Models, methodology and challenges within strategic information security for senior managements

Sammanfattning: The work in this thesis is based on an interest for strategic information security, and in particular business continuity planning, in combination with own experiences from strategic management of corporations. Information security policy- and education, practice and awareness issues have also been part of my focus. Strategic information security is the part of information security that senior managements (top managements) should own and care for, like for any other strategic area in an organization. One problem is that this is often not the case as the senior management attention and awareness is focused on other areas instead. The work has mainly addressed explanatory models and methodology to explain what strategic information security including business continuity planning is to senior management teams and a training concept. It has also high-lighted challenges from current and future technology, and terminology problems affecting business continuity planning in a direct or indirect way. The purpose of the thesis was broken down into six objectives matching identified knowledge gaps. These resulted in the research question "How to improve the senior management own and care process for strategic information security, and in particular business continuity planning?" The results from the empirical studies are two models and one methodology to be used when targeting strategic information security issues like modeling and implementations of business continuity planning, security policies and security education, practice and awareness during the own and care process. A further result is a training concept for organizational crisis management. In addition, the results also indicate challenges that need to be addressed during work with security policies and business continuity planning. The thesis further contributes with a framework for business continuity planning guiding how the models and methodology, together with the training concept and challenges should be used together in the own and care process, to resolve problems and achieve organizational change. The contribution is of a general nature and is suitable to use in both private and public sector organizations.