A suggestion for further studies would be additional empirical material to support the analysis and conclusion of this study. With a larger amount of data, and data of higher quality, the conclusions drawn here could be confirmed.
Another interesting suggestion for further research, following such a complementary investigation, would be to examine the social and economic reasons underlying why processes in information security work have not been implemented. Examples of this are Anderson (2001),
”Why information security is hard – an economic perspective”, and Gordon and Loeb (2006), ”Budgeting process for information security expenditures”, which address the economic, political
and social factors that affect information security work.
Since this study has focused solely on risk and incident management processes, continuity planning, and management responsibility and communication, another suggestion would be further research into which other processes have, or have not, been implemented in information security work.
7 References
Anderson, R. (2001). Why information security is hard – an economic perspective. In Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual (pp. 358-365). IEEE.
URL: http://www.acsac.org/2001/abstracts/thu-1530-b-anderson.html
Andersson, Jan-Olof (1997). Underlag för framtagande av katastrofplan för ”verksamheten”. SIS Förlag.
Andersson, Jan-Olof (1989-2004). Informationssäkerhetshandbok, version 3, Del 5, Kontinuitetsskydd för IT-verksamhet, Verksamhetens ”skyddsnät”. SIS Förlag.
Arvidsson, Jimmy (2007). Informationssäkerhetshandbok: Skapande av incidentorganisation och hantering av säkerhetsincidenter. SIS Förlag.
Baker, W. H., & Wallace, L. (2007). Is information security under control?: Investigating quality in information security management. Security & Privacy, IEEE, 5(1), 36-44.
URL: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4085592&tag=1
Baxter, P., & Jack, S. (2008). Qualitative case study methodology: Study design and implementation for novice researchers. The Qualitative Report.
URL: http://mz8an8jm8e.scholar.serialssolutions.com/?sid=google&auinit=P&aulast=Baxter&atitle=Qualitative+case+study+methodology:+Study+design+and+implementation+for+novice+researchers&title=Qualitative+report&volume=13&issue=4&date=2008&spage=544&issn=2160-3715
Blakley, B., McDermott, E., & Geer, D. (2001). Information security is information risk management. In Proceedings of the 2001 workshop on New security paradigms (pp. 97-104). ACM.
URL: http://dl.acm.org/citation.cfm?id=508187
Baskerville, R., & Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, 15(5/6), 337-346.
URL: http://www.emeraldinsight.com/journals.htm?articleid=852203
Bowen, G. A. (2009). Document analysis as a qualitative research method. Qualitative Research Journal, 9(2), 27-40.
URL: http://www.emeraldinsight.com/journals.htm?articleid=17021410&show=abstract
Choobineh, J., Dhillon, G., Grimaila, M. R., & Rees, J. (2007). Management of information security: Challenges and research directions. Communications of the Association for Information Systems, 20(1), 57.
URL: http://aisel.aisnet.org/cais/vol20/iss1/57/
DiCicco-Bloom, B., & Crabtree, B. F. (2006). The qualitative research interview. Medical Education, 40(4), 314-321.
Disterer, Georg (2013). ISO/IEC 27000, 27001 and 27002 for Information Security Management. Journal of Information Security, 4, 92.
URL: http://www.scirp.org/journal/PaperInformation.aspx?PaperID=30059#.U56vFPl_vz4
Eloff, J. H., & Eloff, M. (2003, September). Information security management: a new paradigm. In Proceedings of the 2003 annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology (pp. 130-136). South African Institute for Computer Scientists and Information Technologists.
URL: http://dl.acm.org/citation.cfm?id=954028
Eloff, M. M., & von Solms, S. H. (2000). Information security management: a hierarchical framework for various approaches. Computers & Security, 19(3), 243-256.
URL: http://www.sciencedirect.com/science/article/pii/S0167404800886137
Eisenhardt, K. M. (1989). Building Theories from case study research. Academy of Management, 14(4), 532-550.
URL: http://www.jstor.org/stable/258557
ENISA (2006). Risk Management – Principles and Inventories for Risk Management / Risk Assessment methods and tools. European Network and Information Security Agency.
URL: http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/files/deliverables/risk-management-principles-and-inventories-for-risk-management-risk-assessment-methods-and-tools
Fenz, S., & Ekelhart, A. (2009). Formalizing information security knowledge. In Proceedings of the 4th international Symposium on information, Computer, and Communications Security (pp. 183-194). ACM.
URL: http://dl.acm.org/citation.cfm?id=1533084
Finne, T. (2000). Information systems risk management: key concepts and business processes. Computers & Security, 19(3), 243-242.
URL: http://www.sciencedirect.com/science/article/pii/S0167404800886125
Gordon, L. A., & Loeb, M. P. (2006). Budgeting process for information security expenditures. Communications of the ACM, 49(1), 121-125.
URL: http://dl.acm.org/citation.cfm?id=1107465
Gollmann, D. (2010). Computer security. Wiley Interdisciplinary Reviews: Computational Statistics, 2(5), 544-554.
URL: http://onlinelibrary.wiley.com/doi/10.1002/wics.106/full
Garfinkel, S., Spafford, G., & Schwartz, A. (2003). Practical UNIX and Internet security. O'Reilly Media, Inc.
URL: ftp://ftp.itsinternet.net/pub/Linux_and_Unix_Books/O'Reilly%20-%20Practical%20UNIX%20And%20Internet%20Security.pdf
Hong, K. S., Chi, Y. P., Chao, L. R., & Tang, J. H. (2003). An integrated system theory of information security management. Information Management & Computer Security, 11(5), 243-248.
