Academic year: 2022


Trust as a factor in the information classification process

Simon Andersson

Information Security, master's level (120 credits) 2021

Luleå University of Technology

Department of Computer Science, Electrical and Space Engineering


Abstract

Risk management is an important part of every business. In order to properly conduct it, risk assessment and within it, information classification is needed. The information classification produces a list of information assets and states how they are valued within the organization. That is then used as an important part of the risk assessment process.

In order to conduct such a valuation, users are consulted as they often times understand the value of information. However, using the CIA-Triad when communicating has proved to be difficult for users not knowledgeable in information security. Trust as a concept has been proven to have some connection to the concepts of the CIA-Triad and has been proposed as a possible translator in order to ease the communication of information value in the process of information classification.

Semi-structured interviews were held with information security professionals in order to further understand the connection between the CIA-triad concepts and trust, as well as to gain further understanding of the important parts of information classification. A thematic analysis showed that confidentiality and integrity are prominent factors that connect to trust, while availability, although still mentioned as having a connection, was not as prominent. Further, the empirical data was used to build a model based on trust and importance that allows for a translation of the CIA-triad concepts. This resulted in a classification-scheme based model that allows trust as a concept to be used as a translator of the CIA concepts, thus including trust as a concept in the information classification process.

Keywords: Information Security, Risk Management, Risk Assessment, Asset Classification, Information Classification, Classification Scheme


Contents

1 Introduction
1.1 Aim of study and research question
1.2 Expected contribution
1.3 Delimitation
1.4 Structure
2 Background Knowledge
2.1 Trust
2.2 Risk Management
2.3 Risk Assessment
2.4 Information Asset classification and valuation
2.5 Challenges with information classification
2.6 Classification Scheme based on trust
3 Method
3.1 Selection of a research approach
3.2 Research process
3.3 A Qualitative Inductive approach
3.4 Data Collection
3.5 Semi-structured interviews
3.5.1 The Interview Guide
3.5.2 The Interview Respondents
3.5.3 Booking Interviews
3.5.4 Conducting the Interviews
3.5.5 The Transcription process
3.6 Thematic Analysis
3.7 Ethics
3.8 Trustworthiness
4 Analysis and Results
4.1 Views on trust and its connection to the CIA
4.2 Using CIA to communicate
4.3 Information Classification - Important parts
4.4 A Re-Iteration of the Trust-Importance model
4.4.1 Using the model
5 Discussion
5.1 Connecting Trust with the CIA-Triad
5.2 Reiterating the Trust-Importance Model
5.3 Method Discussion
6 Conclusion
References

List of Figures

1 Basic parts of a classification-scheme
2 Expanded Classification Scheme
3 Initial Classification Scheme based around trust
4 The Research-flow of the thesis
5 Model based on trust and importance
6 Model based on CIA and consequence
7 The Coding Process
8 Adding the information object and owner/carrier
9 Top part of re-iterated classification scheme
10 Adding new phrases to classification and examples of classification levels
11 A re-iterated version of the trust-importance model

List of Tables

1 The interview guide
2 Interview Respondents


1 Introduction

The main goal of information security is the protection of information against information compromise; this refers to the confidentiality, integrity, and availability of data (Gritzalis, Iseppi, Mylonas, & Stavrou, 2018; von Solms & von Solms, 2018). Shameli-Sendi, Aghababaei-Barzegar, and Cheriet (2016) define it as the protection of an organization's valuable information from tampering, unwanted exposure or destruction. Such protection becomes increasingly important as there is a continuous adoption of information technology by organizations. The importance of information as an asset continues to grow and it is often defined as one of, if not the most, critical ones. According to Evans and Price (2020) information assets are essential for every business process and activity as well as every decision of an organization. The importance of information as an asset, combined with a dramatic increase in intrusions and cyber-attacks over the last decade, shows the importance of managing and protecting the information against risks and threats (Dong & Yadav, 2014).

As organizations continue to face threats that could disrupt or hinder internal activities, and thus negatively affect growth and profitability, the work towards reducing risks that could lead to an information compromise is being prioritized in an increasing manner (Gritzalis et al., 2018; Bergström & Lundgren, 2019). Included in such a prioritization is risk management, and within it, risk assessment. These activities are, as the name suggests, responsible for the management and assessment of risks as well as the protection of assets. In order to protect an asset, a classification of it is needed. This is often done through the use of a classification scheme where the potential harm as a result of a breach of a security aspect is identified and set. Such a scheme often uses confidentiality, integrity and availability (the CIA-triad) as critical security aspects, as is recommended by e.g., the ISO 27002 standard (International Organization for Standardization [ISO], 2013). The objective of the classification is to ensure that the asset that is being classified receives an appropriate level of protection that is in line with the importance it has to the organization (Bergström & Åhlfeldt, 2014). The CIA-triad aspects are used in order to analyze the information, and the information is classified according to C, I and A, often on a level of low, medium or high. The classification acts as input to the risk assessment process, where one or several protections are eventually set. In this process the classification of the asset (Wheeler, 2011) is a deciding factor. The classification process is a complex one, and according to Bergström and Åhlfeldt (2014) one of the reasons might be that there is a lack of a formalized process description, thus it becomes a problematic process to perform. It is also inherently difficult to put a value on assets, whether they be tangible or intangible (Fenz, Heurix, Neubauer, & Pechstein, 2014; Bergström, Lundgren, & Ericson, 2019).

Using employees in information security processes has been found to raise organizational awareness of security risks and controls as well as adding value to security risk management in organizations (Spears & Barki, 2010). Within information classification, the user of the information that is to be classified could be utilized and provide useful information to the person in charge of the process. However, employees with little background in the information security field often find that the language used in frameworks such as ISO 27005 does not match the one in the organization and that the tasks are explained in a way that is too complex (Bergström & Lundgren, 2019). This could mean that users might have difficulties expressing themselves in terms of confidentiality, integrity and availability.

Connected to the CIA-triad is the concept of trust. According to Mayer, Davis, and Schoorman (1995) integrity and availability are strong antecedents to trust, while confidentiality is a way of acting while being trusted. Mayer et al. (1995) also connect risk and trust, claiming that the need for trust only arises in a risky situation. As trust is something most are familiar with (Shockley-Zalabak & Ellis, 2006), it could act as a translator of the CIA concepts in order to ease the communication. With the connection between the CIA-triad and trust, the concept of trust could therefore be introduced and explored in the process of involving the users in the information classification.

1.1 Aim of study and research question

The aim of this study is to explore the possibility of using trust in the information classification process and using it to communicate the value of information. This is done through the creation of a framework that connects the CIA-triad with trust.

Thus, the research question for this thesis is: How can trust be used as a factor in the information classification process?

1.2 Expected contribution

The aim of the thesis is to explore the use of trust as a concept in the information classification process. This is done using questions related to trust in order to ease the comprehension of language for the employee that will be participating in the process. The outcome of the thesis may result in a framework showing the relationship between the CIA-Triad and digital trust.

1.3 Delimitation

There is more than one way to approach the risk classification process; this study is based on, as well as limited to, the approach developed by Bergström (2020). References to other methods used will be made in the theory chapter in order to expand on the explanation of methods. The concept of trust is defined according to the definition made by Gupta and Dhami (2015).

1.4 Structure

The remainder of the thesis is organized in the following manner: Chapter 2 describes and explains the concepts of trust, risk management, risk assessment and asset classification as well as highlights the main challenges with information classification. Chapter 3 explains the methods used and the research approach of the thesis. Chapter 4 contains the analysis and results. Chapter 5 contains the discussion. Lastly, chapter 6 contains the conclusion.

2 Background Knowledge

This section provides information about trust, risk management, risk assessment as well as information classification in order to provide context to the terms used in the thesis.

2.1 Trust

Trust is something that can be defined in a variety of ways; this is likely because it is a difficult concept to clearly define. Some common definitions are: ”To believe that someone is good and honest and will not harm you, or that something is safe and reliable” and ”To hope and expect that something is true” (Cambridge Dictionary, 2021). Robinson (1996) explains trust as the attitude someone or a party (the trustor) adopts towards somebody else or another party (the trustee). Lastly, Gupta and Dhami (2015, p. 466) define trust as: ”The willingness of a party to be vulnerable to the actions of another party on the expectation that the other will perform a particular action important to the trustee irrespective of the ability to monitor or control that other party”. These definitions are aimed towards trust between individuals; however, it is important to note that trust can be between an individual and an artifact as well.

In order to conduct work and to communicate with each other, trust has to exist, as interdependence is often necessary, meaning people have to depend on one another in order to reach a common goal (Mayer et al., 1995). In a similar sense, the systems that are used play the role of the trustee in a digital workplace. Depending on the information being used in the system, users have to be able to trust that the information is kept confidential, integral as well as available for use. These aspects are all part of the CIA-triad.

Mayer et al. (1995) and Gupta and Dhami (2015) claim that the need for trust only arises in a risky situation, indicating that a connection between risk and trust exists.

Availability and integrity are, according to Mayer et al. (1995), two strong antecedents to trust, while confidentiality is often referred to as a way of acting while being trusted. It can also be argued that trust builds upon confidentiality, as part of having trust in someone or something includes that party being confidential with shared information. The information valuation process is conducted in order to protect information from threats and to manage risk, further strengthening the connection between the two concepts. As explained by Shockley-Zalabak and Ellis (2006), trust is something most are familiar with. Thus, it could be argued that it could act as a good translator given the connection of concepts and the general public's familiarity with trust.

2.2 Risk Management

Within the subject of information security, risk management is a field that consists of a number of processes handling the management of risks. The number and order of processes can differ depending on what method is used. It can be viewed as the identification, evaluation and prioritization of risks, followed by an economical and coordinated application of resources in order to minimize, monitor as well as control the probability or impact of unfortunate events (Hubbard, 2020). According to Shameli-Sendi et al. (2016) the ultimate goal of risk management is to maximize the output of an organization while at the same time minimizing the unexpected negative outcomes that are generated by potential risk. Failing to use, or the lack of, a risk management process can lead to the exploitation of assets and to vital assets in the organization staying unprotected. Risk management and the processes within it are often done by using a framework. The process will be different depending on what type of framework one decides to use; however, the goal is the same. Most models use a threat-centric approach, which means that the main focus lies on how an adversary could exploit organizational assets, and how the organization can protect the assets from said adversary (Silva & Jacob, 2018). An example of a process that is made by a standard-setting body is the ISO 27005:2018 standard (International Organization for Standardization [ISO], 2018). Another example is that of the Octave Allegro framework, created by the Software Engineering Institute in order to assist in the risk management process (Caralli, Stevens, Young, & Wilson, 2007). According to the International Organization for Standardization [ISO] (2018), a risk management process consists of the following parts:

• Context Establishment

• Risk Identification

• Risk Analysis

• Risk Evaluation

• Risk Treatment

• Monitoring and Review

This is a method commonly followed by organizations and if it is to be compared to other standards, ISO 27005 is often regarded as a complete framework to use (Wangen, Hallstensen, & Snekkenes, 2017). The risk management frameworks are created in order to help and guide users in conducting the risk assessment as well as to support decision makers in gaining an understanding of, and assessing the risks that their organization is exposed to (Schmitz & Pape, 2020).

2.3 Risk Assessment

A part of the risk management process is the risk assessment process. According to the International Organization for Standardization [ISO] (2018), this process includes:

Risk Identification – The main purpose of the risk identification is to try to determine what can happen in the case of a potential loss. Another important goal is to gain insight into how, why, and where the loss can happen. In order to complete the risk identification the following activities should be performed:

• Asset identification

• Identification of threats

• Identification of existing controls

• Identification of vulnerabilities and consequences

Risk Analysis – The risk analysis is often done through one of two main methods: quantitative or qualitative risk analysis. A quantitative risk analysis focuses on a scale of numerical values and tries to calculate costs such as the single loss expectancy (the monetary loss of a single occurrence) and the annual loss expectancy (the monetary loss of a single occurrence multiplied by how many times a year the occurrence is expected to occur) (Munteanu, 2006). A qualitative risk analysis instead puts the focus on a matrix of likelihood and impact, where the risk is assessed as a result of those two factors. Getting an exact estimate of risk is difficult, as this method is based on the judgement of the perceived value of assets by the people providing the information to the people conducting the analysis.

Risk Evaluation – Organizations will have criteria for how much risk they are willing to accept, also known as risk acceptance criteria. Based on these criteria, as well as risk evaluation criteria, the input from the identification and analysis is analyzed to create the risk evaluation: a list of risks, prioritized according to the evaluation criteria, related to the scenarios that lead to those risks. This list can be seen as a prioritization of which risk to assign a treatment to first.

The above list is the process-flow proposed by the ISO 27005:2018 standard; the risk assessment process can differ depending on what standard is used. Risk assessment is a process that has to be iterated as changes in the organization happen, such as changes in the operational plan or a change in the use of software within the organization. While changes within the organization can be difficult, adding to that is the constant evolution and rapid development of new information technologies and the rate at which organizations are adopting them (Wheeler, 2011). Such change can, and often will, happen more often, and new threats are developed alongside the technology development (Taylor, 2015). Following the change, the risk management and risk assessment processes have to be iterated, thus increasing in detail for each iteration as well as finding new threats to the identified assets.

2.4 Information Asset classification and valuation

The risk assessment process handles a risk identification, analysis and evaluation. In order to do this it is of importance to know what to protect. Often times this is physical assets; in organizations today, however, with the continuous adoption of technology, information assets are of just as much importance (Gritzalis et al., 2018). Valuing information is not an easy task, and it is often noted to be one of the larger problems within risk management (Bergström et al., 2019; Fenz et al., 2014). The asset valuation begins with an asset classification according to the criticality of the asset to business operations. That valuation is determined by looking at the replacement value and the business consequence in the case of a loss or compromise of the asset. Asset valuation is a key factor for the risk assessment process (International Organization for Standardization [ISO], 2018).

According to International Organization for Standardization [ISO] (2018) the valuation requires an asset identification to take place, whereas the valuation is the next step in the process. There are different ways of conducting this process, however ISO 27005 is a widely used and known standard, making the process outlined a good basis to start with.

Often times a classification scheme is adapted to the organization and is then used to classify all information within it (Bergström & Åhlfeldt, 2014). The basic parts of such a scheme can be seen in Figure 1. The figure uses security aspects and levels of impact as the X and Y axes. Security aspects are decided by the organization using the scheme. Following the ISO standard, the recommended factors to use are confidentiality, integrity and availability (International Organization for Standardization [ISO], 2013). The potential impact acts as the representation of loss of a security aspect, such as confidentiality. There are no specific recommendations for this scale other than that the levels should be given names that make sense in the context of the application of the scheme (Bergström, 2020). The number of levels is also chosen by the organization; however, in order to keep it from becoming overly complicated, between 3 and 10 is the recommended number, and a typical organization usually has between 3 and 5 (International Organization for Standardization [ISO], 2013; Axelrod, Bayuk, & Schutzer, 2009).

Figure 1: Basic parts of a classification-scheme (Bergström, 2020)

Bergström (2020) expanded on the classification scheme by including the CIA-triad as the critical security aspects, paired with the three factors of the own organization, other organizations as well as individuals, tied to each aspect (Figure 2).

Figure 2: Expanded classification scheme (Bergström, 2020)

The classification is then done by ranking the potential impact of e.g., confidentiality in each of the three factors. The highest ranking part of each aspect decides the final classification for that specific security aspect. This thesis uses the expanded classification scheme as the main method of conducting the information classification and as a basis for further development.

2.5 Challenges with information classification

The biggest input to the risk assessment process is the asset valuation, where the value of assets, both tangible and intangible, is set. The valuation is one of the major problems in risk management and assessment, as it is hard to decide the value of assets and information, and it is also subjective to the person performing the valuation (Bergström et al., 2019; Fenz et al., 2014; Sajko, Rabuzin, & Bača, 2006). Another problem lies in the use and format of the classification scheme. Using a classification scheme is a recommended activity; however, there is difficulty in finding the optimal number of potential impact levels as well as security aspects. The problem lies in trying to satisfy the condition of the scheme not being oversimplified while at the same time being simple enough that it can be understood by information owners and users (Fibikova & Müller, 2011; Bergström, 2020). This is a challenging task, and if not done correctly it can result in too complex schemes leading to inconsistent valuation (Parker, 1996).

The information classification as a process is inherently complex, and it gets further complicated for organizations as there is a lack of a formalized process description, leading to issues during the conducting of the classification (Bergström & Åhlfeldt, 2014). Within organizations, the main problems that have been identified are weak, or a lack of, classification guidelines, an insufficient inventory of assets, as well as confusion about or unclear ownership (Bergström & Åhlfeldt, 2014). The process is also one that many organizations struggle with completing, even though it is not a new concept (Ghernaouti-Helie, Simms, & Tashi, 2011).

2.6 Classification Scheme based on trust

Based on the concept of trust as defined by Robinson (1996), Gupta and Dhami (2015) and Cambridge Dictionary (2021), and more specifically the connection between the CIA-triad and trust as seen in chapter 2.1, a classification scheme based on trust can therefore arguably be combined and is herein proposed as seen in Figure 3. As such, the trust concept could be used as a complement to the CIA security factors in the classification scheme. A classification scheme based on trust could therefore work similarly to a traditional classification scheme; however, the critical security factors as well as the consequence levels are exchanged. Trust that the information is kept private, that the information is maintained as is, as well as that the information is available to those authorized to it, is used as the security factors. Instead of consequence, a ranking of importance in trust is used.

Figure 3: Initial Classification Scheme based around trust
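To make the two schemes concrete, the following is an added example (not code from the thesis or from Bergström's work) that models the expanded scheme of Figure 2 and the trust-based variant of Figure 3 as data: each security aspect is rated per factor (own organization, other organization, individuals) on an ordered scale of named levels, and the highest level across the three factors becomes that aspect's final classification. The trust phrasing of section 2.6 is mapped onto C, I and A so a classification filled in with trust questions can be reported in CIA terms; the level names, the sample ratings and the 3-to-10 level check are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Factors of the expanded scheme (Figure 2): who bears the impact of a loss.
FACTORS = ("own organization", "other organization", "individuals")

# Trust-phrased security factors of the trust-based scheme (Figure 3),
# mapped onto the CIA aspect each one translates.
TRUST_TO_CIA = {
    "trust that the information is kept private": "confidentiality",
    "trust that the information is maintained as is": "integrity",
    "trust that the information is available to those authorized": "availability",
}


@dataclass
class ClassificationScheme:
    """Security aspects (X axis) crossed with ordered levels (Y axis).

    `levels` runs from least to most severe; names are the organization's
    choice, so the scales used below are constructed for this example.
    """
    aspects: Tuple[str, ...]
    levels: Tuple[str, ...]

    def __post_init__(self) -> None:
        # Recommended scale size from section 2.4: between 3 and 10 levels.
        if not 3 <= len(self.levels) <= 10:
            raise ValueError("a scheme should use between 3 and 10 levels")
        if len(set(self.levels)) != len(self.levels):
            raise ValueError("level names must be unique")

    def rank(self, level: str) -> int:
        """Ordinal position of a level; a name outside the scale is rejected."""
        try:
            return self.levels.index(level)
        except ValueError:
            raise ValueError(f"unknown level {level!r}") from None

    def classify(self, ratings: Dict[str, Dict[str, str]]) -> Dict[str, str]:
        """Final level per aspect = highest rated level over the three factors.

        ratings[aspect][factor] -> level name. Every aspect must be rated for
        every factor; an incomplete sheet is an error, not a silent 'low'.
        """
        result: Dict[str, str] = {}
        for aspect in self.aspects:
            per_factor = ratings.get(aspect, {})
            missing = [f for f in FACTORS if f not in per_factor]
            if missing:
                raise ValueError(f"{aspect}: no rating for {missing}")
            result[aspect] = max((per_factor[f] for f in FACTORS), key=self.rank)
        return result

    def overall(self, classification: Dict[str, str]) -> str:
        """Asset-level label: the highest of the per-aspect classifications."""
        return max(classification.values(), key=self.rank)


# Traditional scheme: CIA aspects ranked by consequence (constructed scale).
CIA_SCHEME = ClassificationScheme(
    aspects=("confidentiality", "integrity", "availability"),
    levels=("low", "medium", "high"),
)

# Trust-based scheme: the same factors, but the aspects are phrased as trust
# and the scale ranks importance in trust instead of consequence.
TRUST_SCHEME = ClassificationScheme(
    aspects=tuple(TRUST_TO_CIA),
    levels=("some importance", "important", "critical"),
)


def classify_by_trust(trust_ratings: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify with the trust scheme, then report the result in CIA terms."""
    by_phrase = TRUST_SCHEME.classify(trust_ratings)
    return {TRUST_TO_CIA[phrase]: level for phrase, level in by_phrase.items()}


# Constructed ratings for a fictitious payroll register, filled in by a user.
SAMPLE_CIA_RATINGS = {
    "confidentiality": {"own organization": "medium", "other organization": "low", "individuals": "high"},
    "integrity": {"own organization": "medium", "other organization": "medium", "individuals": "low"},
    "availability": {"own organization": "low", "other organization": "low", "individuals": "low"},
}

# The same asset rated through the trust questions instead (constructed).
SAMPLE_TRUST_RATINGS = {
    "trust that the information is kept private":
        {"own organization": "important", "other organization": "some importance", "individuals": "critical"},
    "trust that the information is maintained as is":
        {"own organization": "critical", "other organization": "important", "individuals": "important"},
    "trust that the information is available to those authorized":
        {"own organization": "some importance", "other organization": "some importance", "individuals": "important"},
}


def demo_cia() -> Dict[str, str]:
    """Per-aspect classification of the sample asset with the CIA scheme."""
    return CIA_SCHEME.classify(SAMPLE_CIA_RATINGS)


if __name__ == "__main__":
    cia = demo_cia()
    print("CIA scheme:", cia, "overall:", CIA_SCHEME.overall(cia))
    print("Trust scheme, in CIA terms:", classify_by_trust(SAMPLE_TRUST_RATINGS))
```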


3 Method

The thesis intends to improve upon an already existing practice, the information classification of information assets that is done in order to proceed with the risk assessment process.

In order to achieve this, an exploratory approach has been used to clarify part of a research area that is not fully explored. An exploratory approach is connected to qualitative research in the sense that the research starts with a preliminary idea about the importance of a certain subject (David & Sutton, 2016). In the case of this study, the preliminary idea revolved around the fact that information classification is a complex process (Bergström, 2020). It can also be difficult to understand and it is not very well documented in guiding documents and frameworks (Bergström & Åhlfeldt, 2014).

However, conducting the process is necessary as it is a major input to the risk assessment process. This acted as a basis to the study, hence it explores if there are other possibilities in conducting the information classification in order to ease the comprehension as well as the inclusion of employees.

3.1 Selection of a research approach

There are different ways of conducting research, two of the most common ones are:

Inductive

The research does not start with a base of theory but instead uses a qualitative way of work in order to form concepts and theories around collected data, such as empirical observations. Such work is often explorative and attempts to create explanations of phenomena from the gathered data (David & Sutton, 2016; Woiceshyn & Daellenbach, 2018).

Deductive

The research starts with a base in theory and often uses a quantitative way of work with the aim of strengthening the understanding of a certain theory. Often times the flow of work starts in theory, a hypothesis is derived, the hypothesis is tested and lastly the theory is revised (David & Sutton, 2016; Woiceshyn & Daellenbach, 2018; Nola & Sankey, 2014).

In order to answer the research question, How can trust be used as a factor in the information classification process?, an inductive approach has been used. This is because the basis of the research question is not in theory, but rather in previous observations. The thesis follows a qualitative order of work and starts in empirical data rather than in set theories.

3.2 Research process

Figure 4: The Research-flow of the thesis

The research process was developed with the intention of creating a classification table based on trust rather than the CIA triad. The objective was to design the classification table based on feedback, which was an iterative process. Following the steps in Figure 3 this has been achieved.

3.3 A Qualitative Inductive approach

Given the characteristics of the research process, the research adopted a qualitative approach. The research aimed to study a real world problem, allowing for the testing of new concepts about an existing phenomenon as well as providing a means through which a particular practice can be evaluated; these are all parts of a typical qualitative study (Leedy & Ormrod, 2014). Further, a typical qualitative way of gathering data is through semi-structured interviews, where both past and present behaviour can be identified (Leedy & Ormrod, 2014).

3.4 Data Collection

The data collection was conducted by performing a literature overview and semi-structured interviews. The literature overview was necessary to get an overview of the subject as well as to identify current practices and previously identified problems with information classification as a method and a process. Based on this literature as well as a suggested modification of a classification scheme (presented in section 2.7) an interview guide was created. The interview guide contained questions that allowed for follow-up questions and discussion in order to understand and hear the experiences of the interview respondent. At the end of each interview, a test of a classic classification scheme as well as the proposed trust-importance classification scheme was conducted.

All the interviews were conducted digitally. If consent was given, the interviews were recorded and transcribed.

The data collected through interviews was analyzed through a thematic analysis. Such an analysis is fitting for qualitative data analysis and serves as a method for identifying, analysing and reporting themes within collected data (Braun & Clarke, 2006). This was deemed fitting for the purpose of the study.

3.5 Semi-structured interviews

Semi-structured interviews are fitting for research where some areas of a phenomenon are based on previous knowledge and where people's awareness of a subject is low; the method allows for the collection of opinions, values and thoughts, enriching a study with extensive data (Kallio, Pietilä, Johnson, & Kangasniemi, 2016). The thesis handles the subject of information classification, a complex and not very well documented subject, motivating the choice of the interview method (Bergström, 2020). Some positives of the interview method are its flexibility and adaptability, its ability to successfully enable reciprocity between the researcher and respondent, as well as that it results in rigorously collected data, one of the main factors that influence both the quality and trustworthiness of a study (Kallio et al., 2016; Kitto, Chesters, & Grbich, 2008). There are some negatives to semi-structured interview data collection that are important to be aware of. It is demanding both for the respondent and for the researcher. The semi-structured interview requires the interviewer to be smart, sensitive, poised and nimble as well as knowledgeable about the subject at hand (Adams, 2015). It is also important to understand that properly preparing an interview guide, conducting interviews, transcribing and conducting the analysis is a time consuming task (Denscombe, 2010; Adams, 2015). With these problems in mind, the positives still outweigh the negatives for this type of study, and it was decided that the semi-structured interview method was a good fit for the type of study being conducted.

3.5.1 The Interview Guide

The next step in the process was developing an interview guide that contained questions covering the main areas of the study. It is important to note that it is not a questionnaire; the questions stated are there as support for the conversation, not to be asked from top to bottom. The main categories used were in this case based on the CIA-Triad as well as information classification. Within each main area, sub-categories were created.

These mainly served the purpose of identifying what questions to potentially ask about what area as well as to make sure all of the areas were covered in the interview. Follow-up questions were created as examples of what to keep asking if the initial answer did not lead to another natural follow-up. Overall, the questions were asked with open endings inviting discussion; however, some questions are close-ended. This was done intentionally, as such questions can often be gateways to open-ended probing (Adams, 2015). An example from the interview guide is "Does CIA affect your everyday work?" The expected answer is a simple yes or no, followed by the question "Why is that?", which opens up for discussion and in-depth explanations from the respondent. Lastly, the interview guide was constructed using a language that seemed to match the respondents; including terms such as information classification did not seem to be a problem given that they were all information security professionals of some degree. The complete interview guide can be seen in Table 1.

Main Category | Sub-Category | Question | Follow-up Questions
Trust | General opinions regarding trust | What is trust to you? | How important is trust to you? In what way, and why, is it or is it not important?
Trust | General opinions regarding trust | How would you say that trust is created? |
Trust | General opinions regarding trust | What is trust based on? | Are there any parts that are needed for trust to exist?
Trust | General opinions regarding trust | Is trust something that can only exist between individuals? | If yes: Can you explain why that is? If no: Can you explain why that is? In what way?
Trust | General opinions regarding trust | Is trust important in your work? | Is it something that is needed in order for you to conduct your work? If yes: Can you explain why? If no: Can you explain why it isn't?
Trust | High & low levels of trust | Do you have an example of a situation where a high level of trust is needed? | Why is / Why isn't a high level of trust needed?
Trust | High & low levels of trust | Do you have an example of a situation where a low level of trust is needed? | Could a similar type of situation arise when you place trust in a system?
CIA | General opinions and views of CIA | What is Confidentiality, Integrity and Availability to you? | Is it something that is important to you? Why is it / Why is it not important to you?
CIA | General opinions and views of CIA | Does CIA affect your everyday work? | In what way? Why do you think it does not?
CIA | General opinions and views of CIA | Do you find the concepts complicated? | Why do you think that is?
CIA | General opinions and views of CIA | How would you connect the CIA to information security? |
CIA | General opinions and views of CIA | Is it something you use in everyday work? | Can you explain how? Why do you think you do not?
CIA | Communicating using CIA | Is CIA something you use when communicating with customers and/or other employees? | If yes: Can you explain in what way? If no: Why do you think that is?
CIA | Communicating using CIA | With CIA in mind, do you think using those terms can affect the communication with people that are not savvy in the subject of information security? | In what way?
Information Classification | | What is information classification to you? |
Information Classification | | What do you find to be the most important with information classification? |
Information Classification | | What parts do you think should be included in a classification model? |

Table 1: The interview guide

3.5.2 The Interview Respondents

The candidates for the interviews were contacted through e-mail with a short presentation of the thesis as well as what purpose the interview would serve for the thesis. Lastly, it was explained that further explanation would be provided if they were interested in participating.

Different roles within one organization were contacted in order to get some diversity in opinion as well as different views on the topics of discussion. However, all potential respondents are professionals within the information security field and familiar with or very proficient in the topic of information classification. The list of respondents willing to participate can be found in Table 2.

3.5.3 Booking Interviews

The interviews were booked through contacting an organization that provides information security consultancy services. The organization in question will be known as Security Org. in this thesis. Security Org. provided four interview respondents with different positions in the company. This was beneficial to the study, as more than one position gave different insights into the questions asked, while all respondents were still professionals within the field. They were all contacted through e-mail, and interviews were booked with time slots spanning one hour each.

Work-title | Length of Interview | Date
Business Developer | 60 Minutes | 2021-03-24
Senior Information Security Consultant | 1 Hour 12 Minutes | 2021-03-25
Senior Consultant / IT-Archivist | 28 Minutes | 2021-03-26
IT-Archivist | 40 Minutes | 2021-03-26

Table 2: Interview Respondents.

3.5.4 Conducting the Interviews

The interviews were all conducted online. Each interview started with a short presentation of the researcher as well as the subjects the interview would handle. Some ethical points were then stated:

• The interview will only be recorded with your consent.

• Your name and the name of the organization you work for will not be mentioned by their actual names in the thesis.

• Identification of you as a respondent will be done through your position in your organization.

All respondents gave their consent to be recorded, which allowed for a higher focus on the interview from the researcher's point of view; this was beneficial as more focus could be put on the answers and on formulating follow-up questions. The interviews followed the themes stated by the interview guide, however not necessarily in that order. Depending on the subject being discussed, follow-up questions sometimes led to jumping between the areas stated in the guide. This is typical of semi-structured interviews, as the researcher is mostly there to provide the thematic framework while the respondent leads the subject of discussion (Holme, Solvang, & Nilsson, 1997; Adams, 2015). At the end of each interview, a short test of two different models was conducted with the purpose of observing the process of information classification done by professionals. The two models used were Figure 5 and Figure 6. Figure 5 is the model presented in chapter 2.6 and is a classification scheme that is based on trust and importance. Figure 6 is a classification scheme that is done according to the standard recommendations from ISO.

Figure 5: Model based on trust and importance

Figure 6: Model based on CIA and consequence

The purpose of doing these observations was to gather data regarding understanding of the model based on traditional security reasoning and the ISO standard as well as the proposed model based on trust and importance. The respondents were asked to explain their reasoning while conducting the classification and to "think aloud" to further explain what aspects they consider in the process. If the respondent did not understand part of a model or had other questions, it was noted as well as explained. All respondents did finish their classifications. In order to avoid the first model used influencing the decision-making of the second one, the first model used was switched between interviews. For respondents 1 and 3 the CIA-Consequence model was the first one introduced, while for respondents 2 and 4 the trust-importance model was the first one introduced.

3.5.5 The Transcription process

Once the interviews were conducted and recorded, the transcription process began. This was done not only to copy the recorded data and convert it into a readable form, and because it is an obligatory part of research, but also because it acts as a way to bring the researcher closer to the data and allows for an initial analysis (Denscombe, 2010). During the transcription process a verbatim approach was used. Such an approach allows for a detailed transcription while ignoring restarted sentences, sounds like "uh" and "hum", as well as other noises of that nature (Halcomb & Davidson, 2006). This choice was deemed necessary as transcribing every sound in the interviews would not be feasible to conduct in a timely manner, nor would it contribute a substantial positive effect to the thesis. Parts of the interviews handled subjects that were of no interest to the study; these parts were not transcribed.

3.6 Thematic Analysis

The thematic analysis is a method of identifying themes within collected qualitative data; this is done through identifying, analysing and interpreting patterns within the data (Clarke, Braun, & Hayfield, 2015). The steps proposed by Vaismoradi, Turunen, and Bondas (2013) and Braun and Clarke (2006) were followed:

• Familiarising with data - Done through transcribing as well as rereading and noting down ideas that come up during the process. During this step, the ideas for themes followed the interview guide as the conversation followed the different general areas in it. While transcribing as well as re-reading the transcript, sentences of special interest were noted down and commented.

• Generating initial codes - Coding the interesting features found in the data as well as systematically, across the whole data set, collecting and combining data that is relevant to each code. This was done by picking interesting sentences from the transcripts as well as taking note of interesting areas of conversation. The sentences were coded, meaning quotes were noted down and codes were added; part of this is shown in Figure 7. In Figure 7 the transcript has been translated from the language used in the interview, Swedish. This was done to show how the process worked in the analysis; however, the native language was used while conducting the analysis in order not to lose meanings or suggestions in the translation. These notes and sentences were then placed in different categories.

Figure 7: The Coding Process

• Searching for themes - Collecting and combining the initial codes into potential themes as well as collecting the data relevant to each theme. This was done by expanding on the previously generated categories and instead stating three initial themes: Trust and its connection to the CIA, Using CIA to communicate, and Information Classification - Important parts. The previously found interesting codes were placed in the theme that was deemed fit. It is important to note that a theme is not a result of found repetitions of initial codes, but rather something the researcher finds of interest in regard to the research question (Braun & Clarke, 2006).

• Reviewing themes - Making sure the themes work in relation to the extracted initial codes as well as the data set. Through doing this, the material became easier and more comprehensible to read and categorise into the different themes. Some previously coded sentences from the transcripts were split and then put in different themes, as the previous sentence was applicable to more than one theme.

• Defining and naming themes - A continuous, ongoing analysis that is done to refine the specifics of each theme as well as the overall story that the analysis tells. Clear definitions and names for the themes are generated. These are similar to the areas in the interview guide, as that contains the initial structure of the data collection.

The themes generated here are based on the definitions made in the analysis. A final iteration was done to check the names of the themes as well as their contents; additionally, the placement of codes and quotes was checked to make sure it was satisfactory. The number of themes presented is three; this is done in order to create rich themes with thorough backing from the empirical data and to avoid the risk of presenting many thin themes.

• Producing the report - The final analysis, where vivid and compelling extracts are selected that relate back to the research question. This is presented in the results part of the thesis.

The thematic analysis allows for a deeper understanding of the collected empirical data.

It also allows for further elaboration and a design iteration of the previously shown Trust-Importance model (Figure 3).

3.7 Ethics

When conducting a study, research ethics is an important subject to keep in mind. According to All European Academies (2017), good research ethics consists of the four principles of reliability, honesty, respect and accountability. Additionally, according to Vetenskapsrådet (2002), there is a basic protection for individuals that can be divided into four main requirements, concerning information, confidentiality, usability and consent for the individual.

During the different processes included in the creation of this thesis, the different principles and requirements have been considered and applied. The requirement of information has been achieved through explaining the purpose of the conducted interviews to respondents. This included a short introduction to the work being done, a very brief introduction to the interview as well as a statement on how their information was to be used in the thesis. Lastly, it was stated that neither their name nor the organization they represented would be mentioned by name in the report. This was appreciated and agreed upon by all respondents.

Included in the recorded interview, the first question asked makes sure the respondent is OK with the interview being recorded; this applies the requirement of consent. As mentioned, the handling of the information related to the respondents was explained to them. This included information that their work titles would be used to identify them in the thesis. This decision was made because their work titles matter as context for the interviews: different views on information classification provided a richer image of its important parts, of views on trust and of how it connects to the CIA-triad.

However, neither their names nor the organization they represented is mentioned, which satisfies the confidentiality requirement.

The honesty-requirement has been fulfilled through being transparent in all methods used as well as all gathered data and the intent on what to do with said data.

3.8 Trustworthiness

Credibility, truth, consistency, as well as applicability are concepts often used together with trustworthiness when describing validity in qualitative research (Brink, 1993). In order to achieve qualitative validity, or trustworthiness, it is important to conduct activities that lead towards that goal. The basis of trustworthiness lies in the accuracy of the findings in regard to the researcher, participant and reader (Creswell & Miller, 2000).

The strategies used in this thesis are peer debriefing and external auditing; these are processes where the study is reviewed by parties other than the researcher (Janesick, 2007).

In order to achieve trustworthiness in the thesis, transparency is important, especially in the method part of the thesis. The choices made during the process are described in detail as well as justified; this allows for easy repeatability if the study is to be done in another context.

The data collection was done by conducting semi-structured interviews, where each respondent was introduced to the study and informed of how their contribution would be used towards the results and analysis of the thesis.

The thesis process includes seminars where other students and a supervisor review and check the work done up to the point of the seminar. This makes sure that the thesis stays on track and abides by the necessary requirements.

4 Analysis and Results

This chapter presents the themes discovered in the thematic analysis of the collected empirical data. In the analysis, the statements made by interview respondents are categorized according to the themes that resulted from the analysis. The themes handle statements regarding definitions of trust, trust connected to the CIA-triad, as well as views and opinions on information classification and which parts of it are important.

The interviews were conducted in Swedish, however, the quotes below are translated for readability.

4.1 Views on trust and its connection to the CIA

All of the respondents had a slightly different definition of what trust is to them; however, the main aspect that all definitions shared is that trust includes one party's willingness to put faith in another individual, function or item to do something, not to break an agreement, or to stay continuous. The business developer explained that there can be trust in more than one way, both in information and in colleagues and persons. It was explained as:

When I help customers trust is the connection to integrity and so on, how much can I trust that this information that I am partaking in or am receiving is correct and not altered, and what faith do I put in it? And if we turn around and talk about colleagues then trust is, if I put myself in the role of a project leader, the ability to have faith in that the colleagues I have do what they are supposed to do as well as to have trust in that they will do their work in the best possible way.

Other descriptions included the perspective of agreements, and that even if the agreement should fail, there should still be an honest explanation. Lastly, the importance of willingness was mentioned:

That you from an agreement can assume that something results in what you agreed upon, and if that is not the case not to lie about it. - IT-Archivist

One party's ability to put faith in another party or function in the form of quantity or quality. - Senior Information Security Consultant

The descriptions made can be applied to the definition given by Cambridge Dictionary (2021): "To believe that someone is good and honest and will not harm you, or that something is safe and reliable". This refers to both trust in information and in other people.

All of the respondents were clear about the divide between having trust in items and in people. In all conducted interviews, the discussions revolved around trust in people and trust in things, in most cases information, and how the trust is different between the two. According to the respondents, trust between individuals, colleagues and customers, especially in the workplace and depending on the context of the situation, can rely on two main factors:

• The customer's ability to put trust in the professionalism of the consultant, that they would handle all information, sensitive and public, with care and perform what is promised through some sort of agreement.

• The ability to have faith in that colleagues conduct their tasks to the best of their ability to reach a common goal.

It is also deemed important that without trust in the workplace, between colleagues and customers or clients, processes and transactions would become more complicated as well as less effective.

If you can trust each other it makes transactions between people and things more effective. If you assume that you can’t trust anything things will be far more cumbersome and complicated. - IT-Archivist

The trust in information differs between respondents. The Business Developer and the Senior Consultant / IT-Archivist considered information to have a very close connection to integrity and confidentiality. The Senior Information Security Consultant argues that trust in information contains the whole CIA-triad and that if one is to do anything within information security, it is to create trust in information.

"In my work and when I help customers then trust can be seen as the connection with integrity. How much can I trust the information I'm looking at or receive is correct and not altered, and what degree of trust do I put in it?" - Business Developer

Confidentiality has a lot to do with trust. That you have to understand what it is you are handling and not spread it... Integrity, when thinking about completeness, has a lot to do with trust. It should be able to be trusted. - Senior Consultant / IT-Archivist

"If connecting trust to Information Security the trust lies in the quality of the information. That it's correct, available and that there is some sort of quality-protection of the confidentiality that often surrounds information or a task..., Within information security, it (trust) is what is important, it's the be-all end-all" - Senior Information Security Consultant

There is different reasoning around how the connection between the CIA-Triad and trust takes form; however, there is consensus that the connection exists. While confidentiality and integrity are the first factors that come to mind for most respondents, availability is also mentioned as an important factor.

4.2 Using CIA to communicate

When asked about the concepts of the CIA-triad, all respondents had the idea of it belonging to information security and information classification, and that the words of the CIA-triad are ones that they often have to explain or replace when talking with customers and clients. The Business Developer explained the following:

You have to ask the right questions. For one, talking about if this is secret or sensitive information if it leaks? Yes, or no. Then you might have to value how sensitive it is, and is it important that this information is always within reach and so on. /.../

When asked: So you have to reword it (The CIA-Triad)?

Oh Yes!

The reason behind this is that organisations use terms and concepts in different ways; one example that was given was the use of the word document:

If I arrive at a new customer and mention the term document it can mean a word-document for one person, a collection of 40 appendixes and one missive for another and for a third person it could simply be a paper. It is very important that you agree on the meaning of certain terms - Business Developer

The Senior Consultant / IT-Archivist stated that it depends on who you work with and whether they are at all invested in the process of information security or classification, and that part of what the person does involves explaining terms:

If you are a system administrator and enter a classification-workshop... This is not something the people I meet think about all the time (referring to the information classification). So a lot of what I do also involves explaining why I do things and why I use the terms that I am using.

The IT-Archivist stated that the terms used in the CIA-triad have a strong connection to information classification processes, but that the terms change depending on what area one works in:

Well, confidentiality is a term that does not appear a lot in archiving-contexts, instead you talk about secrecy.

The Senior Information Security Consultant stated that the CIA terms are not used as much as one would think and continued to explain that he believes that is the wrong way to go initially. Further, it is explained that the starting point has to be the information valuation; that is where the information can be put into context and the realization of why it is of value can be achieved.

No, surprisingly less than you think. When I arrive at customers that use the terms a lot (CIA-Triad) I usually tell them that they are on the wrong track...

I've done this for a lot of years and I know one thing. There is no point in classifying Confidentiality 1 to 4, you will get a C2, I2 and A2, and what do you do with that?

The general opinion of the respondents is that there is a need to translate the terms of confidentiality, integrity and availability to both customers as well as colleagues depending on what area they work in. All of the respondents mentioned scenarios where they had to use different words or simply provide an explanation for what they meant when using the words stated in the CIA-Triad.

4.3 Information Classification - Important parts

The general opinion extracted from the gathered data is that information classification is important for organisations, independent of how large or small the organisation is. The reasoning about the different parts of information classification and what should be included in a model differed, however. According to the Business Developer, the most important parts are an information object, an owner or carrier of that information, as well as a classification that is made through the use of CIA:

There's information-objects and the scale of it, then there's the carrier of information. Where does this information exist, this is often done within the borders of what we call information security... So carrier of information, information object and a classification of the object... There's always the variants of CIA but then you need a classification-system that you agree with the customer about. Either high, medium, low or a scale of 1-5.

The Senior Information Security Consultant had another perspective on the important parts of the classification and put more focus on the understanding of why, as well as the importance of having done a complete asset inventory:

First you are to value the information, but first it’s important to create an inventory of it, it’s far from always that has been done fully...

When asked about important parts of a classification model:

Some components are needed: You have to understand what the purpose is, what is it that we want to achieve? That it's an asset inventory and a measurement as well as a valuation of this inventory that ends with a final variable or product that we now have a valuation of our information.

Further, the Senior Information Security Consultant explained the importance of different levels of classification and, more importantly, the way the different levels are named. The following is a comment on the CIA-Consequence model (Figure 6):

This model will run into issues if it is used in an organisation... The worst case scenario in a business with people is that someone dies. We’ve handled this information in a way which caused someone to lose their life. That’s the worst case, another worst case is to go out of business. That is not severe (This is the word used for the highest part of the scale in Figure 6), instead devastating would be better suited. If that happens it’s over, goodnight! - Senior Information Security Consultant

In order to help organisations understand how to classify the information the subject of including examples was brought up several times during the testing of models.

If something happens to this information, if it loses its confidentiality, integrity or availability. Will that cause a significant consequence? Yes, but will it be very significant? No? How can we know what significant and very significant is? That's the question, and you have to help the people who do this with that. You have to give them examples. - Senior Information Security Consultant

It’s always much easier to work from examples in my experience - Senior Consultant / IT Archivist

For non-expert users I think it’s necessary to have the descriptions/examples - Senior Consultant / IT Archivist

Other opinions regarding both models were brought up as well. One example was the vague description of the information type, which in the case of the model testing was "Financial data from a customer":

I missed more specific information about the information type and my relationship to it - IT Archivist

Often times there's more information, but that includes the flow of information and so on, so that's a bit of a different aspect. - Business Developer

A final common opinion between the respondents concerned the way the consequence levels are ordered. Most respondents started the initial classification by ordering the consequences with the lowest at the bottom of the model and the highest consequence at the top; this is according to their standard practice in the field.

Wait.. You've flipped this one, I'm reading it upside down... I'm very used to it being the other way around, the lowest classification at the bottom and the most severe one at the top and now I see that this is the other way around. - Business Developer

I’m used to thinking the other way around. I would put severe at the top, then serious, and so on downwards. - Senior Consultant / IT Archivist

Lastly, it is stated that it does not matter in which way the scale is oriented; however, it caused confusion simply because of the standard practice the respondents are used to.

In conclusion, some key important parts related to the information classification process, according to the respondents, are:

• Understanding the purpose of the process

• Including the information object

• Owner/Carrier of information

• Classification Scale

• Having a complete asset list of information assets before starting

• Clear, hard-hitting words used in the explanation of classification levels

• The use of examples is important

• Context-information to the information being classified

4.4 A Re-Iteration of the Trust-Importance model

Taking the conclusive list just stated, which contains some key important parts related to the information classification process according to the respondents, the trust-importance model can be modified in a number of ways. The applicable suggestions that have been added to the model presented as the trust-importance model (Figure 3) are the following: including the information object, including the owner/carrier of information, having a classification scale, using clear, hard-hitting words in explanations of levels, as well as the use of examples within the model.

In order to add the information object and the information owner/carrier, a field has been created at the top of the model. This allows for an initial entry of what information object is to be classified and allows for some context to be added by entering who owns or who is responsible for the information. An example of both has been included in order to further assist users who are to use the model (Figure 8).

Figure 8: Adding the information object and owner/carrier

(31)

Included from the initial Figure 3 are the translations of the CIA-triad, shown below the C, I and A cells in Figure 9 below. Along with the inclusion of information owner/carrier and the information object, this allows more context to be provided than in the previously suggested model (Figure 3). The security measures are now stated as the translations of the CIA-triad to trust, and the classification scale is based on how important the trust is in the translated security factor. Figure 9 is the top part of the new model, including directions on who the classification scheme applies to, which trust statement acts as a translator for which CIA-triad concept, who the owner/carrier of the information is, as well as the information object.

Figure 9: Top part of re-iterated classification scheme

Including a classification scale is done inherently by using a classification scheme; however, respondents expressed the importance of including hard-hitting words that allow users to distinguish what is the highest level of the scale and what is in the middle. Thus, the name of each level has been adjusted according to the suggestions of the Senior Information Security Consultant. Examples have also been included in each level of classification for each trust factor. This is done in order to help users gain some context as to what each level implies, thus allowing for easier use of the model and a way of identifying the levels of classification, as can be seen in Figure 10.

Figure 10: Adding new phrases to classification and examples of classification levels

Combining the proposed changes of Figures 8, 9 and 10 results in the creation of a re-iteration of the previously proposed trust-importance model. As can be seen in Figure 11, the re-iterated version contains areas where the information object and its information owner/carrier are stated, a translation of the CIA-triad, hard-hitting words present in the classification scale, as well as examples stated in each classification cell.

Figure 11: A re-iterated version of the trust-importance model

It is difficult to include all important areas of the information classification process in a classification scheme, nor is that the purpose. The purpose is to enhance the earlier suggestion of a translation of the CIA-Consequence model to a Trust-Importance one in order to ease the comprehension of it. These additions to the model include the key important parts mentioned by respondents and that are applicable to the model.

Other important parts, such as the understanding of the process, while important, have to be included in another part of the information classification process and not in the classification scheme.

4.4.1 Using the model

Using the re-iterated trust-importance model (Figure 11) is to be done in a similar sense as using a standard classification scheme. The information object as well as the information owner is identified and noted in the corresponding field. In collaboration with the information owner (and potentially the user, if that is another person) a discussion
