
Centre for empirical research on information systems (CERIS)

Human aspects of information security

Our research on human aspects of information security started around 2005, with an interest in information security management. Our research has since broadened to human aspects of information security, although many elements still have a clear relationship to information security management.


Value-conflicts in information security

We research how conflicting priorities, i.e., goals and values, in employees' daily work affect information security decisions. Our research has shown that an organisation's different management systems, of which the information security management system is one, reward different goals. This means employees must prioritise between competing goals because of how management has designed these systems and how well they align. It also means that some of the goal conflicts – not all – can be removed by redesigning the management systems and how they are operationalised as procedures. To support the identification of this type of goal conflict in organisations, we have, among other things, developed a method and a computer aid (so far a prototype) for finding them.

Key publications

Karlsson, F., & Hedström, K. (2008, December 13). Exploring the conceptual structure of security rationale. AIS SIGSEC Workshop on Information Security & Privacy, WISP 2008, Paris, France.

Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. P. (2011). Value conflicts for information security management. Journal of Strategic Information Systems, 20(4), 373-384. doi.org/10.1016/j.jsis.2011.06.001

Kolkowska, E., Karlsson, F., & Hedström, K. (2017). Towards analysing the rationale of information security noncompliance: Devising a Value-Based Compliance analysis method. Journal of Strategic Information Systems, 26(1), 39-57. doi.org/10.1016/j.jsis.2016.08.005

Karlsson, F., Kolkowska, E., & Petersson, J. (2022). Information Security Policy Compliance - Eliciting Requirements for a Computerized Software to support Value-Based Compliance Analysis. Computers & Security, 114(March 2022), Paper 102578. doi.org/10.1016/j.cose.2021.102578

Information security culture

We research information security culture in different contexts, and have been doing so for more than 10 years. A significant part of this research has been carried out within two national research programmes: SECURIT and ISKIP. The research has involved studies in different contexts, such as within organisations and in the development of information security standards.

Key publications

Andersson, A., Hedström, K., & Karlsson, F. (2022). Standardizing information security – a structurational analysis. Information & Management, 59(3), Article 103623. doi.org/10.1016/j.im.2022.103623

Andersson, A., Karlsson, F., & Hedström, K. (2020). Consensus versus warfare – unveiling discourses in de jure information security standard development. Computers & Security, Article 102035. doi.org/10.1016/j.cose.2020.102035

Karlsson, F., Åström, J., & Karlsson, M. (2015). Information security culture – state-of-the-art review between 2000 and 2013. Information Management & Computer Security, 23(3), 246-285. doi.org/10.1108/ICS-05-2014-0033

Karlsson, M., Karlsson, F., Åström, J., & Denk, T. (2022). The effect of perceived organizational culture on employees’ information security compliance. Information & Computer Security, 30(3), 382-401. doi.org/10.1108/ICS-06-2021-0073

Information security policy design

We research different ways to improve the design of the information security policies that organisations use to guide employees in their daily work. One key reason for employees' non-compliance with information security rules is the poor design of information security policies. Today many information security policies are difficult to follow, inconsistent, incomplete, or even in conflict with the organisation's core tasks. In recent years we have developed software, POLCO, that makes it possible to tailor information security policies to different roles in an organisation, moving away from one-size-fits-all policies and presenting only the parts that are relevant to each role. Currently, we are working on how large language models can help information security managers improve the content of the policies they write.

Key publications

Karlsson, F., Hedström, K., & Goldkuhl, G. (2017). Practice-based discourse analysis of information security policies. Computers & Security, 67(June 2017), 267-279. doi.org/10.1016/j.cose.2016.12.012

Rostami, E., & Karlsson, F. (2024). Qualitative Content Analysis of Actionable Advice in Information Security Policies – Introducing the Keyword Loss of Specificity Metric. Information & Computer Security, 32(4), 492-508. doi.org/10.1108/ICS-10-2023-0187

Rostami, E., Karlsson, F., & Gao, S. (2020). Requirements for computerized tools to design information security policies. Computers & Security, 99(December 2020), Article number 102063. doi.org/10.1016/j.cose.2020.102063

Rostami, E., Karlsson, F., & Shang, G. (2023). Policy components - a conceptual model for modularizing and tailoring of information security policies. Information & Computer Security, 31(3), 331-352. doi.org/10.1108/ICS-10-2022-0160

Information security compliance

We research employees' compliance with information security rules in organisations, which is a classical area in research on human aspects of information security. Our research in this area is closely linked to our research on value conflicts, since such conflicts are one reason for employees' non-compliance. We also research the different instruments used to investigate employees' non-compliance, which is important for both practitioners and researchers.

Key publications

Hedström, K., Karlsson, F., & Kolkowska, E. (2013). Social action theory for understanding information security non-compliance in hospitals: The importance of user rationale. Information Management & Computer Security, 21(4), 266-287. doi.org/10.1108/IMCS-08-2012-0043

Karlsson, F., Karlsson, M., & Åström, J. (2017). Measuring employees’ compliance – the importance of value pluralism. Information & Computer Security, 25(3), 279-299. doi.org/10.1108/ICS-11-2016-0084

Gerdin, M., Kolkowska, E., & Grönlund, Å. (2024). What goes around comes around: an in-depth analysis of how respondents interpret ISP non-/compliance questionnaire items. Information & Computer Security, 32(4), 459-476. doi.org/10.1108/ICS-12-2023-0240

Gerdin, M., Grönlund, Å., & Kolkowska, E. (2025). Conceptual Inconsistencies in Variable Definitions and Measurement Items within ISP Non-/compliance Research: A systematic literature review. Computers & Security, 152(May 2025), Article 104365. doi.org/10.1016/j.cose.2025.104365

Cybersecurity and citizens

We are researching different ways to increase information security awareness among citizens. This work is connected to our research on information security policy design. The same software that was developed to design tailored policies for employees in organisations (POLCO) can serve as a foundation and be further developed to create information security policies for different segments of the population, aiming to raise their awareness when using online services. Currently, we are exploring how these policies can be tailored to the characteristics of various citizen groups to make them more relevant to each group.

Key publications

Rostami, E., Hanif, M., Karlsson, F., & Gao, S. (2025). Defining Actionable Advice in Information Security Policies – Guiding Employees to Strengthen Digital Sovereignty of Organizations. Procedia Computer Science, 254, 30-38. doi.org/10.1016/j.procs.2025.02.061

Interorganisational information sharing

We are researching interorganisational information sharing, which is closely associated with information security. Interorganisational information sharing is the process whereby multiple organisations exchange data, knowledge, or intelligence. Such processes depend on harmonising the information security frameworks used in the collaborating organisations.

Key publications

Karlsson, F., Frostenson, M., Prenkert, F., Kolkowska, E., & Helin, S. (2017). Inter-organisational information sharing in the public sector: A longitudinal case study on the reshaping of success factors. Government Information Quarterly, 34(4), 567-577. doi.org/10.1016/j.giq.2017.10.007

Karlsson, F., Hedström, K., Frostenson, M., Prenkert, F., Kolkowska, E., & Helin, S. (2021). Attempts to share information between public sector organisations over time: A case-based exploration of value conflicts. Information Polity, 26(3), 289-310. doi.org/10.3233/IP-200234

Karlsson, F., Kolkowska, E., & Prenkert, F. (2016). Inter-organisational information security: a systematic literature review. Information and Computer Security, 24(5), 418-451. doi.org/10.1108/ICS-11-2016-091