[22] Ibid. p.277
[23] Törner, M. & Nilsson, M. & Pousette, A. (2017) Värdekonflikter och Problemlösning i sjukvårdens informationshantering, p.134
[24] Sommestad, T. & Hallberg, J. & Karlzen, H. (2017) Varför följer användarna inte bestämmelserna? pp.159-160
[25] Ibid. p.170
[26] Ibid. pp.163-167

2. Theoretical approach

2.1 The latent nature of threats to information security

It has been proposed that most threats that ICTs pose to information security must first be conceptualised by a person before they have reason to change their behaviour in any meaningful way. This is due to a peculiar feature of the threats ICTs pose: they are latent. Compared to other threats, they remain hidden unless attention brings them into a person’s awareness.[27] To use a simple analogy, they differ from the “threat of touching a hot stove”: regardless of whether a person is warned about the dangers of a hot stove or not, they will receive some sort of “sensory feedback” once they neglect to avoid touching the stove when it is hot. Such a threat is a threat, but not a latent one, since the user will find out about the threat when exposed. On the other hand, an ICT that acts as a conduit or instrument to collect sensitive information from an organisation can remain hidden without creating any “sensory feedback” in the same manner, until some informant calls attention to the fact that the ICT in question is a risk. The reader can recall the example of Strava in the beginning: no sensory feedback warned the service members of the US army while they used the application to document their training routine; the security breach only became “real” for them once it was brought to attention that the particular threat to information security existed. Take this notion of latent threats and its implication: there is not necessarily[28] a way of knowing if non-compliance with an information security policy really does lead to information leaks. Sometimes there is no sensory feedback, that is, until maybe a journalist uncovers her next scoop, or the whistle-blower at the next data-mining company comes forward. By that time it is too late. What guides behaviour regarding interactions with ICTs, if this is the case, are ideas about what kinds of threats “are out there”.

2.2 Social constructivism

A theoretical approach that is suitable when studying how a certain phenomenon might be differently understood by people with different ideas is social constructivism. Early proponents of this theory postulated that “[e]veryday life presents itself as a reality interpreted by [humans] and [is] subjectively meaningful to them as a coherent world.”[29] In other words, they understood human beings as entities that through interpretation of ideas attempted to make sense of what they experienced and the challenges they faced in their everyday life. What should be studied in order to understand behaviour according to this theory is “reality as it is available to the common sense of the ordinary members of society.”[30] In more contemporary writings, social constructivism has been summarized as holding three central claims:

“First, meaning and knowledge is created in a social process, i.e. that the material reality must be interpreted and put into words or symbols in order to be made aware to others within the social community. Events can happen independently of human awareness: it is only in a social context in which we create and use language, as well as interpret the events, that we give said events meaning.

Second, social constructivism subscribes to the ontological claim that the social world is created by human beings through the creation of knowledge and meaning.

Third and last, the theory holds that there is an interaction between the production of knowledge and the creation of what the individuals perceive of as the world. Since we create meaning through interpretation and the creation and usage of language, ideas that are shared by many people might end up perceived of as the “real” world for individuals exposed to these ideas.”[31] (My translation)

As one can note from the above, social constructivism holds that people in a certain setting, or members of a certain organisation, create the “reality of their everyday life”, and that this reality can create both the boundaries and the possibilities of their actions with the material world.[32] It is through these theoretical lenses that we will observe what “reality” is created by the written information security policies concerning private ICTs in the Swedish armed forces, as well as what “reality” is perceived by members of the organisation.

[27] Floridi, L. (2014) The Latent Nature of Global Information Warfare, pp.318-319
[28] This is not to say that there never is feedback: for example, your anti-virus software might react to the file or application you willingly downloaded.

[29] Berger, P. & Luckmann, T. (1966) The Social Construction of Reality, p.33
[30] Ibid. p.33
[31] Eriksson, J. (2011) Strider om Mening: En Dynamisk frameanalys av den svenska sexköpslagen, pp.19-20
[32] Ibid. p.21

3. Material and methods

3.1 Dynamic Frame analysis

In order to answer the research question posed above, I will utilize a method called dynamic frame analysis. The method was put forth as a corrective to approaching social problems without including the actors in the analysis, which treats a social problem as an “independently existing object”.[33] The method studies ideas about policies not only by looking at how a certain policy is framed in written sources, but also at how it is framed by the actors involved in creating, or subjected to, these sources.[34] This method has been used by Eriksson (2011) when exploring (and explaining) the factors at work behind policy development. In this study, I will use the same method to compare how the sources (i.e. established information security policies) conceptualise threats to information security with how the actual members of the organisation conceptualise these threats, with the intention of creating a descriptive account of what will be uncovered.

A dynamic frame analysis builds on three assumptions: i) that ideas should be understood and studied as social constructions, which are created in a dynamic process; ii) that actors are included in the analysis as units capable of creating meaning; and iii) that ideas are considered to both enable and hinder actors in different ways, and that this interaction is studied explicitly.[35]

As such, I will conduct a frame analysis of the information security policies put forth by the Swedish Armed Forces to examine how the issues concerning private ICTs and information security are framed therein, and then conduct a series of interviews in order to include the actors in the analysis, thus making this endeavour a dynamic frame analysis. I will begin by breaking down how the frame analysis of the information security policies in the Swedish armed forces will be conducted, and what material will be used, followed by explaining how the interviews were structured and carried out.

[33] Eriksson, J. (2011) Strider om Mening: En Dynamisk frameanalys av den svenska sexköpslagen p.26
[34] Ibid. p.38
[35] Ibid. p.28

11

3.2. Frame analysis

When conducting a frame analysis one considers that the phenomenon analysed is framed in a

certain way: and one way of framing a certain phenomenon is just one of many different ways

in which it potentially could be framed. The frame itself might affect how the phenomenon

can be interpreted by actors and organisations, and in turn have effects on how actors and

organisations can and will respond to the phenomenon.36 In this study, a frame analysis will

be used to understand how the written information security policies in the Swedish defence

force conceptualises the threats posed by private ICTs.

