Fredrik Karlsson

Örebro University | oru · School of Business

Professor

About

Publications: 82
Reads: 13,105
Citations: 1,170
Additional affiliations
August 1996 - present
Örebro University
Position
  • Professor in Informatics

Publications (82)
Chapter
Today, many business processes are propelled by critical information that needs safeguarding. Procedures on how to achieve this end are found in information security policies (ISPs) that are rarely tailored to different target groups in organizations. The purpose of this paper is therefore to propose a conceptual model of policy components for soft...
Article
This paper investigates the use of cloud services in the public sector and management of information security challenges in the procurement of such services. The findings are based on an exploratory approach that included a systematic literature review and a survey among the public agencies and municipalities in Sweden. The literature review is use...
Article
Public organisations are starting to show an interest in automated decision-making (ADM). So far, existing research focuses on the governmental perspective on this phenomenon. Less attention is paid to citizens’ views on ADM. The aim of this study is to provide empirical insights into citizen awareness of and beliefs about ADM in public-sector serv...
Article
Given that there are an increasing number of information security breaches, organizations are being driven to adopt best practice for coping with attacks. Information security standards are designed to embody best practice and the legitimacy of these standards is a core issue for standardizing organizations. This study uncovers how structures at pl...
Article
Purpose This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance...
Article
When end users have to prioritize between different rationalities in organisations there is a risk of non-compliance with information security policies. Thus, in order for information security managers to align information security with the organisations’ core work practices, they need to understand the competing rationalities. The Value-Based Comp...
Chapter
In this chapter, we explore different types of research contributions and research implications. We explain why such a distinction can be useful when discussing research outcomes both when crafting and when evaluating manuscripts for publication. By taking an incremental view of knowledge development, we identify three types of research contributio...
Article
Despite the importance of inter-organisational information sharing (IOIS) in the public sector, such endeavours often fail. Existing research has shown that the values held by collaborating organisations are one important factor affecting these kinds of initiatives. However, research has sought only to a limited extent to address how value conflict...
Article
Purpose The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations...
Chapter
Full-text available
Summary An increasing number of public authorities are introducing automated decision-making, which means that a computer makes decisions instead of case officers and investigators. This chapter examines citizens' attitudes towards increasing automated decision-making in public authorities. The chapter's analyses show that a majority (64 per cent) consider that it is a very...
Article
Full-text available
Information security standards are influential tools in society today. The validity claim of standards is based on what is considered “best practice.” We unveil the negotiations that take place when “best practice” is constructed during standard development. By using discourse analysis, we investigate how power operates in national and internationa...
Article
In this paper, we motivate, devise, demonstrate, and evaluate an approach for the research-based development of information systems development methods (ISDMs). This approach, termed “method engineering as design science” (ME-DS), emerged from the identified need for scholars to develop ISDMs using proper research methods that meet the standards of...
Article
Full-text available
Information security is a hot topic nowadays, and while top-class technology exists to safeguard information assets, organizations cannot rely on technical controls alone. Information security policy (ISP) is one of the most important formal controls when organizations work with implementing information security. However, designing ISPs is a challe...
Article
Full-text available
Purpose The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about. Design/methodology/approach The results are based on a literature review of ISP manage...
Chapter
Full-text available
Automated decision-making is increasingly being introduced in the public sector. This means that computers replace case officers as decision-makers. Several of the matters decided through automated decision-making concern citizens. This chapter examines whether citizens are aware of this change and how they believe decisions change when...
Chapter
[This is an extended version] Organizations today adopt agile information systems development methods (ISDM), but many do not succeed with the adoption process and in achieving desired results. Systems developers sometimes fail in efficient use of ISDM, often due to a lack of understanding the fundamental intentions of the chosen method. In many...
Book
This book constitutes the refereed proceedings of the 34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019, held in Lisbon, Portugal, in June 2019. The 26 revised full papers presented were carefully reviewed and selected from 76 submissions. The papers present novel research on theoretical and practica...
Conference Paper
Organizations today adopt agile information systems development methods (ISDM), but many do not succeed with the adoption process and in achieving desired results. Systems developers sometimes fail in efficient use of ISDM, often due to a lack of understanding the fundamental intentions of the chosen method. In many cases organizations simply imita...
