All organisations possess large amounts of information. However, without knowledge of how information is to be classified, there is a risk that information will fall into the wrong hands. Erik Bergström is a research student in the field of information technology, and he has developed a method that aims to make it easier for organisations to classify their information.
In today’s digitalised world, information and information systems have become critical assets for companies and organisations. It is therefore important for information to be protected, to ensure it does not fall into the wrong hands. Information must be kept secure in order to protect the organisation, but employees, customers and partners can also be affected by a failure to adequately protect information.
Part of the work in making information secure involves classifying it correctly. Erik Bergström is a research student at the University of Skövde’s School of Informatics, but otherwise works at the School of Engineering at Jönköping University.
– There are existing standards for the description of information classification, but the most common standards in this field only state that information must be classified, without explaining how. Many of the actors I’ve spoken with have found it very difficult to understand exactly what they should do. There was an expressed desire to be able to reduce the uncertainty surrounding how classification decisions should be made, explains Erik Bergström.
Looked at the public sector
Much of the basis of Erik Bergström’s research comes from Sweden’s public sector. Among other things, he has studied a couple of municipalities and one regional council, and has been in contact with 245 Swedish government agencies.
At an early stage of his research, he observed that different employees within the same organisation sometimes valued the same type of information differently. This is a serious issue, as it can result in information not being correctly protected. Erik Bergström has therefore developed a method that, among other things, graphically describes how information is to be classified, with additional instructions for how it can be implemented within an organisation.
– In simple terms, information security involves protecting the information that exists within an organisation. What I have done provides the organisation with support to facilitate the implementation of information classification within their work.
Bringing order to the literature
As a field of research, information security is quite large, and many people have made a contribution concerning how information should be classified, but, according to Erik Bergström, the available literature isn’t particularly well organised.
– I have attempted to bring some order to the literature within this field by reviewing and thematising problems and solutions.
Another result is that the method developed by Erik Bergström has been constructed upon design principles that others can use as a basis for the development of their own methods for information classification.
– Information security is a complex issue, and partly involves making it as good as possible and trying to keep up as best one can. My ambition is not necessarily to solve all the problems surrounding information classification, but to at least help and make it easier for organisations to manage their information better than they have done before.