3.2.1 Frame analysis: method

In order to conduct a frame analysis in a structured manner one should first create a set of

analytical questions which can be used not only to approach the material in a systematic

manner, but also to provide the study with systematically ordered data that can be analysed

and compared. These analytical questions should be contextually suitable in relation to the

subject that is studied.37 They typically include questions such as “how is the problem

portrayed, i.e. what kind of problem it is, and for whom”; “what different subjects or agents

are to be found in the frame”; “how is the cause of the problem framed”; and “what solution is

proposed as a counter to the problem”?38

In order to create a set of analytical questions that are contextually suitable for this frame

analysis on information security policies and the guidelines that they produce, I will turn to

Information Warfare and Organizational Decision-Making (2007), a collection of texts on

how to play offence in the domain of information security. It was written especially with the

new possibilities of collecting information from new sources such as ICTs in mind.39 Using this book

as a source, the following three analytical questions are proposed when approaching the

material:

36 Esaiasson, P. et al. (2012) Metodpraktikan: Konsten att studera samhälle, individ och marknad, p.218

37 Ibid. p.218

38 Ibid. pp.218-219

39 Kott, A. (2007) Information Warfare and Organizational Decision-Making, p.ix

1. What private ICTs, or what activity/interaction with private ICTs are the subject of the

guidelines?

The first question serves two purposes. First, it recognises that different ICTs, and different

activities with ICTs can have different vulnerabilities that can be used to collect information40

and as such are in need of specific guidelines to be countered. For example, some activities

with ICTs make possible the collection of data used for data mining, or network analysis,41

while other activities might make it possible to monitor the location of an individual within an

organisation, or provide access to actions or transactions of individuals within the

organisation that can be used to assess or map out the capabilities and resources of the

organisation.42 Second, this question will create different categories that guidelines can fall

under in this study, thus offering both a structured way of approaching the other

questions and, for the reader, an easy overview of the different private ICTs and

activities with private ICTs that this study has explored.

2. What is the recognised threat to information security?

Another way of putting this question is “how could sensitive information be made vulnerable

by disregarding the guidelines”? Sensitive information can be made vulnerable in different

ways: for example, there is a difference between storing sensitive information in a setting in

which it is at risk of collection by other actors through intrusion or security breaches, and

storing sensitive information in a setting in which it can be reached as open source

information publicly available to other actors interacting with the same service or

platform.43 The Strava incident represents an example of information that could be collected

by virtue of that information being publicly available to other actors interacting with the

same service. People interacting with ICTs can also be tempted to store sensitive information

in settings in which it can be accessed through intrusions. The problem is then not only that

the intrusion could happen (again, that is a problem concerning people designing firewalls and

malware protection) but the behaviour, akin to negligence, in storing sensitive information in

40 Waltz, E. (2007) Know Thy Enemy: Acquisition, Representation, and Management of Knowledge About Adversary Organizations, p.2

41 Kelton, K. et al. (2007) Learning from the Enemy: Approaches to Identifying and Modelling the Hidden Enemy Organisation, p.36

42 Ibid. p.42

43 Waltz, E. (2007) Know Thy Enemy: Acquisition, Representation, and Management of Knowledge About Adversary Organizations, p.7

settings which are recognised by an involved party44 as being significantly vulnerable to

intrusion.

3. What solution is proposed as a counter to the problem?

The third and final question is self-explanatory and is the same as the fourth standard question

listed earlier in this section since it does not need any contextual revisions to be made

relevant. This question is supposed to capture what is framed as necessary in order to avoid

the threat recognised in (2) above.

Before we move on, let me first acknowledge some potential weaknesses with the literature

used in order to create the analytical questions for the frame analysis.

First and foremost, the book was published in 2007. This means that it might be outdated. The

second weakness of using a text like this to structure up a set of analytical questions has to do

with the theoretical approach of social constructivism that I am relying on: such an act will

surely mean that I as a researcher will be part of creating the social reality which I am

studying. It should be noted that my findings will partly be a result of the analytical tool I as a

researcher created for this study.45 The above is not a reason to find the approach wanting on

its own: rather it is something a social constructivist has to accept as a matter of fact when

conducting research. Being transparent not only with the capabilities, but also the limitations

of an analytical tool, will make it possible for readers to both understand and evaluate the tool

from the standpoint of validity, i.e. whether or not the analytical questions posed in this

section accurately measure what they intend to measure.46

3.2.2 Frame analysis: material

In order to identify which information security policies concern private ICTs in the

Swedish armed forces, an attempt was made to find all material on the subject matter. The

Swedish armed forces usually provide guidelines on non-classified subjects to employees

through handbooks that are available as open sources. Two of these, Handbok Säkerhetstjänst

44 By reference to the AA definition (see section 1.1 above), this recognition could come from either the stakeholder (when we are dealing with the organisation's proposed information security policies) or from the agents interacting with the information system (when we are dealing with the employee interpretation of the information security policies). In this paper, the frame analysis will deal with the former, the interviews with the latter.

45 Eriksson, J. (2011) Strider om Mening: En Dynamisk frameanalys av den svenska sexköpslagen, p.20

46 Teorell, J. & Svensson, T. (2007) Att fråga och att svara, p.59

Informationssäkerhet and Handbok i Sociala Medier were identified as containing

information of interest. Furthermore, an excerpt from the internal network of the Swedish

armed forces, called Emilia, concerning mobile devices was also deemed to contain

important information. As such, an official request was made to HKV (the Swedish armed

forces' headquarters), and the information could be collected once the request was granted.

The material collected for the frame analysis included:

1. The Swedish armed forces Handbok Säkerhetstjänst Informationssäkerhet, or the

“Handbook on information security” released in 2013.

2. The Swedish armed forces Handbok i Sociala Medier, or the “Handbook on social

media”, released in 2013.

3. An excerpt from the internal network Emilia of the Swedish armed forces, Instruktion

för användning av mobila enheter, mobiltelefoni och mobila teletjänster i

försvarsmakten, or “Instructions for using mobile devices, cellphones and mobile

telecommunication in the armed forces”, released in 2013.

Two points about the material used are worth mentioning. First, information pertaining to

information security and ICTs is spread out across different documents in the organisation

studied. This is to be expected in a large organisation. By listing what documents are being

studied I want to bring attention to where information has been collected. These were all the

sources that were identified as interesting for the study, but there is also a possibility that

additional information is available in other documents. Second, the information security

policies that were of interest to the study from these sources only concerned the usage of and

interaction with private ICTs: no policies regarding interaction with ICTs within the

organisation were of interest, out of prudence towards the Swedish defence force, since such a

choice would mean that the interviews carried out later would have to include questions

regarding organisation-related ICTs. While not a necessary outcome, this would run the risk

of taking the study into the territory of confidential information if the interviewees did

not watch their words. As such the only information extracted from the sources concerned the

interaction with private ICTs and disregarded any and all mentions of interactions with

organisational ICTs. These two factors are important to point out, since the sources used and

what information was extracted from them set the possibilities, but also the limits, of the

scope of the study, thus affecting the reliability of the frame analysis. Being transparent

about how these sources have been used ensures the reliability of the frame analysis: that

other researchers using the same sources in the same way will be able to arrive at the same

conclusions.47

Furthermore, the information security policies are all collected from sources dating back to

2013, which is interesting given that this means that the Swedish defence force has not since

updated the handbooks or guidelines.

