Abstract
This paper presents an extensive systematic literature review with the aim of identifying and classifying issues in the information classification process. The classification selected uses human and organizational factors for grouping the identified issues. The results reveal that policy-related issues are most commonly described, but not necessarily the most crucial ones. Furthermore, gaps in the research field are identified in order to outline paths for further research.
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Bergström, E., Åhlfeldt, RM. (2014). Information Classification Issues. In: Bernsmed, K., Fischer-Hübner, S. (eds) Secure IT Systems. NordSec 2014. Lecture Notes in Computer Science, vol 8788. Springer, Cham. https://doi.org/10.1007/978-3-319-11599-3_2
DOI: https://doi.org/10.1007/978-3-319-11599-3_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11598-6
Online ISBN: 978-3-319-11599-3