However, implementing security controls (technical as well as administrative) that actually mitigate risk requires a sound strategic understanding of the relevant context: what needs to be protected, and the current threats and vulnerabilities against it. To this end, theories, methods, and tools for operational management are needed, together with knowledge of how to reduce risk systematically and continuously to an acceptable level through tactical security controls. Information security is therefore more than a set of security controls; it needs to be understood as a socio-technical system that includes people, technology, and infrastructure.
The Information Security research at the division of Digital Services and Systems spans strategic, operational, and tactical perspectives. The research aims to understand, develop, and disseminate knowledge about the socio-technical factors that affect information security from these three perspectives, at the individual, organizational, and societal levels. The group primarily develops theories, methods, and tools, with emphasis on applying, preserving, and evaluating the confidentiality, integrity, and availability of the information and communication technologies (ICTs) of both private and public organizations.
Examples of our research include the management of information security through risk management; knowledge development through simulation and gamification of incident response and continuity planning; and the development and analysis of security controls, such as blockchain-based solutions and security in networks and critical infrastructure.
Our research is based on three challenge areas that also bring together our expertise in information security:
• Strategic - Research on information security governance, such as the development and implementation of information security policies, roles, responsibilities and standards to protect and enable an organization’s goals and vision.
• Operational - Research on the management of and processes for information security, such as training and awareness, evaluation and prioritization of critical information assets, as well as evaluation and communication of physical, administrative and technical security controls.
• Tactical - Research on security controls, as well as the detection, response to, and analysis of threats and vulnerabilities in networks and systems, both technical and social.