3.3. Interviews

Interviews are recognised as a method that can be used to obtain information about

individuals' understanding of phenomena in the world.48 In order to gain knowledge about

how members of the Swedish armed forces understand what specific threats there might be to

information security (linked to the usage of private ICTs) and how they conceptualise these

threats, interviews were conducted with active members of the organisation.

3.3.1 Interviews: method

In order for an interview to provide the researcher with good data, the interviewee must be

able to talk freely about a subject they can adequately engage in. Thus they need to both

understand the questions posed and feel comfortable enough to offer responses to the

questions.49

To ensure that the interviews would produce good data, the interviews conducted were

semi-structured. This entails that a set of formulated questions was asked of every

interviewee, while the follow-up questions depended on their respective answers. As such,

every interview has the capacity to provide unique information, yet still cover the same

themes.50

Furthermore, each interview included four different stages: an introduction, a set of

background questions, the interview questions and finally the concluding questions. This way

of structuring an interview has been suggested in order to both build trust with the interviewee

47 Teorell, J. & Svensson, T. (2007) Att fråga och att svara, p.59

48 Esaiasson, P. et al. (2012) Metodpraktikan: Konsten att studera samhälle, individ och marknad, pp.261-262

49 Teorell, J. & Svensson, T. (2007) Att fråga och att svara, p.90

50 Brounéus, Karen, (2011) In-depth interviewing: The process skill and ethics of interviews in peace research, p.130

as well as ensuring that they are able to provide the researcher with information at each

stage.51

In order to allow the interviewee to speak freely about the subject, the interview began by

informing the interviewee that the study will comply with the four requirements adhered to by

the Swedish Research Council. As such, the interviewee was informed about the general

purpose of the study; that their participation is anonymous and voluntary; and that the data

collected will only be used in this study. Finally, each interviewee was asked to give consent

to their participation in the interview.52 This was followed by background questions meant to

prepare the interviewee for the upcoming intellectually demanding questions focusing on

several themes concerning information security and private ICTs.53 Before the focus turned to

the themes, a short introduction to the concept of information security was provided to make

sure that the interviewee understood the matter at hand. The themes made sure that the

interviewee talked about the specific ICTs and activities linked to ICTs covered by the written

information security policies. The thematic approach also provided opportunities for the

interviewee to speak freely about other potential threats to information security linked to

private ICTs. In a final step, the interview concluded with questions on whether the

respondents would like to add something that had not been covered by the interview, or whether they

wanted to clarify something said earlier.

There is a risk that the information gathered from interviews is skewed. For example, interviewees

might provide answers that they think are expected; they might have difficulties recalling

events correctly; and they might misunderstand the questions. Such matters would affect the

validity of the inferences drawn from the interviews.54 The structure of the interview guide

minimized these risks by offering each interviewee anonymity, an introduction to what the

subject of information security is, as well as follow up questions when needed.

51 Brounéus, Karen, (2011) In-depth interviewing: The process skill and ethics of interviews in peace research, p.139

52 Vetenskapsrådet, (2002) Forskningsetiska principer inom humanistisk-samhällsvetenskaplig forskning, pp.7-15

53 See the interview guide in the appendix for a comprehensive list of these themes.

54 Brounéus, Karen, (2011) In-depth interviewing: The process skill and ethics of interviews in peace research, p.135

It is also possible that the researcher’s interpretation of the statements provided colours or

shapes the results and conclusions.55 In order to provide transparency and to support the

interview results, quotes are presented in section 4.2.

3.3.2 Interviews: material

The interviewees need to be experienced and knowledgeable in the subject area.56 This meant

that the interviews were going to be conducted with people with experience of working in the

Swedish armed forces. In an initial outreach to identify potential interviewees, several

regiments were contacted. However, the regiments that could accommodate interviews could

only do so on a date after the conclusion of the study. Because of this, requests through

colleagues and the university were sent out to other parts of the organisation. These requests

resulted in four interviews with interviewees that had been employed in the Swedish armed

forces between eight months and eleven years. The study included both soldiers and officers

of different ranks. The interviews were conducted face-to-face whenever it was possible and

in some cases, when the distance to the interviewee was too great and time constraints

demanded it, carried out over the phone. Each interview lasted between 23 and 49 minutes

depending on how much each interviewee had to talk about the subject. All interviews were

recorded and transcribed.

The difficulty in finding interviewees for this project may reflect the subject under study. An

interview concerning security issues can be deemed sensitive in an organisation such as the

Swedish armed forces, since divulging potential confidential information, however

unwittingly, is a criminal offence.

As such, all the interviewees that participated were comfortable doing so, either on the basis

of many years of experience and in knowing what they could and could not say in an

interview, or by virtue of having nothing confidential that they could even potentially divulge.

However, some approached individuals declined participation because they felt

uncomfortable discussing a subject that sounded remotely security-related. Thus, the study

lost potential interviewees because the subject was perceived as potentially sensitive.

Because of this, information was obtained from people with a certain set of knowledge,

55 Eriksson, J. (2011) Strider om Mening: En Dynamisk frameanalys av den svenska sexköpslagen, p.54

56 Brounéus, Karen, (2011) In-depth interviewing: The process skill and ethics of interviews in peace research, p.134

potentially affecting the representativeness of the interviews if we want to generalise the

results to the population of employees in the Swedish armed forces. However, to generalise

the results to a larger population was not an ambition since the study had an exploratory

ambition. It needs mentioning that the individuals comfortable enough to

participate in interviews may be more inclined to approach the subject in a certain way. Thus

it cannot be excluded that selection bias has affected the results.57

Another limitation of the interview portion of this study was the small number of

interviewees: only four persons could be interviewed within the timeframe and resources

available. This was due both to the sensitivity of the subject and to time

constraints. Because of conflicting schedules, several interviewees could only participate on a

later date after this study would conclude. There is no set number of interviews needed in a

small descriptive study, but the fewer interviews carried out, the more weight is given to

an individual interviewee, thereby inviting potential outliers to have a

disproportionate impact on the results.58 Nevertheless the information gathered from a small

number of interviews can still be used to formulate new hypotheses that can be tested in

future studies.59

Even though the study faced potential selection bias caused by issues with access, I hope that

the above will make the boundaries and limitations of the research transparent, and clarify

“what kind of contribution this study is to the research subject”.60

57 Teorell, J. & Svensson, T. (2007) Att fråga och att svara, p.69

58 Brounéus, Karen, (2011) In-depth interviewing: The process skill and ethics of interviews in peace research, p.135

59 Ibid. p.131

60 Ibid. p.135

4. Results

4.1 Results of the Frame analysis

The frame analysis consisted of three questions:

1. What private ICTs, or what activity/interaction with private ICTs, are the subjects of the

guidelines?