Technical Report
The use of public cloud services as an operating model for providing organisations with IT support is increasing in our society. When public actors shift to cloud services, it means that functions and services critical to society are provided in this way. This creates new conditions regarding how functions, services and the information that is handled shall...
Article
Today, public organisations need to share information in order to complete their tasks. Over the years, scholars have mapped out the social and organisational factors that affect the success or failure of these kinds of endeavours. However, few of the suggested models have sought to address the temporal aspect of inter-organisational information sh...
Book
The need to protect and manage information securely increases with the availability of information in the society. Technological security solutions have become increasingly better and the attempts from unauthorized individuals to access information are being transferred, from gaps in the technology and software to the weak points in the social syst...
Article
Purpose This paper investigates two different types of compliance measures; the first measure is a value-monistic compliance measure, while the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives. Design/methodology/approach A survey was developed using two sets of items to measure compliance....
Article
To address the “insider” threat to information and information systems, an information security policy is frequently recommended as an organisational measure. However, having a policy in place does not necessarily guarantee information security. Employees’ poor compliance with information security policies is a perennial problem for many organisati...
Article
Purpose The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about. Design/methodology/approach The results are based on a literature review of inter-organisational information securit...
Conference Paper
Existing research provides frameworks for analysing the rationale behind engineering methods and how this rationale matches the rationale of individual project members. As methods are used in groups, this raises questions about how to study method rationale on an aggregated project level. We propose an elaboration of method rationale theory to enabl...
Article
Full-text available
Employees’ poor compliance with information security policies is a perennial problem. Current information security analysis methods do not allow information security managers to capture the rationalities behind employees’ compliance and non-compliance. To address this shortcoming, this design science research paper suggests: (a) a Value-Based Compl...
Article
Full-text available
Purpose The purpose of this paper is to examine the challenges that arise when introducing an electronic identification (eID) card for professional use in a health-care setting. Design/methodology/approach This is a case study of an eID implementation project in healthcare. Data were collected through interviews with key actors in a project team a...
Research
Full-text available
The purpose of this study is to evaluate Swedish terminology in the field of information security, focusing on questions of target groups and basic concepts. This report presents target-group strategies for ongoing terminology work based on a case study in which experts from different professional categories were asked to define a set of basic...
Article
Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about. Design/methodology/approach – Results are based on a literature review of information security culture research published between 2000 an...
Conference Paper
Employees’ poor compliance with information security policies is a perennial problem for many organizations. Existing research shows that about half of all breaches caused by insiders are accidental, which means that one can question the usefulness of information security policies. In order to support the formulation of practical, from the employee...
Conference Paper
The “software crisis” is still a prevailing problem to many organizations despite the existence of advanced systems engineering methods, techniques for project planning and method engineering; systems engineering projects still struggle to deliver on time and budget, and with sufficient quality. Existing research stresses that time leakage has a lever e...
Conference Paper
End user development has grown in strength during the last decades. The advantages and disadvantages of this phenomenon have been debated over the years, but not extensively from an information security culture point of view. We therefore investigate information security design decisions made by an end user during an end user development project. T...
Article
Full-text available
Requirements engineering is a key activity in systems development. This paper examines six systems development projects that have used end user development (EUD) as a requirements engineering technique for communicating across social worlds. For this purpose, we employed the theoretical lens of design boundary object in order to focus on functional...
Article
Full-text available
Purpose – Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security. Design/methodology/approach – This research was carried out as a longitudinal case study at...
Article
Organizations that implement a company-wide method to standardize the way that systems development is carried out still have a need to adapt this method to specific projects. When adapting this method the end results should align with the basic philosophy of the original method. To this end, goal-driven situational method engineering has been propo...
Article
Context Method engineering approaches are often based on the assumption that method users are able to explicitly express their situational method requirements. Similar to systems requirements, method requirements are often vague and hard to explicate. In this paper we address the issue of involving method users early in method configuration. This is...
