Trust as a factor in the information classification process
Simon Andersson
Information Security, master's level (120 credits) 2021
Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering
Abstract
Risk management is an important part of every business. In order to properly conduct it, risk assessment and within it, information classification is needed. The information classification produces a list of information assets and states how they are valued within the organization. That is then used as an important part of the risk assessment process.
In order to conduct such a valuation, users are consulted as they often times understand the value of information. However, using the CIA-Triad when communicating has proved to be difficult for users not knowledgeable in information security. Trust as a concept has been proven to have some connection to the concepts of the CIA-Triad and has been proposed as a possible translator in order to ease the communication of information value in the process of information classification.
Semi-structured interviews were held with information security professionals in order to further understand the connection between the CIA-triad concepts and trust, as well as to gain further understanding of the important parts of information classification. A thematic analysis showed that confidentiality and integrity are prominent factors connecting to trust, while availability, although still mentioned as having a connection, was not as prominent. Further, the empirical data was used to build a model based on trust and importance that allows for a translation of the CIA-triad concepts. This resulted in a classification-scheme based model that allows trust as a concept to be used as a translator of the CIA concepts, thus including trust as a concept in the information classification process.
Keywords: Information Security, Risk Management, Risk Assessment, Asset Classification, Information Classification, Classification Scheme
Contents
1 Introduction
1.1 Aim of study and research question
1.2 Expected contribution
1.3 Delimitation
1.4 Structure
2 Background Knowledge
2.1 Trust
2.2 Risk Management
2.3 Risk Assessment
2.4 Information Asset classification and valuation
2.5 Challenges with information classification
2.6 Classification Scheme based on trust
3 Method
3.1 Selection of a research approach
3.2 Research process
3.3 A Qualitative Inductive approach
3.4 Data Collection
3.5 Semi-structured interviews
3.5.1 The Interview Guide
3.5.2 The Interview Respondents
3.5.3 Booking Interviews
3.5.4 Conducting the Interviews
3.5.5 The Transcription process
3.6 Thematic Analysis
3.7 Ethics
3.8 Trustworthiness
4 Analysis and Results
4.1 Views on trust and its connection to the CIA
4.2 Using CIA to communicate
4.3 Information Classification - Important parts
4.4 A Re-Iteration of the Trust-Importance model
4.4.1 Using the model
5 Discussion
5.1 Connecting Trust with the CIA-Triad
5.2 Reiterating the Trust-Importance Model
5.3 Method Discussion
6 Conclusion
References
List of Figures
1 Basic parts of a classification-scheme
2 Expanded Classification Scheme
3 Initial Classification Scheme based around trust
4 The Research-flow of the thesis
5 Model based on trust and importance
6 Model based on CIA and consequence
7 The Coding Process
8 Adding the information object and owner/carrier
9 Top part of re-iterated classification scheme
10 Adding new phrases to classification and examples of classification levels
11 A re-iterated version of the trust-importance model
List of Tables
1 The interview guide
2 Interview Respondents
1 Introduction
The main goal of information security is the protection of information against information compromise; this refers to the confidentiality, integrity, and availability of data (Gritzalis, Iseppi, Mylonas, & Stavrou, 2018; von Solms & von Solms, 2018). Shameli-Sendi, Aghababaei-Barzegar, and Cheriet (2016) define it as the protection of an organization's valuable information from tampering, unwanted exposure or destruction. Such protection becomes increasingly important as organizations continuously adopt information technology. The importance of information as an asset continues to grow, and it is often described as one of, if not the most critical one. According to Evans and Price (2020), information assets are essential for every business process and activity, as well as every decision, of an organization. The importance of information as an asset, combined with a dramatic increase in intrusions and cyber-attacks over the last decade, shows the importance of managing and protecting the information against risks and threats (Dong & Yadav, 2014).
Organizations continue to face threats that could disrupt or hinder internal activities and thus negatively affect growth and profitability. The work towards reducing risks that could lead to an information compromise is therefore being prioritized to an increasing degree (Gritzalis et al., 2018; Bergström & Lundgren, 2019). Included in such a prioritization is risk management, and within it, risk assessment. These activities are, as the name suggests, responsible for the management and assessment of risks as well as the protection of assets. In order to protect an asset, a classification of it is needed. This is often done through the use of a classification scheme, where the potential harm resulting from a breach of a security aspect is identified and set. Such a scheme often uses confidentiality, integrity and availability (the CIA-Triad) as critical security aspects, as is recommended by e.g., the ISO 27002 standard (International Organization for Standardization [ISO], 2013). The objective of the classification is to ensure that the asset being classified receives a level of protection that is in line with its importance to the organization (Bergström & Åhlfeldt, 2014). The CIA-triad aspects are used to analyze the information, and the information is classified according to C, I and A, often on a level of low, medium or high. The classification acts as input to the risk assessment process, where one or several protections are eventually set. In this process the classification of the asset (Wheeler, 2011) is a deciding factor. The classification process is a complex one, and according to Bergström and Åhlfeldt (2014) one of the reasons might be that there is a lack of a formalized process description, which makes it a problematic process to perform. It is also inherently difficult to put a value on assets, whether they are tangible or intangible (Fenz, Heurix, Neubauer, & Pechstein, 2014; Bergström, Lundgren, & Ericson, 2019).
Using employees in information security processes has been found to raise organizational awareness of security risks and controls as well as to add value to security risk management in organizations (Spears & Barki, 2010). Within information classification, the user of the information that is to be classified could be consulted and provide useful information to the person in charge of the process. However, employees with little background in the information security field often find that the language used in frameworks such as ISO 27005 does not match the one used in the organization, and that the tasks are explained in a way that is too complex (Bergström & Lundgren, 2019). This could mean that users have difficulties expressing themselves in terms of confidentiality, integrity and availability.
Connected to the CIA-triad is the concept of trust. According to Mayer, Davis, and Schoorman (1995), integrity and availability are strong antecedents to trust, while confidentiality is a way of acting while being trusted. Mayer et al. (1995) also connect risk and trust, claiming that the need for trust only arises in a risky situation. As trust is something most people are familiar with (Shockley-Zalabak & Ellis, 2006), it could act as a translator of the CIA concepts in order to ease communication. Given the connection between the CIA-triad and trust, the concept of trust could therefore be introduced and explored in the process of involving the users in the information classification.
1.1 Aim of study and research question
The aim of this study is to explore the possibility of using trust in the information classification process and of using it to communicate the value of information. This is done through the creation of a framework that connects the CIA-triad with trust.
Thus, the research question for this thesis is: How can trust be used as a factor in the information classification process?
1.2 Expected contribution
The aim of the thesis is to explore the use of trust as a concept in the information classification process. This is done using questions related to trust in order to ease the comprehension of language for the employee that will be participating in the process. The outcome of the thesis may result in a framework showing the relationship between the CIA-Triad and digital trust.
1.3 Delimitation
There is more than one way to approach the risk classification process; this study is based on, as well as limited to, the approach developed by Bergström (2020). References to other methods will be made in the theory chapter in order to expand on the explanation of methods. The concept of trust is defined according to the definition by Gupta and Dhami (2015).
1.4 Structure
The remainder of the thesis is organized in the following manner: Chapter 2 describes and explains the concepts of trust, risk management, risk assessment and asset classification, as well as highlights the main challenges with information classification. Chapter 3 explains the methods used and the research approach of the thesis. Chapter 4 contains the analysis and results. Chapter 5 contains the discussion. Lastly, chapter 6 contains the conclusion.
2 Background Knowledge
This section provides information about trust, risk management, risk assessment as well as information classification in order to provide context to the terms used in the thesis.
2.1 Trust
Trust is something that can be defined in a variety of ways, likely because it is a difficult concept to define clearly. Some common definitions are: "To believe that someone is good and honest and will not harm you, or that something is safe and reliable" and "To hope and expect that something is true" (Cambridge Dictionary, 2021). Robinson (1996) explains trust as the attitude someone or a party (the trustor) adopts towards somebody else or another party (the trustee). Lastly, Gupta and Dhami (2015, p. 466) define trust as: "The willingness of a party to be vulnerable to the actions of another party on the expectation that the other will perform a particular action important to the trustee irrespective of the ability to monitor or control that other party". These definitions are aimed towards trust between individuals; however, it is important to note that trust can exist between an individual and an artifact as well.
In order to conduct work and to communicate with each other, trust has to exist, as interdependence is often necessary, meaning people have to depend on one another in order to reach a common goal (Mayer et al., 1995). In a similar sense, the systems that are used play the role of the trustee in a digital workplace. Depending on the information being used in the system, users have to be able to trust that the information is kept confidential and intact, as well as available for use. These aspects are all part of the CIA-triad.
Mayer et al. (1995) and Gupta and Dhami (2015) claim that the need for trust only arises in a risky situation, indicating that a connection between risk and trust exists.
Availability and integrity are, according to Mayer et al. (1995), two strong antecedents to trust, while confidentiality is often referred to as a way of acting while being trusted. It can also be argued that trust builds upon confidentiality, as having trust in someone or something includes that party keeping shared information confidential. The information valuation process is conducted in order to protect information from threats and to manage risk, further strengthening the connection between the two concepts. As explained by Shockley-Zalabak and Ellis (2006), trust is something most people are familiar with. Thus, it could be argued that trust could act as a good translator, given the connection between the concepts and the general public's familiarity with trust.
2.2 Risk Management
Within the subject of information security, risk management is a field that consists of a number of processes handling the management of risks. The number and order of processes can differ depending on what method is used. It can be viewed as the identification, evaluation and prioritization of risks, followed by an economical and coordinated application of resources in order to minimize, monitor and control the probability or impact of unfortunate events (Hubbard, 2020). According to Shameli-Sendi et al. (2016), the ultimate goal of risk management is to maximize the output of an organization while at the same time minimizing the unexpected negative outcomes generated by potential risk. Failing to use, or lacking, a risk management process can lead to the exploitation of assets and to vital assets in the organization staying unprotected. Risk management and the processes within it are often carried out using a framework. The process will differ depending on what type of framework one decides to use; however, the goal is the same. Most models use a threat-centric approach, which means that the main focus lies on how an adversary could exploit organizational assets and how the organization can protect the assets from said adversary (Silva & Jacob, 2018). An example of a process made by a standard-setting body is the ISO 27005:2018 standard (International Organization for Standardization [ISO], 2018). Another example is the Octave Allegro framework, created by the Software Engineering Institute in order to assist in the risk management process (Caralli, Stevens, Young, & Wilson, 2007). According to the International Organization for Standardization [ISO] (2018), a risk management process consists of the following parts:
• Context Establishment
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment
• Monitoring and Review
This is a method commonly followed by organizations and if it is to be compared to other standards, ISO 27005 is often regarded as a complete framework to use (Wangen, Hallstensen, & Snekkenes, 2017). The risk management frameworks are created in order to help and guide users in conducting the risk assessment as well as to support decision makers in gaining an understanding of, and assessing the risks that their organization is exposed to (Schmitz & Pape, 2020).
2.3 Risk Assessment
A part of the risk management process is the risk assessment process. According to the International Organization for Standardization [ISO] (2018), this process includes:
Risk Identification – The main purpose of the risk identification is to try to determine what can happen in the case of a potential loss. Another important goal is to gain insight into how, why, and where the loss can happen. In order to complete the risk identification the following activities should be performed:
• Asset identification
• Identification of threats
• Identification of existing controls
• Identification of vulnerabilities and consequences
Risk Analysis – The risk analysis is often done through one of two main methods: quantitative or qualitative risk analysis. A quantitative risk analysis focuses on a scale of numerical values and tries to calculate costs such as the single loss expectancy (the monetary loss of a single occurrence) and the annual loss expectancy (the monetary loss of a single occurrence multiplied by how many times a year the occurrence is expected to occur) (Munteanu, 2006). A qualitative risk analysis instead puts the focus on a matrix of likelihood and impact, where the risk is assessed as a result of those two factors. Getting an exact estimate of risk is difficult with this method, as it is based on the perceived value of assets as judged by the people providing the information to those conducting the analysis.
Risk Evaluation – Organizations will have criteria for how much risk they are willing to accept, also known as risk acceptance criteria. Based on these criteria, as well as risk evaluation criteria, the input from the identification and analysis is analyzed to create the risk evaluation. The result is a list of risks, prioritized according to the evaluation criteria, related to the scenarios that lead to those risks. This list can be seen as a prioritization of which risk to assign a treatment to first.
The above list is the process flow proposed by the ISO 27005:2018 standard; the risk assessment process can differ depending on what standard is used. Risk assessment is a process that has to be iterated as changes in the organization happen, such as changes in the operational plan or a change in the use of software within the organization. Changes within the organization can be difficult in themselves, and added to that is the constant evolution and rapid development of new information technologies and the rate at which organizations adopt them (Wheeler, 2011). Such change can, and often will, happen increasingly often, and new threats are developed alongside the technology development (Taylor, 2015). Following each change, the risk management and risk assessment processes have to be iterated, increasing in detail for each iteration as well as finding new threats to the identified assets.
2.4 Information Asset classification and valuation
The risk assessment process handles risk identification, analysis and evaluation. In order to do this, it is important to know what to protect. Traditionally this has been physical assets; in organizations today, however, with the continuous adoption of technology, information assets are of just as much importance (Gritzalis et al., 2018). Valuing information is not an easy task, and it is often noted as one of the larger problems within risk management (Bergström et al., 2019; Fenz et al., 2014). The asset valuation begins with an asset classification according to its criticality to business operations. That valuation is determined by looking at the replacement value and the business consequence in the case of a loss or compromise of the asset. Asset valuation is a key factor for the risk assessment process (International Organization for Standardization [ISO], 2018).
According to International Organization for Standardization [ISO] (2018) the valuation requires an asset identification to take place, whereas the valuation is the next step in the process. There are different ways of conducting this process, however ISO 27005 is a widely used and known standard, making the process outlined a good basis to start with.
Often a classification scheme is adapted to the organization and then used to classify all information within it (Bergström & Åhlfeldt, 2014). The basic parts of such a scheme can be seen in Figure 1. The figure uses security aspects and levels of impact as the X and Y axes. The security aspects are decided by the organization using the scheme. Following the ISO standard, the recommended factors to use are confidentiality, integrity and availability (International Organization for Standardization [ISO], 2013). The potential impact acts as the representation of the loss of a security aspect, such as confidentiality. There are no specific recommendations for this scale other than that the levels should be given names that make sense in the context in which the scheme is applied (Bergström, 2020). The number of levels is also chosen by the organization; however, in order to keep the scheme from becoming overly complicated, between 3 and 10 is the recommended number, and a typical organization usually has between 3 and 5 (International Organization for Standardization [ISO], 2013; Axelrod, Bayuk, & Schutzer, 2009).
Figure 1: Basic parts of a classification-scheme (Bergström, 2020)
Bergström (2020) expanded on the classification scheme by including the CIA-triad as the critical security aspects, paired with three factors: the own organization, other organizations, and individuals, each tied to every security aspect (Figure 2).
Figure 2: Expanded classification scheme (Bergström, 2020)
The classification is then done by ranking the potential impact of e.g., a loss of confidentiality for each of the three factors. The highest-ranked factor of each aspect decides the final classification for that specific security aspect. This thesis uses the expanded classification scheme as the main method of conducting the information classification and as a basis for further development.
2.5 Challenges with information classification
The biggest input to the risk assessment process is the asset valuation, where the value of assets, both tangible and intangible, is set. The valuation is one of the major problems in risk management and assessment, as it is hard to decide the value of assets and information, and the result is also subjective to the person performing the valuation (Bergström et al., 2019; Fenz et al., 2014; Sajko, Rabuzin, & Bača, 2006). Another problem lies in the use and format of the classification scheme. Using a classification scheme is a recommended activity; however, there is difficulty in finding the optimal number of potential impact levels as well as security aspects. The problem lies in satisfying the conditions that the scheme is not oversimplified while at the same time being simple enough to be understood by information owners and users (Fibikova & Müller, 2011; Bergström, 2020). This is a challenging task, and if not done correctly it can result in overly complex schemes leading to inconsistent valuation (Parker, 1996).
The information classification process is inherently complex, and it is further complicated for organizations by the lack of a formalized process description, leading to issues while conducting the classification (Bergström & Åhlfeldt, 2014). Within organizations, the main problems that have been identified are weak, or lacking, classification guidelines, an insufficient inventory of assets, and confusion about or unclear ownership (Bergström & Åhlfeldt, 2014). The process is also one that many organizations struggle to complete, even though it is not a new concept (Ghernaouti-Helie, Simms, & Tashi, 2011).
2.6 Classification Scheme based on trust
Based on the concept of trust as defined by Robinson (1996), Gupta and Dhami (2015) and Cambridge Dictionary (2021), and more specifically the connection between the CIA-triad and trust described in section 2.1, a classification scheme based on trust can arguably be combined with the traditional scheme, and one is herein proposed as seen in Figure 3. In this scheme, the trust concept is used as a complement to the CIA security factors. A classification scheme based on trust works similarly to a traditional classification scheme; however, the critical security factors as well as the consequence levels are exchanged. The security factors become trust that the information is kept private, trust that the information is maintained as is, and trust that the information is available to those authorized to access it. Instead of consequence, a ranking of importance in trust is used.
Figure 3: Initial Classification Scheme based around trust
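The following is an added example, not code from the thesis or from Bergström's work, that models the two schemes described in sections 2.4 and 2.6: the expanded CIA scheme with its three factors and the "highest-ranked factor decides" rule, and the trust-based variant that swaps the security factors for trust statements and consequence for importance in trust. Level names, the retention of the three factors in the trust scheme, and the rank-for-rank translation between the two scales are assumptions made for the example.

```python
ASPECTS = ("confidentiality", "integrity", "availability")
# The three factors of the expanded scheme (Figure 2).
FACTORS = ("own organization", "other organizations", "individuals")

# Section 2.6 phrasing of each CIA aspect as something the user must be able to trust.
TRUST_STATEMENTS = {
    "confidentiality": "the information is kept private",
    "integrity": "the information is maintained as is",
    "availability": "the information is available to those authorized to it",
}


def make_levels(names):
    """Return {level name: rank} for an ordered scale, lowest level first.

    The number of levels is the organization's choice; 3 to 10 is the
    recommended range (section 2.4), so anything outside it is rejected.
    """
    names = list(names)
    if not 3 <= len(names) <= 10:
        raise ValueError(f"expected 3-10 levels, got {len(names)}")
    if len(set(names)) != len(names):
        raise ValueError("level names must be unique")
    return {name: rank for rank, name in enumerate(names)}


class Scheme:
    """A classification scheme: factors on one axis, ordered levels on the other."""

    def __init__(self, factors, levels):
        self.factors = tuple(factors)
        self.levels = dict(levels)

    def classify(self, ratings):
        """Apply the rule from section 2.4: per aspect, the highest-ranked
        factor decides the final classification of that aspect.

        ratings: {aspect: {factor: level name}}, exactly one level per factor.
        For the trust scheme the aspect key names the CIA aspect that the
        trust statement translates (assumption of this example).
        """
        final = {}
        for aspect in ASPECTS:
            per_factor = ratings[aspect]
            missing = [f for f in self.factors if f not in per_factor]
            if missing:
                raise ValueError(f"{aspect}: no rating for {missing}")
            unknown = [lvl for lvl in per_factor.values() if lvl not in self.levels]
            if unknown:
                raise ValueError(f"{aspect}: unknown level(s) {unknown}")
            final[aspect] = max(per_factor.values(), key=self.levels.__getitem__)
        return final


def trust_questions(asset):
    """Trust-phrased question per aspect, for users unfamiliar with the CIA terms."""
    return {
        aspect: f"For '{asset}', how important is it that you can trust that {stmt}?"
        for aspect, stmt in TRUST_STATEMENTS.items()
    }


def translate(trust_scheme, impact_scheme, trust_ratings):
    """Translate an importance-in-trust classification into a CIA/impact one.

    Assumption (not stated in the thesis): both scales have the same number
    of levels and are mapped rank for rank, e.g. 'essential' -> 'high'.
    """
    if len(trust_scheme.levels) != len(impact_scheme.levels):
        raise ValueError("scales must have the same number of levels")
    by_rank = {rank: name for name, rank in impact_scheme.levels.items()}
    trust_final = trust_scheme.classify(trust_ratings)
    return {asp: by_rank[trust_scheme.levels[lvl]] for asp, lvl in trust_final.items()}


# Constructed sample data: a 3-level impact scale for the expanded scheme and a
# 3-level importance scale for the trust scheme (names are assumptions).
IMPACT = Scheme(FACTORS, make_levels(["low", "medium", "high"]))
TRUST = Scheme(FACTORS, make_levels(["nice to have", "important", "essential"]))

SAMPLE_RATINGS = {
    "confidentiality": {"own organization": "medium", "other organizations": "high", "individuals": "low"},
    "integrity": {"own organization": "low", "other organizations": "low", "individuals": "low"},
    "availability": {"own organization": "medium", "other organizations": "low", "individuals": "low"},
}

if __name__ == "__main__":
    print(IMPACT.classify(SAMPLE_RATINGS))
    for question in trust_questions("customer register").values():
        print(question)
```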
3 Method
The thesis intends to improve upon an already existing practice: the classification of information assets that is done in order to proceed with the risk assessment process. In order to achieve this, an exploratory approach has been used to clarify part of a research area that is not fully explored. An exploratory approach is connected to qualitative research in the sense that the research starts with a preliminary idea about the importance of a certain subject (David & Sutton, 2016). In the case of this study, the preliminary idea revolved around the fact that information classification is a complex process (Bergström, 2020). It can also be difficult to understand, and it is not very well documented in guiding documents and frameworks (Bergström & Åhlfeldt, 2014). However, conducting the process is necessary, as it is a major input to the risk assessment process. This acted as the basis for the study; hence it explores whether there are other ways of conducting the information classification that ease comprehension as well as the inclusion of employees.
3.1 Selection of a research approach
There are different ways of conducting research, two of the most common ones are:
Inductive
The research does not start with a base of theory but instead uses a qualitative way of working in order to form concepts and theories around collected data, such as empirical observations. Such work is often explorative and attempts to create explanations of phenomena from the gathered data (David & Sutton, 2016; Woiceshyn & Daellenbach, 2018).
Deductive
The research starts with a base in theory and often uses a quantitative way of working, with the aim of strengthening the understanding of a certain theory. Often the flow of work starts in theory, a hypothesis is derived, testing of the hypothesis is conducted, and lastly the theory is revised (David & Sutton, 2016; Woiceshyn & Daellenbach, 2018; Nola & Sankey, 2014).
In order to answer the research question, How can trust be used as a factor in the information classification process?, an inductive approach has been used. This is because the research question is not based in theory, but rather in previous observations. The thesis follows a qualitative way of working and starts from empirical data rather than from set theories.
3.2 Research process
Figure 4: The Research-flow of the thesis
The research process was developed with the intention of creating a classification table based on trust rather than the CIA-triad. The objective was to design the classification table based on feedback, which was an iterative process. This has been achieved by following the steps in Figure 4.
3.3 A Qualitative Inductive approach
Given the characteristics of the research process, the research adopted a qualitative approach. The research aimed to study a real-world problem, to allow testing of new concepts about an existing phenomenon, and to provide a means through which a particular practice can be evaluated; these are all parts of a typical qualitative study (Leedy & Ormrod, 2014). Further, a typical qualitative way of gathering data is through semi-structured interviews, where both past and present behaviour can be identified (Leedy & Ormrod, 2014).
3.4 Data Collection
The data collection was conducted by performing a literature overview and semi-structured interviews. The literature overview was necessary to get an overview of the subject and to identify current practices as well as previously identified problems with information classification as a method and a process. Based on this literature, as well as the suggested modification of a classification scheme (presented in section 2.6), an interview guide was created. The interview guide contained questions that allowed for follow-up questions and discussion in order to understand and hear the experiences of the interview respondent. At the end of each interview, a test of a classic classification scheme as well as the proposed trust-importance classification scheme was conducted.
All the interviews were conducted digitally. If consent was given, the interviews were recorded and transcribed.
The data collected through interviews was analyzed through a thematic analysis. Such an analysis is fitting for qualitative data analysis and serves as a method for identifying, analysing and reporting themes within collected data (Braun & Clarke, 2006). This was deemed fitting for the purpose of the study.
3.5 Semi-structured interviews
Semi-structured interviews are fitting for research where some areas of a phenomenon are based on previous knowledge and where people's awareness of a subject is low; they allow for the collection of opinions, values and thoughts, enriching a study with extensive data (Kallio, Pietilä, Johnson, & Kangasniemi, 2016). The thesis handles the subject of information classification, a complex and not very well documented subject, which motivates the choice of the interview method (Bergström, 2020). Some positives of the interview method are its flexibility and adaptability, its ability to enable reciprocity between researcher and respondent, and that it results in rigorously collected data, one of the main factors that influence both the quality and trustworthiness of a study (Kallio et al., 2016; Kitto, Chesters, & Grbich, 2008). There are some negatives to semi-structured interview data collection that are important to be aware of. It is demanding both for the respondent and for the researcher. The semi-structured interview requires the interviewer to be smart, sensitive, poised and nimble as well as knowledgeable about the subject at hand (Adams, 2015). It is also important to understand that properly preparing an interview guide, conducting interviews, transcribing and conducting the analysis is a time-consuming task (Denscombe, 2010; Adams, 2015). With these problems in mind, the positives still outweigh the negatives for this type of study, and it was decided that the semi-structured interview method was a good fit for the type of study being conducted.
3.5.1 The Interview Guide
The next step in the process was developing an interview guide containing questions that cover the main areas of the study. It is important to note that it is not a questionnaire: the questions stated are there as support for the conversation, not to be asked from top to bottom. The main categories used were in this case based on the CIA-Triad as well as information classification. Within each main area, sub-categories were created. These mainly served the purpose of identifying what questions to potentially ask about which area, as well as making sure all of the areas were covered in the interview. Follow-up questions were created as examples of what to keep asking if the initial answer did not lead to another natural follow-up. Overall, the questions were open-ended, inviting discussion; however, some questions are close-ended. This was done intentionally, as such questions can often be gateways to open-ended probing (Adams, 2015). An example from the guide is "Does CIA affect your everyday work?" The expected answer is a simple yes or no, followed by the question "Why is that?", which opens up for discussion and in-depth explanations from the respondent. Lastly, the interview guide was constructed using a language that seemed to match the respondents; including terms such as information classification did not seem to be a problem, given that they were all information security professionals to some degree. The complete interview guide can be seen in Table 1.
Table 1: The interview guide
Main category: Trust
Sub-category: General opinions regarding trust
• What is trust to you?
Follow-up: How important is trust to you? In what way, and why, is it or is it not important?
• How would you say that trust is created?
• What is trust based on?
Follow-up: Are there any parts that are needed for trust to exist?
• Is trust something that can only exist between individuals?
Follow-up: If yes: Can you explain why that is? If no: Can you explain why that is? In what way?
• Is trust important in your work?
Follow-up: Is it something that is needed in order for you to conduct your work? If yes: Can you explain why? If no: Can you explain why it isn't?
Sub-category: High & low levels of trust
• Do you have an example of a situation where a high level of trust is needed?
Follow-up: Why is / why isn't a high level of trust needed?
• Do you have an example of a situation where a low level of trust is needed?
Follow-up: Could a similar type of situation arise when you place trust in a system?
Main category: CIA
Sub-category: General opinions and views of CIA
• What is Confidentiality, Integrity and Availability to you?
Follow-up: Is it something that is important to you? Why is it / why is it not important to you?
• Does CIA affect your everyday work?
Follow-up: In what way? Why do you think it does not?
• Do you find the concepts complicated?
Follow-up: Why do you think that is?
• How would you connect the CIA to information security?
• Is it something you use in everyday work?
Follow-up: Can you explain how? Why do you think you do not?
Sub-category: Communicating using CIA
• Is CIA something you use when communicating with customers and/or other employees?
Follow-up: If yes: Can you explain in what way? If no: Why do you think that is?
• With CIA in mind, do you think using those terms can affect the communication with people that are not savvy in the subject of information security?
Follow-up: In what way?
Main category: Information Classification
• What is Information classification to you?
• What do you find to be the most important with information classification?
• What parts do you think should be included in a classification model?