2. What is the recognised threat to information security?

3. What solution is proposed to counter the problem?

Below, I will summarize what guidelines are to be found in the information security policies

concerning the interaction of private ICTs and information security. Each guideline will be

given a letter and categorized under a suitable heading to provide the reader with a systematic

overview.

The first set of guidelines concerns the interaction with private mobile devices. With a mobile

device the information security policies mean both smartphones and tablets. It is noted that:

The increasing use of smartphones and tablets in combination with a merger of the

professional and private sphere, entails that the organisation's information and

information assets are exposed in a new way through the mobile devices.61 (My

translation)

Two guidelines are listed specifically for private mobile devices:

Guideline A) Private mobile devices

1. Using a private mobile device vulnerable to intrusion.

2. Information stored in a private mobile device could be reached through intrusion caused by

the user downloading malware through apps, files, or by visiting certain websites.62

3. The user should not store nor talk about sensitive information on a private mobile device.63

61 Försvarsmakten (2013) Instruktion för användning av mobila enheter, mobiltelefoni och mobila teletjänster i försvarsmakten, p.1

62 Ibid. p.2

63 Ibid. p.4

Guideline A) informs the user that any mobile device should be treated as though it is, or

could be, breached, and as such precautions should always be taken regarding

what is stored on the mobile device, as well as what is discussed on it.

Guideline B) Private mobile devices

1. Using a private mobile device with microphones.

2. The microphones on a private mobile device can be used to monitor conversations

unbeknownst to the user.64

3. Private mobile devices should not be brought into meetings where classified information is

discussed.65

Guideline B) informs the user that a mobile device should be treated as a receiver that can

collect information through sounds in the vicinity of the devices’ microphone.

The second set of guidelines is related to the first set of guidelines in the sense that this is a

subcategory to the first. This category concerns the usage of applications, i.e. software (or

programs) that can be downloaded to private ICTs.

This category contains “social media”, i.e. applications characterised by the fact that they offer

their users:

Network-based meeting places which make possible the exchange of information

and an advanced form of communication between humans. […] [I]t is the users

themselves that create the content on social media.66 (My translation)

There are numerous guidelines for these forms of applications concerning proper conduct, and

usage of these from a work-ethical perspective. For example, the users should always consider

that they are subject to the basic values and principles of the organisation when on social

media. The usage of social media during work hours, if done without breaking any other

64 Försvarsmakten (2013) Instruktion för användning av mobila enheter, mobiltelefoni och mobila teletjänster i försvarsmakten, p.4

65 Ibid. p.4

66 Försvarsmakten (2013) Handbok Sociala Medier, p.9

guidelines, is acceptable as long as this does not impede the activities of the organisation or

the duties of the employee.67 Guidelines of this sort will not be included below since this

study is only concerned with the guidelines in place to maintain information security.

Guideline C) The usage of applications

1. The interaction with photo or video sharing applications

2. Information about protected properties or sensitive material can be given away by means of

photography and filming.68

3. Never upload pictures or video of a protected property or of sensitive material.69

Guideline D) The usage of applications

1. Using applications that make use of geotagging, i.e. recording geographical information

about the current location of the user.

2. Information about the organisation, its facilities and its employees can be gathered from

collecting geotagging data.70

3. Do not use or activate applications that use geotagging on or in close proximity to protected

property or military installations.71

This guideline suggests that the Swedish armed forces in 2013 formulated an information

security guideline that would, if followed, have avoided Strava-like incidents in the Swedish

armed forces.

Guideline E) The usage of applications

1. Using applications that store personal information.

2. A lack of understanding of the privacy settings in an application might mean that you

unwittingly divulge more information than you know.72

3. Actively adjust your privacy settings so that you know what information you make public

on social media: keep yourself updated on changes the site makes regarding privacy.73

67 Försvarsmakten (2013) Handbok Säkerhetstjänst Informationssäkerhet, p.278

68 Försvarsmakten (2013) Handbok Sociala Medier, pp.17 & 21

69 Ibid. pp.17 & 21

70 Ibid. p.30

71 Ibid. p.30

72 Ibid. p.16

73 Ibid. p.16

Guideline F) The usage of applications

1. Publishing information about your experiences or engaging in conversations on social

media.

2. Publishing information about your experiences, or engaging in conversations on social

media that gives away information about ongoing operations, exercises, whereabouts of units

and their schedules, equipment, capabilities or rotation and leave can endanger the

organisation or its employees.74

3. When you publish information or engage in conversations online, formulate yourself in

such a manner that you do not give away information about ongoing operations, exercises,

whereabouts and times, equipment, capabilities or rotation and leave.75 Be on the lookout for

unknown individuals who are trying to engage in conversations about sensitive subject

matters.76

The third set of guidelines refers to the usage of private e-mail services.

Guideline G) Private e-mail services

1. The usage of a private e-mail service.

2. Sending e-mails through a private e-mail should be treated as open information.77

3. Private e-mails should not contain classified or sensitive information.78

While private e-mail services usually allow private accounts for users, the guidelines

suggest that the security of these services is non-existent. The handbook even goes so far as

to tell the end user that sending information in an e-mail through a private e-mail service is to

be likened with sending the same information on a postcard79 – if intercepted anyone can

collect what information you have divulged.

74 Försvarsmakten (2013) Handbok Sociala Medier, p.28

75 Ibid. p.28

76 Ibid. p.27

77 Försvarsmakten (2013) Handbok Säkerhetstjänst Informationssäkerhet, p.272

78 Ibid. p.276

79 Ibid. p.275

The fourth set of guidelines concerns uploading information and files to the internet in

general.

Guideline H) Uploading information to the internet

1. Uploading information to the internet: perpetuity and accessibility

2. Information stored online should always be presumed to always remain available there,

regardless of whether the user deletes it after some time. Information stored online should also be

presumed to always remain accessible there, regardless of the protection it was under when it

first was uploaded.80

3. Never upload sensitive information, regardless of where it is stored online.81

Summary of the frame analysis

To provide the reader with an overview, the guidelines regarding private ICTs and

information security can be found summarized in table 1 below:

Table 1: Overview of the results of the frame analysis on guidelines concerning private ICTs and information

security in the Swedish armed forces.

