An information classification model for public sector organizations in Sweden: a case study of a Swedish municipality

Abstract: Purpose The purpose of this study is to create an information classification model that is tailored to suit the specific needs of public sector organizations in Sweden. Design/methodology/approach To address the purpose of this research, a case study in a Swedish municipality was conducted. Data was collected through a mixture of techniques such as literature, document and website review. Empirical data was collected through interviews with 11 employees working within 7 different sections of the municipality… Show more

“…The classified assets act as the primary input to the risk analysis, which is needed to understand what kind of protection to apply. Conducting information classification is often done with the use of a classification scheme that contains a chosen number of consequence levels and definitions of each level in terms of confidentiality, integrity and availability (Bergquist et al, 2021). It is necessary to define the stated levels clearly; not doing so can result in uneven classifications if there is too much room for interpretation.…”

“…Once the classification of assets is set, the result act as input into the risk assessment where classified information is required to analyze, prioritize and manage risks and apply protection (Bergström and Åhlfeldt, 2014; Everett, 2011; Webb et al , 2014). Thus, it is an essential piece of risk analysis and management within organizations (Bergquist et al , 2021; Everett, 2011; Gerber and Von Solms, 2005). According to Veritas (2015), 54% of data in organizations are unclassified and unlabeled; the result is difficulties in effectively spending and using organizational resources as there is no possibility of applying protection to assets you do not know exist.…”

“…The occurrence of human-organizational problems in information classification has previously been identified (Bergström and Åhlfeldt, 2014), and further investigation has been suggested (Bergquist et al , 2021). This paper presents an analysis of problems to shed light on them from a practice point of view.…”

Problems in information classification: insights from practice

“…The classified assets act as the primary input to the risk analysis, which is needed to understand what kind of protection to apply. Conducting information classification is often done with the use of a classification scheme that contains a chosen number of consequence levels and definitions of each level in terms of confidentiality, integrity and availability (Bergquist et al, 2021). It is necessary to define the stated levels clearly; not doing so can result in uneven classifications if there is too much room for interpretation.…”

“…Once the classification of assets is set, the result act as input into the risk assessment where classified information is required to analyze, prioritize and manage risks and apply protection (Bergström and Åhlfeldt, 2014; Everett, 2011; Webb et al , 2014). Thus, it is an essential piece of risk analysis and management within organizations (Bergquist et al , 2021; Everett, 2011; Gerber and Von Solms, 2005). According to Veritas (2015), 54% of data in organizations are unclassified and unlabeled; the result is difficulties in effectively spending and using organizational resources as there is no possibility of applying protection to assets you do not know exist.…”

“…The occurrence of human-organizational problems in information classification has previously been identified (Bergström and Åhlfeldt, 2014), and further investigation has been suggested (Bergquist et al , 2021). This paper presents an analysis of problems to shed light on them from a practice point of view.…”

Problems in information classification: insights from practice

Cybersecurity and the AI Silver Bullet