Conference Paper
Full-text available
Today there is an increased interest in user participation in development of public e-services, since it is expected to bring similar value as it has done in other types of systems development. Existing research, however, has shown that introducing user participation to public e-service development is associated with a number of challenges. In this...
Chapter
One of the problems highlighted within the area of information security is that international standards are implemented in organisations without adopting them to special organisational settings. In this chapter the authors analyse information security goals found in hospital settings. They found that the CIA-triad fails to cover organisational spec...
Article
Full-text available
Method configuration is a specific type of Method Engineering (ME) that takes an existing organization-wide Information Systems Development Method (ISDM) as its point of departure. Existing assembly-based ME approaches are not well suited to this task. As an alternative, this article suggests a metamethod approach to tailoring organization-wide ISD...
Chapter
Method configuration is a specific type of Method Engineering (ME) that takes an existing organization-wide Information Systems Development Method (ISDM) as its point of departure. Existing assembly-based ME approaches are not well suited to this task. As an alternative, this paper suggests a metamethod approach to tailoring organization-wide ISDMs...
Conference Paper
Full-text available
New technology means new ways of both developing, providing and consuming services. In the strive for government organizations to build and maintain relationships with its citizens, e-presence is highly important. E-services are one way to go, and it has been argued that user participation is an important part of developing said services. In this p...
Conference Paper
Full-text available
This paper presents an Actor Network Theory (ANT) analysis of a computer hack at a large university. Computer hacks are usually addressed through technical means thus ensuring that perpetrators are unable to exploit system vulnerabilities. We however argue that a computer hack is a result of different events in a heterogeneous network embodying hum...
Chapter
Research has shown that traditional education in systems development has its limitations. This chapter draws on recent research on a component-based view of systems development methods. The aim is to explore the impact of applying a method rationale perspective during method teaching with regards to student’s abilities to reason about the suitabili...
Chapter
Full-text available
Systems development methods (or methods) are often applied in tailored version to fit the actual situation. Method tailoring is in most of the existing literature viewed as either (a) a highly rational process with the method engineer as the driver where the project members are passive information providers or (b) an unstructured process where the sys...
Article
The Method for Method Configuration (MMC) has been proposed as a method engineering approach to tailoring information systems development methods. This meta-method has been used on a variety of methods, but none of these studies have focused on the ability to manage method tailoring with the intention to promote specific values and goals, such as a...
Article
Full-text available
Method configuration is a specific type of Method Engineering (ME) that takes an existing organization-wide Information Systems Development Method (ISDM) as its point of departure. Existing assembly-based ME approaches are not well suited to this task. As an alternative, this article suggests a metamethod approach to tailoring organization-wide ISD...
Conference Paper
The Method for Method Configuration (MMC) has been proposed as a method engineering approach to tailoring software development methods. This paper evaluates MMC during three software development projects where it was used to tailor eXtreme Programming (XP). The study has been justified by the need to complement earlier evaluations of MMC and provid...
Conference Paper
Full-text available
Group development has been proposed as a way of improving quality in end user development. Earlier experiments have shown promising results on error rates. However, these studies have been carried out on students, often, in laboratory settings. This study reports on a field experiment on group development during spreadsheeting. Experienced business...
Conference Paper
Full-text available
The need for method tailoring is widely accepted in the field of information systems development methods. Today much attention has been devoted to viewing method tailoring either as (a) a highly rational process with the method engineer as the driver where the method users are passive information providers, or (b) as an unstructured process where t...
Conference Paper
Tailoring systems development methods is a challenge. Both the research of method engineering and method-in-action have put much effort into this issue. State-of-the-art Computer-Aided Method Engineering tools for situational method engineering often require specific competences in meta modelling languages. Together with the tool investments they...
Conference Paper
Full-text available
Although the Method Engineering (ME) research community has reached considerable maturity, it has not yet been able to agree on the granularity and definition of the configurable parts of methods. This state of affairs is causing unnecessary confusion, especially with an ever increasing number of people contributing to ME research. There are severa...
Conference Paper
Full-text available
There appear to be two schools of information systems development methods research that largely pursue their own agendas without many cross-references. On the one hand there is the method engineering research and on the other hand there is the method-in-action research. There seems to be much to be gained from integrating these two schools, develo...