80 Försvarsmakten (2013) Handbok Sociala Medier, p.29

81 Ibid. p.29

4.2 Results of the interviews

In the previous section the guidelines regarding interaction with private ICTs in the

information security policies were outlined. The interviewees’ awareness of latent threats

linked to private mobile devices, the usage of applications, the usage of private e-mails and

usage of internet will be accounted for in this section. I will refer back to the specific

guidelines listed in the previous section when necessary.

The interviews were carried out in Swedish. In this section I will present selected quotes that

were typical for all the interviewees or, when otherwise noted, quotes that were unique

for certain interviewees. The reader should note that all quotes presented below, in English,

are my own translations of the original quotes. The transcriptions were coded with the

following symbols:

R: Researcher.

I1: Interviewee 1, with four years of experience in the organisation.

I2: Interviewee 2, with eleven years of experience in the organisation.

I3: Interviewee 3, with four years of experience in the organisation.

I4: Interviewee 4, with eight months of experience in the organisation.

[…]: Skipped part of a statement

[word]: Changed wording to ensure complete anonymity.

– : Speech pauses.

The interviewees on using private mobile devices

Guideline (A) regarding the risks involved with intrusions on mobile devices was the first

thing that came to mind when discussing information security with an interviewee:

I4: When you download an application to a private device you usually give your

consent for that application to assess or access other parts of your device. So let us

say that you have an application that you believe to be secure – let’s say a bank

application, in which you trust – and then you install another program on your

device. If they coexist on the same device, it would in theory be possible for one

application to reach the other application. So when you, let us say, download an

Angry Bird game or whatever you could do, then you should recognise that you

then act like you have the same level of trust for the Angry Bird game application

as you have for your bank application – in theory. Which in and of itself might be

hard to comprehend since a lot of other things in life are separated from one

another. You think “now I’m going to the bank” – that’s one thing; “now I’m

going to the arcade” – that’s another thing. But in a computer all applications

inhabit the same space, and it is hard to separate the different parts security-wise.

This threat was recognised as especially dire for mobile devices:

I4: […] [I]t just gets worse with smartphones which you can download all manner

of crap on – and also because smartphones gets more and more important

applications such as bank-applications, and all the info – all the phone numbers;

names; all the information about all the Wi-Fi networks your phone has connected

to and so on. So there is a lot to gain – but substantially a lot to lose – by

downloading an application.

As such, these statements can be seen as indicative of an understanding that mobile devices

are particularly vulnerable to malware, just as the guideline states.

The second guideline listed regarding the usage of mobile devices (B) concerned the risk

that information could be collected through the microphone. One interviewee, who has

worked in the organisation since before the 2013 guidelines on information security were

introduced, notes that:

I2: We just presume that all mobile devices are compromised. […] [W]hen I

started working [in the organisation] no one thought about it – everyone used to

bring their phones in to the office and in to the meeting rooms and so forth.

The above quote shows that the interviewee has perceived the threat as it is described in

the information security policy concerning private mobile devices, but it is also an indication

that the apprehension of this threat is fairly new.

As such, the threats to information security described in guideline (A) and (B) have both been

recognised by the interviewees.

The interviewees on using applications and social media

Making sure that the pictures and videos one uploads to social media or shares through a

file-sharing app do not threaten information security, as outlined in

guideline (C), was identified as an important objective by the interviewees:

I4: You could either make the active decision to never post anything, but if you

choose to upload – then you need to think about it carefully: what is allowed and

what isn’t?

The interviewees mentioned that there were several reasons for thinking carefully about what

pictures to upload. One had to consider prudence, since you, as a member, always represent

the organisation at large; and one had to consider whether or not the pictures or videos

contained any sensitive information.

Geotagging, as outlined in guideline (D), was recognised by all interviewees as a threat to

information security:

I3: To map out the location which I’m currently in, if the application through the

use of networks or location services that I as a user must utilize – or allow access

for – if such an application is mapping out my movements, then it might be like in

every circumstance, a risk involved with that, if you as an individual are targeted by

someone with ill intentions, […] but if we turn to the military perspective we can

see another risk connected to divulging sensitive information or like, divulging

where military units are located, how we move, where we are in the country,

where we conduct field exercises, when we conduct field exercises, how we

conduct field exercises.

The interviewee recognised as such that there were specific reasons for the organisation to

deter its members from using geotagging, and that sensitive information could be divulged

concerning the organisation through this service.


When discussing how one is using social media, the interviewees reported that they all used

Facebook, but that they usually attempt to keep it as private as possible.

I2: [I] have chosen to keep my Facebook profile as private as possible. […] I have

thought about that – to make sure to keep it as private as possible.

They all expressed a need to use the privacy settings in order to ensure that they did not share more online than they intended, as guideline (E) recommends. Some interviewees, as we shall see below, went even further than that.

The risk of divulging information about ongoing operations, exercises, and the whereabouts and schedules of units, either by publishing it or by engaging in conversations on websites or social media, as outlined in guideline (F), was also well recognised:

I2: “It’s what we do right now and where we are” – that’s the sensitive stuff. So if I’m […] on a field exercise then I can’t share that “now we are […] on this field exercise”. That’s not very smart. We never do that – we think twice. And I exhort that my employees take heed of this as well, so we try to think about it.

As such, guidelines (C), (D), (E) and (F) were all recognised by the interviewees as well. An interesting addition to the above is that they also went on to report additional threats to information security that follow from interaction with or usage of applications.

Interviewees 1 and 3 mentioned the recent Cambridge Analytica scandal as something to take into account as well, as has already been mentioned.

I1: It is like the recent revelations in the news, about [Zuckerberg] who shared personal information with different companies […].

R: Ah– you’re thinking about the Cambridge Analytica Scandal?

I1: Yes

And:


I3: […] Facebook is distinct from other forms of social media – even if we

disregard the obvious risk that Facebook now has showcased through the

Cambridge [Analytica] scandal […].

Interviewees 1 and 3 both identified that the privacy settings on the social media site Facebook are not always what they seem to be. This is an identification of a specific vulnerability that recently made it into public awareness and that goes beyond what guideline (E) suggests to be adequate behaviour on social media if one wishes to ensure information security.

Also noteworthy was interviewee 2, who reported that he and his colleagues had learned from experience to be extra vigilant when using social media before and during large exercises:

I2: Just before certain field exercises begin I tend to receive a lot of friend

requests. It is usually from accounts with normal names, and when you click on

the profile then you’ll see this good looking model with four friends on Facebook,

and that’s when you realise that it is a fake profile. And we have been able to see

especially during [a large field exercise] and shortly before, that a really large

amount of friend requests were sent to me and other colleagues.

This in turn coloured his view on dating apps:

I2: Well, I haven’t used one personally […]. And it is a tremendously useful tool

for an intelligence gathering organisation.

