Human aspects of information security
Our research on human aspects of information security started around 2005, with an interest in information security management. Our research has since broadened to human aspects of information security, although many elements still have a clear relationship to information security management.

Value-conflicts in information security
We research how conflicting priorities, i.e., goals and values, in employees’ daily work affect information security decisions. Our research has shown that organisations' different management systems, of which the information security management system is one, reward different goals. It means employees must prioritize between different goals because of how management has designed these systems and how well they align. It also means that some of the goal conflicts – not all – can be removed by redesigning management systems and how they are operationalized as procedures. To support the identification of this type of goal conflict in organisations, we have, among other things, developed a method and a computerized tool (so far a prototype).
Key publications
Karlsson, F., & Hedström, K. (2008, December 13). Exploring the conceptual structure of security rationale. AIS SIGSEC Workshop on Information Security & Privacy, WISP 2008, Paris, France.
Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. P. (2011). Value conflicts for information security management. Journal of Strategic Information Systems, 20(4), 373-384. doi.org/10.1016/j.jsis.2011.06.001
Kolkowska, E., Karlsson, F., & Hedström, K. (2017). Towards analysing the rationale of information security noncompliance: Devising a Value-Based Compliance analysis method. Journal of Strategic Information Systems, 26(1), 39-57. doi.org/10.1016/j.jsis.2016.08.005
Karlsson, F., Kolkowska, E., & Petersson, J. (2022). Information Security Policy Compliance - Eliciting Requirements for a Computerized Software to support Value-Based Compliance Analysis. Computers & Security, 114(March 2022), Paper 102578. doi.org/10.1016/j.cose.2021.102578
Information security culture
We research information security culture in different contexts, and have been doing so for more than 10 years. A significant part of this research has been carried out in the framework of two national research programmes: SECURIT and ISKIP. The research has involved studies in different contexts, such as within organisations and in the development of information security standards.
Key publications
Andersson, A., Hedström, K., & Karlsson, F. (2022). Standardizing information security – a structurational analysis. Information & Management, 59(3), Article 103623. doi.org/10.1016/j.im.2022.103623
Andersson, A., Karlsson, F., & Hedström, K. (2020). Consensus versus warfare – unveiling discourses in de jure information security standard development. Computers & Security, Article 102035. doi.org/10.1016/j.cose.2020.102035
Karlsson, F., Åström, J., & Karlsson, M. (2015). Information security culture – state-of-the-art review between 2000 and 2013. Information Management & Computer Security, 23(3), 246-285. doi.org/10.1108/ICS-05-2014-0033
Karlsson, M., Karlsson, F., Åström, J., & Denk, T. (2022). The effect of perceived organizational culture on employees’ information security compliance. Information & Computer Security, 30(3), 382-401. doi.org/10.1108/ICS-06-2021-0073
Information security policy design
We research different ways to improve the design of information security policies used in organisations to guide employees in their daily work. One key reason for employees’ non-compliance with information security rules is the poor design of information security policies. Today many information security policies are difficult to follow, inconsistent, incomplete, or even in conflict with the organisation’s core tasks. During recent years we have developed software, POLCO, that makes it possible to tailor information security policies to different roles in the organisation, moving away from one-size-fits-all policies and presenting only the parts that are relevant to each role. Currently, we are working on how to use large language models to help information security managers improve the content when writing policies.
Key publications
Karlsson, F., Hedström, K., & Goldkuhl, G. (2017). Practice-based discourse analysis of information security policies. Computers & Security, 67(June 2017), 267-279. doi.org/10.1016/j.cose.2016.12.012
Rostami, E., & Karlsson, F. (2024). Qualitative Content Analysis of Actionable Advice in Information Security Policies – Introducing the Keyword Loss of Specificity Metric. Information & Computer Security, 32(4), 492-508. doi.org/10.1108/ICS-10-2023-0187
Rostami, E., Karlsson, F., & Gao, S. (2020). Requirements for computerized tools to design information security policies. Computers & Security, 99(December 2020), Article number 102063. doi.org/10.1016/j.cose.2020.102063
Rostami, E., Karlsson, F., & Shang, G. (2023). Policy components - a conceptual model for modularizing and tailoring of information security policies. Information & Computer Security, 31(3), 331-352. doi.org/10.1108/ICS-10-2022-0160
Information security compliance
We research employees’ compliance with information security rules in organisations, which is a classical area in research on human aspects of information security. Our research in this area is closely linked to our research on value conflicts, since such conflicts are one reason for employees being non-compliant. We are also doing research on different instruments for investigating employees’ non-compliance, which is important for both practitioners and researchers.
Key publications
Hedström, K., Karlsson, F., & Kolkowska, E. (2013). Social action theory for understanding information security non-compliance in hospitals: The importance of user rationale. Information Management & Computer Security, 21(4), 266-287. doi.org/10.1108/IMCS-08-2012-0043
Karlsson, F., Karlsson, M., & Åström, J. (2017). Measuring employees’ compliance – the importance of value pluralism. Information & Computer Security, 25(3), 279-299. doi.org/10.1108/ICS-11-2016-0084
Gerdin, M., Kolkowska, E., & Grönlund, Å. (2024). What goes around comes around: an in-depth analysis of how respondents interpret ISP non-/compliance questionnaire items. Information & Computer Security, 32(4), 459-476. doi.org/10.1108/ICS-12-2023-0240
Gerdin, M., Grönlund, Å., & Kolkowska, E. (2025). Conceptual Inconsistencies in Variable Definitions and Measurement Items within ISP Non-/compliance Research: A systematic literature review. Computers & Security, 152(May 2025), Article 104365. doi.org/10.1016/j.cose.2025.104365
Cybersecurity and citizens
We are researching different ways to increase information security awareness among citizens. This work is connected to our research on information security policy design. The same software that was developed to design tailored policies for employees in organisations (POLCO) can serve as a foundation and be further developed to create information security policies for different segments of the population, aiming to raise their awareness when using online services. Currently, we are exploring how these policies can be tailored to the characteristics of various citizen groups to make the policies more relevant for them.
Key publications
Rostami, E., Hanif, M., Karlsson, F., & Gao, S. (2025). Defining Actionable Advice in Information Security Policies – Guiding Employees to Strengthen Digital Sovereignty of Organizations. Procedia Computer Science, 254, 30-38. doi.org/10.1016/j.procs.2025.02.061
Interorganisational information sharing
We are researching interorganisational information sharing, which is closely associated with information security. Interorganisational information sharing is the process where multiple organisations exchange data, knowledge, or intelligence. Such processes are dependent on harmonizing information security frameworks that are used in the collaborating organisations.
Key publications
Karlsson, F., Frostenson, M., Prenkert, F., Kolkowska, E., & Helin, S. (2017). Inter-organisational information sharing in the public sector: A longitudinal case study on the reshaping of success factors. Government Information Quarterly, 34(4), 567-577. doi.org/10.1016/j.giq.2017.10.007
Karlsson, F., Hedström, K., Frostenson, M., Prenkert, F., Kolkowska, E., & Helin, S. (2021). Attempts to share information between public sector organisations over time: A case-based exploration of value conflicts. Information Polity, 26(3), 289-310. doi.org/10.3233/IP-200234
Karlsson, F., Kolkowska, E., & Prenkert, F. (2016). Inter-organisational information security: a systematic literature review. Information & Computer Security, 24(5), 418-451. doi.org/10.1108/ICS-11-2016-091