Article
Full-text available
The complex and demanding business of developing information systems often involves the use of different systems development methods such as the Rational Unified Process or the Microsoft Solution Framework. Through these methods the development organisation can be viewed as a collective of actors following different rules in the form of prescribed...
Chapter
Method engineering is a design research discipline with a focus on providing support for method engineers and systems developers. (1996) defines it as ‘the engineering discipline to design, construct and adapt methods, techniques and tools for the development of information systems.’ Such support is provided in the form of frameworks (e.g. Agerfalk...
Article
The world of systems engineering methods is changing as rigorous ‘off-the-shelf’ methods gain popularity. The need for configuration of such methods is increasing accordingly. In this paper, method configuration is treated as a kind of method engineering, focusing on adaptation of a base method. A meta-method based on the concepts of Configuration...
Conference Paper
Full-text available
The configuration of systems engineering methods is a challenging task. As a method engineer it is essential to have conceptual constructs capable of reducing the burden of details during method configuration and thus make it possible to create a balance between precision and cost. In this paper we present the method component construct, which seem...
Article
Software process, Process configuration, Method Engineering, Unified Process, RUP, Technology Transfer. This paper outlines a joint industry-academia research project in the area of method engineering. Founded in practical experiences and emerging theoretical constructs, the project aims at developing theories, methods and tools to support the adap...
Conference Paper
This paper outlines a joint industry-academia research project in the area of method engineering. Founded in practical experiences and emerging theoretical constructs, the project aims at developing theories, methods and tools to support the adaptation, integration and construction of method components for flexible configuration of system developme...
Article
Full-text available
There is a growing interest in information systems implemented as Internet-based software artefacts. Little attention has been paid to a comprehensive picture of such artefacts and their difference in relationship to traditional software artefacts. This paper presents an analysis of the Internet-based software artefact in order to expose difference...
Article
Full-text available
The world of system development methods is changing as rigorous off-the-shelf methods become more popular. The need for configuration of such methods in a structured way is increasing accordingly. In this paper, method configuration is considered as a particular kind of method engineering focusing on adaptation of a base method. We propose a method...
Article
Full-text available
This paper is an inquiry into the empirical grounding of actability, an important concept for the understanding of information systems pragmatics. The paper describes the structure and the application of an analytic framework based on actability and the semiotic framework. Actability has been proposed as an important concept for the understanding of...
Conference Paper
Full-text available
This paper is an enquiry into the empirical grounding of actability. In the paper the operationalization and application of an analytic framework based on actability and organisational semiotics is described. The analytic framework has been used as a tool in a qualitative analysis of the Internet-based software artefact. The results show that actab...
Article
Full-text available
Method engineering approaches are often based on the assumption that method users are able to explicitly express their situational method requirements. However, similar to software requirements, situational method requirements are often vague and hard to explicate. In this paper we address the issue of involving method users early during method co...
Article
Full-text available
Working with a socio-technical view on information systems security is a challenge. Existing studies show that a great number of security incidents are caused by trusted personnel within organizations due to the tension between the design of information systems security policies, guidelines, rules and tools, and how they actually are used. This pap...
Article
Full-text available
This paper presents findings of information systems security (ISS) goals found in policies, guidelines, and routines, i.e. in the formal system, at a Swedish hospital. The purpose of the paper is to analyze the ISS goals and relate them to confidentiality, integrity and availability (CIA) that are traditional objectives for managing ISS in organiza...
Article
Full-text available
The world of systems engineering methods is changing as rigorous ‘off-the-shelf’ systems engineering methods become more popular. One example of such a systems engineering method is Rational Unified Process. In order to cover all phases in a software development process, and a wide range of project-types, such methods need to be of an impressive s...

Projects (6)
Archived project
The aim of the Interorg project is to develop knowledge of the character of conflicts between information security cultures in inter-organizational contexts. The results from this study increase awareness of how information security culture affects collaboration in inter-organizational settings. Such awareness is important and can help information security managers in their work with cultivating information security cultures in organizations. Furthermore, we also create a more nuanced understanding of how information security culture in an organisation evolves, and that it is not isolated from what happens in other organisations.