R: I was thinking about what you mentioned earlier about what kind of friend

requests you were receiving. A malicious actor seems to specifically try to attract

people by using profiles featuring good looking women?

I2: Yes, that is the way it is. I’ve discussed this with my colleagues as well, and

everyone seems to be getting this. One can see a pattern.

All people interviewed stated that dating apps and social media posed threats to information security through what information you as a user uploaded in pictures and text, and what information you gave away through geotagging. But only interviewee 2 identified a need for extra vigilance against attempts by fake accounts, usually featuring good looking women, to actively contact users in the armed forces, especially before and during field exercises. For example, this was interviewee 4’s outlook on the same subject:

I4: [T]hen we begin to wander into the domain of conspiracy-theories. It might be

the case that there are people who actively search for soldiers and attempt to

initiate a fake relationship in order to milk them for classified information and

such. Or just collect general metadata about their lives so to speak. Now, I’m –

I’m not handling any classified information, so for me it would not matter. Sure, it

could work, but I don’t believe that not using a dating app would have prevented

that from happening so to speak, even though it would make the endeavour more

difficult.

Other interviewees raised the possibility that this could happen, but referred to it as a possibility rather than a reality, at least for them. Interviewee 4 even went so far as to suggest that such a threat sounds like a conspiracy theory.

Alertness to these kinds of risks, or the will to react to them, is according to interviewee 2 due not only to his own experiences but also to a generational gap:

I2: I think that there is a generational difference here. The older people, they were

active back in the 80s when things happened, but back then we didn’t have

Facebook and computers like that. I feel like younger people expose themselves

more.

As such we can see that when it comes to applications and social media, not only do the interviewees have a good grasp of guidelines (C)-(F), but some of them also suggested that there were additional threats to information security to take into account.

The interviewees on using private e-mails

Regarding guideline (G), the interviewees all responded that a private e-mail address should only be used for non-work-related material.

I2: […] [Y]ou simply do not discuss work in a private e-mail. I never do.


And:

I4: My private [e-mail] is my private and I use it accordingly.

R: So you don’t use it for anything work related?

I4: Correct.

One interviewee summarized why this was the case as follows:

I1: […] everything you write there should be seen as something anyone can or

could get ahold of, and that is something that you have to keep in mind […]

As we can see from the above quotes, the behaviour towards private e-mail services, and the reason why such behaviour is necessary, overlap with the content of the guideline.

The interviewees on using the internet

The final guideline identified in the frame analysis, (H), states that members of the armed forces should assume that information uploaded to the internet can always become accessible, and will persist over time. This was no strange concept to the interviewees either. To exemplify this, interviewee 1 maintained that information, once uploaded, is there forever:

I1: Then [the information] exists in the ether and there is no way to take it back

again, and it is to be thought of as open access information […] anyone can access

it through some work.

The interviewees and their interaction with the handbooks and guidelines

An interesting state of affairs that became evident during the interviews was that, even though

the interviewees showed a great level of knowledge that corresponded with the guidelines

derived from the information security policies, only one interviewee had previously read one

of the handbooks that were the basis of the questions:


I1: I am pretty sure that I’ve read “Handbok Säkerhetstjänst och

informationssäkerhet”. […] But “Handbok sociala medier” I do not recognise.

To the other interviewees, the existence of the handbooks seemed to be a surprise, even though they reportedly felt confident about the subjects and themes the handbooks cover. As one interviewee put it:

I3: I believe myself to have a very good grasp of the concept of information

security in the defence force. However, I have not read any of the handbooks that

deals with private usage of ICTs and certainly not anything regarding

applications.

At first glance, this might seem perplexing: how could they have gained knowledge about the contents of the information security policies if they had not seen the policies before? There is of course the chance that the interviewees forgot about coming across them. But the response of one interviewee might hint at something different:

I2: […] I’m pretty sure I’ve come into contact with these texts before through

[other forms of internal training].

He went on to elaborate that the sheer number of handbooks in the organisation sometimes makes reading through them all cover to cover implausible or difficult:

I2: There are a lot of handbooks like these in the Swedish defence force dealing with all manner of subjects so it is a bit – a lot of people find it quite tiresome to read through texts like these, at the same time as people working with security think that this subject is the most important thing there is. And in between there somewhere is maybe the truth.

That the content of the information security policies corresponds so well with the interviewees’ conceptualisation of threats related to the usage of private ICTs is thus, for the interviewees in this study, not the result of reading through the handbooks cover to cover, but rather of engaging in other activities (such as internal training courses) that help shape their understanding of information security.


5. Discussion & Conclusions

Two interesting takeaways can be drawn from the results presented in section 4. Below I will present these takeaways and argue for how the interviews might provide valuable information to a future study wishing to move from a descriptive ambition to an explanatory goal, in order to further the understanding of the findings of this study.

5.1 “There is more than one way to cook an egg”: communicating information security

within organisations

One of the more comforting assertions that can be made from comparing the contents of the policies with what was collected in the interviews is that there was a convergence between how the established information security policies described the threats posed by private ICTs to information security and how these threats were apprehended in the interviews. Some interviewees almost repeated word for word the phrasings used in the different handbooks and texts on information security. This was especially interesting since almost no interviewees had any recollection of coming into contact with the actual handbooks containing the official guidelines: at most, one interviewee could recall once coming into contact with one handbook, and another interviewee could recall that excerpts from these books had been used in other forms of internal training.

It should be noted that this study cannot claim that this is the general state of affairs in the organisation studied: the few interviewees can hardly represent such a large organisation. What can be concluded are rather two descriptive facts: the content of the sources (the information security policies) and the perceptions of the people subject to those sources i) can overlap, and ii) can overlap without the people subject to the sources having to consume the texts in the sources. Allow me to expand on these points:

There is not much to be said about (i). If anything, it tells us that the content of the information security policies, albeit dealing with latent threats, is still comprehensible enough to be accurately understood by the people interviewed here who were subject to the policies.


The second point (ii) might be a relief for a security manager. To say that you can learn about a subject in other ways than by reading books and texts might sound obvious. But the takeaway here is that we can see from our interviewees that it is possible to communicate an information security culture that lives up to the demands of the information security policies among members of an organisation by engaging them in other forms of learning than mandating them to read through large handbooks. Take it from someone who has read them: the handbooks are hardly page turners. To hope that the written guidelines would be consumed as texts in order to be followed might be a fool’s errand, especially in an environment with people who, as one interviewee put it, often find it tiresome to constantly read different handbooks on various subjects. It should be calming that awareness and behaviour among staff in an organisation can be shaped successfully to fall in line with the established policies through other means than simply mandating everyone to read through large amounts of information.

