Exploring information security culture within Swedish municipalities : A qualitative study

University essay from Högskolan i Skövde/Institutionen för informationsteknologi

Abstract: The human aspect in the context of security has been a well-debated topic over the last two decades among researchers and practitioners. It has been recognized that technology alone cannot provide full protection, but should be combined with information security culture. This thesis explored how Swedish municipalities address the cultural aspects of information security. In addition, several important aspects and challenges were identified. Interviews were conducted as a data collection method with nine respondents from nine municipalities to gather their insights and experiences on the topic. The material from the interviews was then analyzed by applying thematic analysis. The results of this thesis have shown that most municipalities used what was feasible from the standards for the protection of information. One challenge was finding a balance between security measures and the various operations of the various entities to avoid hindrances to service delivery. With respect to training and awareness, initiatives employed diverse approaches, in some cases customized while in others not. The follow-up on information security culture was conducted using the tool Information Security Check provided by the Swedish Civil Contingencies Agency, along with measurements of security awareness through questionnaires, in some cases customized while in others not. Involving top management included diverse activities with support taking various forms beyond financial and human resources. However, the degree of follow-up, top management involvement, and support exhibited variations and in some cases were lacking. One notable discovery was the importance of educating not only the network of champions but also managers in information security, fostering a symbiotic relationship between the two.
With respect to the lacking aspects, another finding was the importance of leadership and management knowledge/skills, not only essential for people in the security domain but also for other managerial roles in maintaining a positive information security culture.
