Control Gates for Assuring Information Security during System Development: A Case Study
2012 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits. Student thesis.
Abstract [en]

Does information security have its Achilles’ heel in the impact analysis? This hypothetical question arose during a case study of a governmental IT department working with integration. Complexity and lack of support from the business line were causing inadequate risk and impact assessments. This case study reveals that risk and impact assessment can fail due to complexity, lack of criteria for prioritization, and unclear roles and responsibilities. Information security risk formulas require input, but in the real case it was impossible to assess the required input due to the complexity of governmental IT projects with many vendors and complex portfolios, unclear roles and responsibilities, lack of support from the business department, and complex organizational dynamics. The contradictory results indicate that calculating business impact was more difficult than assessing risk/cost or benefits. The difficulties of setting business priorities became visible when the client hired consultants to conduct prioritization assessments; the consultants later answered that they were unable to prioritize. This incident matches what is known in information security research: even if policies prescribe information security standards that ensure quality, it is uncertain whether they are successful in the real case. In the end, the IT department solved the problem by using experienced consultants who set their own priorities. Research shows that support from top management is critical for success, which is visible in the case in the weak collaboration from the business department in the cost/benefit/risk and impact assessments, which affected the possibility of succeeding with these important assessments in the early stage of the project. The case highlights some difficulties in getting the business department involved in the strategic IT meetings during development.

URN: urn:nbn:se:ltu:diva-52708
Local ID: 9cf20121-d1fd-4b80-881e-f39fee8ed39e
OAI: diva2:1026080
Subject / course: Student thesis, at least 30 credits
Educational program: Information Security, master's level
Validated; 20120617 (anonymous)
Available from: 2016-10-04. Created: 2016-10-04. Bibliographically approved.

Open Access in DiVA

File name: FULLTEXT02.pdf
File size: 919 kB
Type: fulltext
Mimetype: application/pdf

Author: Emanuelsson, Fredrik