5.2 Supererogatory vigilance to threats of information security

As mentioned earlier, the written information security policies of the organisation studied date back to 2013, five years before the time of this writing. An interesting finding of the interviews was that the members of the organisation not only had a good grasp of these established policies, but that they sometimes also went “over and beyond” the policies and recognised threats to information security that were not outlined in the original policies. This study offers two examples.

First, some interviewees showed knowledge of the recent revelations concerning the Cambridge Analytica scandal, i.e. that information about the user and user activity on the social media site Facebook previously thought to be covered by privacy settings need not be private.82 This specific threat is not accounted for by the handbook on social media, which states that, even though one should not upload certain material nor post certain information on social media, such sites can be a useful space to be in as long as you set your privacy settings accordingly. One could say that the interviewees have here identified a threat that went over and beyond what is called for in guideline (E), which offers guidance on social media sites.

82 Cadwalldr, Carole & Graham-Harrison, Emma, “Revealed: 50 million Facebook profiles harvested for

Cambridge Analytica in major data breach” from The Guardian (2018-03-17)


Second, another interviewee raised concerns that individuals in the armed forces ran the risk of being contacted by fake profiles of a certain kind through social media, and that this threat is heightened under certain circumstances (in this particular case in close proximity to, or during, larger field exercises). Again, to be clear, the handbook on social media does, in guideline (F), warn against engaging in conversations online where information about the organisation might be divulged. It even warns against attempts from unknown individuals to establish contact. But the interviewee had in this instance shown vigilance that was “over and beyond”: the details of what the threat entails, how it manifests and under what circumstances it is likely to manifest are more comprehensive than anything found in the handbooks.

In both instances, the interviewees called attention to the need to take these threats seriously for information security reasons; and in both instances, these threats and their specific framings were not covered in the information security policies of the organisation. Instead these threats were additions to what was covered in the policies. I will call the behaviour these interviewees have expressed examples of supererogatory vigilance to threats to information security. I use the word supererogatory to denote that the vigilance I here wish to point out is beyond what is required by the guidelines of the established policies, yet seen as necessary in order to ensure the goals of the policies, i.e. ensuring information security.

Let us not forget what the aim of the SECURIT project was: to study information security

culture, i.e. “shared patterns of thought, behaviour, and values that arise and evolve within a

social group, based on communicative processes influenced by internal and external

requirements, are conveyed to new members and have implications on information security.”

Supererogatory vigilance to threats to information security might have a role to play in

information security culture that might be of interest for future studies.

Studying under what conditions supererogatory vigilance to threats to information security thrives might give an organisation an extra “safety net” against the loss of sensitive information. Communicating what constitutes necessary behaviour via policies might ensure that important information is given to each and every member of the organisation. But updating a policy or set of policies can be, depending on the organisation, both time- and resource-demanding, not to mention that the policy or policies might then have to be re-implemented for the change to have an effect. As such, studying supererogatory vigilance to threats to information security, so that organisations can in the long run implement the conditions for it to take hold, might be an effective way for organisations to ensure that their members react quickly to new threats even before the old policies have been updated.

To neglect to study under what conditions supererogatory vigilance to threats to information security thrives might carry risks with it. If left unexplored, this phenomenon might exist in varying degrees in different departments of an organisation; different groups might be able to discern certain threats to information security while others fail to do so, potentially leaving some parts of the organisation less responsive to, or less apprehensive of, new threats to information security than others, and consequently more vulnerable to information leaks.

5.3 Conclusion

We can now return to the question asked at the beginning of this paper, namely: what could studying threat conceptualisation within an organisation tell us about how information security culture is communicated and interpreted?

The findings of this study could describe two items that might be of interest for someone to

study to understand how information security culture is communicated and interpreted.

1. The correspondence between the content of information security policies and people’s understanding of the latent threats described in these policies: that the threats described in the established information security policies are correctly understood by the people subjected to them.

The first item that should interest a researcher is whether there is a correspondence between the content of information security policies and people’s understanding of the threats outlined in these policies. This is to ensure that the standards set by the organisation actually have the potential to take hold. The second question might be how one can effectively create such a correspondence in an organisation. What this study can conclude, without any claim to offer explanations as to how, is that it is possible to create this correspondence without mandating the people subject to the policies to read through the sources. Information security policies can be successfully communicated through information security culture without relying on large quantities of text distributed to everyone in an organisation.

The second item concerns the expressions of supererogatory vigilance that could be found

among some of the interviewees.

2. The conditions for supererogatory vigilance to threats to information security: an information security culture in which the members of an organisation that has the intention to ensure information security take it upon themselves to adapt and recognise new latent threats to information security.

The second item that should interest a researcher who wants to understand how information

security culture is communicated and interpreted if the intention is to ensure information

security, is how one can encourage supererogatory vigilance to threats to information security

in an information security culture. To understand how this item might take hold in an

information security culture and how to successfully encourage it might have the potential of

adding an additional, adaptive protective layer against new threats to information security.

5.4 Suggestions for future studies on supererogatory vigilance to threats to information security

In the interviews, several interviewees mentioned factors that they implicitly or explicitly thought led them to express supererogatory vigilance to threats to information security. This study has had a descriptive aim, with no intention of proving or in any way evaluating causation. But I will here make suggestions for future studies whose aim would be to explain what motivates supererogatory vigilance to threats to information security. It is up to a future study to determine which factors actually carry weight in explaining why an individual’s perception of threats goes beyond what is divulged in the stated policies. Drawing from the interviews carried out in this study, I suggest that a future explanatory study on the subject might want to include (at least) the following as potential candidates for independent variables to explain the driving forces behind an adaptive information security culture:

1. News consumption

Two interviewees expressed the belief that one should take into account the recent revelations from the newly uncovered Cambridge Analytica scandal when one is on Facebook, and one of these interviewees mentioned that they had learned this from following the news. As such, news consumption might be a factor that can be explored in a future study that wishes to understand why supererogatory vigilance to threats to information security arises.

2. Discussing threats to information security with colleagues, or experiences of threats to

information security

One interviewee had identified the risk of malicious actors attempting to collect sensitive information online from members of the organisation, either by attempting to draw members of the organisation into conversations or by outright befriending them on Facebook and other social media. Discussing this with colleagues at the time, they concluded that this was a risk, given how many were affected by the same out-of-the-ordinary events occurring in close proximity to and during larger exercises. He also pointed out that contact with individuals who had worked in the organisation during the Cold War, “when things happened”, could be an explanatory factor. This suggests that i) a social climate in which concerns about threats to information security are raised and discussed among colleagues, as well as ii) the actual experience of threats and the retelling of these experiences, might help make certain threats feel more real than others.