URL: http://www.emeraldinsight.com/journals.htm?articleid=862860
Hinde, S. (2002). Security surveys spring crop. Computers & Security, 21(4), 310-321.
URL: http://www.sciencedirect.com/science/article/pii/S0167404802004042
Höne, K., & Eloff, J. H. P. (2002). Information security policy—what do international information security standards say?. Computers & Security, 21(5), 402-409.
URL: http://www.sciencedirect.com/science/article/pii/S0167404802005047
Johnson, M. E., Goetz, E., & Pfleeger, S. L. (2009). Security through Information Risk Management. Security & Privacy, IEEE, 7(3), 45-52.
URL: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5054909
Kabay, M. E. (1996). The NCSA Guide to Enterprise Security. McGraw-Hill, New York, NY.
URL: http://dl.acm.org/citation.cfm?id=541335
Kotulic, A. G., & Clark, J. G. (2004). Why there aren’t more information security research studies. Information & Management, 41(5), 597-607.
URL: http://www.sciencedirect.com/science/article/pii/S0378720603000995
National Institute of Standards and Technology (NIST[sp800-34]) (2009). draft sp800-34-rev1.
National Institute of Standards and Technology (NIST[sp800-30]) (2001). sp800-30.
Oates, B. J. (2006). Researching information systems and computing. London: Sage Publications.
Pfleeger, C. P., & Pfleeger, S. L. (2002). Security in computing. Prentice Hall Professional Technical Reference.
URL: http://www.google.se/books?hl=sv&lr=&id=O3VB-zspJo4C&oi=fnd&pg=PR19&dq=Security+in+computing+pfleeger&ots=pRZsTouA_C&sig=3dBZKD1UJQNaEAcPBd-sYrtNBJw&redir_esc=y#v=onepage&q=Security%20in%20computing%20pfleeger&f=false
Räddningsverket (2003). Handbok för riskanalys. Räddningsverket (Myndigheten för samhällsskydd och beredskap).
URL: https://www.msb.se/RibData/Filer/pdf/18458.pdf
Rowley, J. (2002). Using case studies in research. Management Research News, 25(1), 16-27.
URL: http://www.emeraldinsight.com/journals.htm?articleid=866789&show=abstract
Saint-Germain, R. (2005). Information security management best practice based on ISO/IEC 17799. Information Management Journal, 39(4), 60-66.
Seale, C. (1999). Quality in qualitative research. Qualitative Inquiry, 5(4), 465-478.
URL: http://qix.sagepub.com/content/5/4/465.short
Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267-270.
URL: http://www.sciencedirect.com/science/article/pii/S0378720609000561
Siponen, M. (2006). Information security standards focus on the existence of process, not its content. Communications of the ACM, 49(8), 97-100.
URL: http://dl.acm.org/citation.cfm?id=1145316
Spencer, P. R. (2000). Valuing information assets for security risk management. Information Systems Security, Auerbach Publications, 9(4).
URL: http://www.tandfonline.com/doi/pdf/10.1201/1086/43311.9.4.20000910/31364.4
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: security planning models for management decision making. MIS Quarterly, 441-469.
URL: http://dl.acm.org/citation.cfm?id=306685
Swedish Standards Institute (SIS[27002]) (2005). SS-ISO/IEC 17799:2005.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[27001]) (2005). SS-ISO/IEC 27001:2005.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[Handbok]) (2006). Handbok i informationssäkerhetsarbete.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[27002]) (2014). SS-ISO/IEC 27002:2014.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[27001]) (2014). SS-ISO/IEC 27001:2014.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[27035-1]) (2011). SS-ISO/IEC 27035-1:2011.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[27035-2]) (2011). SS-ISO/IEC 27035-2:2011.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[22301]) (2012). SS-ISO/IEC 22301:2012.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[22313]) (2013). SS-ISO/IEC 22313:2013.
URL: http://www.sis.se/
Swedish Standards Institute (SIS[27000]) (2014). SS-ISO/IEC 27000:2014.
URL: http://www.sis.se/
Tellis, W. (1997). Application of a case study methodology. The Qualitative Report, 3(3), 1-17.
URL: http://www.nova.edu/ssss/QR/QR3-3/tellis2.html?ref=dizinler.com
Von Solms, B., & Von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376.
URL: http://www.sciencedirect.com/science/article/pii/S0167404804001221
Von Solms, R. (1996). Information security management: the second generation. Computers & Security, 15(4), 281-288.
URL: http://www.sciencedirect.com/science/article/pii/0167404896889395
Von Solms, R. (1999). Information security management: why standards are important. Information Management & Computer Security, 7(1), 50-58.
URL: http://www.emeraldinsight.com/journals.htm?articleid=862734
Yin, R. K. (2009). Case Study Research: Design and methods. Sage.
URL: http://www.google.se/books?hl=sv&lr=&id=FzawIAdilHkC&oi=fnd&pg=PR1&dq=Case+Study+Research:+Design+and+methods&ots=lYZQ8inW_v&sig=xhDlqGu_rgTwagJ8uiPPLySuLbs&redir_esc=y#v=onepage&q=Case%20Study%20Research%3A%20Design%20and%20methods&f=false
8 Interview
Interview with Robert Reineck, security manager at the agency Läkemedelsverket (the Swedish Medical Products Agency), Uppsala. 6/5-14
9 Appendices
Below are the questions that were used in the study's interview.