It should be noted that (1)-(2) above do not claim to be an exhaustive list of potential independent variables of interest to a future study that wishes to draw conclusions regarding the conditions under which supererogatory vigilance to threats to information security can exist, but they could provide such a study with at least some interesting starting points to expand from.


5.5 Concluding remarks

I would like to end on a positive note. Recent years have proven that ICTs and our interaction with them can seriously imperil not only our own privacy but also the information security of important organisations. Even so, we should not feel that we are at a crossroads where we have to choose between being either luddites or at the complete mercy of our smartphones and computers.

As this study has shown, people can successfully gain knowledge about threats that are latent, and in so doing acquire both the motivation and the means to combat these threats. Even more positively, some people in this study have managed to react to threats in a more adaptive manner than simply learning from the existing policies: they have shown that it is possible to act in the interest of the goals of a certain policy yet adopt behaviours that are beyond what is demanded of them in the policy guidelines. Further exploration of the conditions under which such supererogatory behaviour thrives might give us the tools necessary to, both as private citizens and as organisations, comfortably move further into the age of information and ICTs.


6. References

Berger, Peter & Luckmann, Thomas (1966). The Social Construction of Reality: A Treatise in the

Sociology of Knowledge. 1991 ed., Clay Ltd: Penguin Books.

Brounéus, Karen (2011). In-depth interviewing: The process skill and ethics of interviews in peace

research, Routledge.

Cadwalldr, Carole & Graham-Harrison, Emma ‘Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach’ from The Guardian (2018-03-17) accessible from https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election (accessed 2018-04-30 15:39 UTC+1)

Erikson, Josefina (2011) Strider om Mening: En Dynamisk frameanalys av den svenska

sexköpslagen. Uppsala University: Department of Political Science

Esaiasson, Peter & Gilljam, Mikael & Oscarsson, Henrik & Wängnerud, Lena (2012) Metodpraktikan: Konsten att studera samhälle, individ och marknad. 5th edition. Stockholm: Norstedts Juridik AB.

Floridi, Luciano (2014). The 4th Revolution: How the Infosphere is Reshaping Human Reality.

Oxford: Oxford University Press.

Floridi, Luciano (2014) ”The Latent Nature of Global Information Warfare”, from Philosophy & Technology 27:3, accessible from: https://link.springer.com/article/10.1007%2Fs13347-014-0171-x (accessed 2017-11-21 09:52 UTC+1)

Försvarsmakten (2013) Handbok för sociala medier, accessible from: https://www.forsvarsmakten.se/siteassets/4-om-myndigheten/dokumentfiler/handbocker/handbok-sociala-medier.pdf (accessed 2018-03-01 12:12 UTC+1)

Försvarsmakten (2013) Handbok Säkerhetstjänst Informationssäkerhet, accessible from: https://www.forsvarsmakten.se/siteassets/4-om-myndigheten/dokumentfiler/handbocker/handbok-sak-infosak-andring-2.pdf (accessed 2018-03-01 12:25 UTC+1)

Försvarsmakten, Instruktion för användning av mobila enheter, mobiltelefoni och mobila

teletjänster i Försvarsmakten, from Emilia (2013-04-10), 15 670:55958

Hallberg, Jonas (2017) Informationssäkerhet och Organisationskultur, Studentlitteratur AB:Lund

Hern, Alex “Fitness tracking app Strava gives away top secret US bases” from The Guardian (2018-01-28) available from https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases (accessed 2018-02-01 14:53 UTC+1)

Hertting, Nils, Implementering: Perspektiv och Mekanismer, from Rothstein, Bo (ed.) (2014)

Politik som Organisation, Studentlitteratur AB: Lund


Karlsson, Fredrik & Goldkuhl, Göran & Hedström, Karin (2016) Practice-Based Discourse Analysis of InfoSec Policies, accessible from https://www.sciencedirect.com/science/article/pii/S0167404816301833?via%3Dihub (accessed 2018-03-27 09:42 UTC+1)

Karlsson, Fredrik & Kolkowska, Ella & Prenkert, Frans (2015) Inter-organisational information security: a systematic literature review, accessible from https://www.emeraldinsight.com/doi/pdfplus/10.1108/ICS-11-2016-091 (accessed 2018-03-27 11:23 UTC+1)

Kelton, Kari & Levchuk, Georgiy & Levchuk, Yuri & Meirina, Candra & Pattipati, Krishna & Singh, Satnam & Willet, Peter & Yu, Feili “Learning from the Enemy: Approaches to Identifying and Modelling the Hidden Enemy Organisation”, from Kott, Alexander (ed.) (2007) Information Warfare and Organizational Decision-Making, Artech House: Norwood, Massachusetts

King, Gary, Keohane, Robert & Verba, Sidney (1994) “Improving Research Questions.” Excerpt

from Designing Social Inquiry. Princeton: Princeton University Press. Pages 14-19

Kott, Alexander (ed.), (2007) Information Warfare and Organizational Decision-Making, Artech

House: Norwood: Massachusetts

Lundgren, Björn & Möller, Niklas (2017) Defining Information Security, accessible from https://link.springer.com/article/10.1007%2Fs11948-017-9992-1 (accessed 2018-03-27 10:13 UTC+1)

Sommestad, Teodor & Hallberg, Jonas & Karlzen, Henrik (2017) Varför följer användarna inte

bestämmelserna? from Hallberg, Jonas (ed.) Informationssäkerhet och Organisationskultur,

Studentlitteratur AB: Lund

Swedish Defence Research Agency (2017-05-08) SECURIT - A Short Presentation, accessible from https://www.foi.se/download/18.2bc30cfb157f5e989c364/1494239078110/SECURIT.pdf (accessed 2018-04-01 09:07 UTC+1)

Swedish Defence Research Agency (2012) Security Culture and Information Technology, accessible from https://www.foi.se/var-kunskap/informationssakerhet-och-kommunikation/informationssakerhet/projekt/security-culture-and-information-technology.html (accessed 2018-05-13 11:23 UTC+1)

Teorell, Jan, & Svensson, Torsten (2007) Att fråga och att svara, 4th ed. Malmö: Liber AB

Vetenskapsrådet, (2002) Forskningsetiska principer inom humanistisk-samhällsvetenskaplig

forskning

Waltz, Ed, “Know Thy Enemy: Acquisition, Representation, and Management of Knowledge

About Adversary Organizations”, from Kott, Alexander (ed.), (2007) Information Warfare

and Organizational Decision-Making, Artech House: Norwood: Massachusetts