Information Classification Issues

  • Erik BergströmEmail author
  • Rose-Mharie Åhlfeldt
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8788)


This paper presents an extensive systematic literature review with the aim of identifying and classifying issues in the information classification process. The classification selected uses human and organizational factors for grouping the identified issues. The results reveal that policy-related issues are most commonly described, but not necessarily the most crucial ones. Furthermore, gaps in the research field are identified in order to outline paths for further research.


information classification systematic literature review information security management systems 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Oscarson, P., Karlsson, F.: A National Model for Information Classification. In: AIS SIGSEC Workshop on Information Security & Privacy (WISP 2009), Phoenix, AZ, USA (2009)Google Scholar
  2. 2.
    ISO/IEC 27000: Information technology – Security techniques – Information security management systems – Overview and vocabulary. ISO/IEC (2014)Google Scholar
  3. 3.
    ISO/IEC 27002: Information technology – Security techniques – Code of practice for information security controls. ISO/IEC (2013)Google Scholar
  4. 4.
    Axelrod, C.W., Bayuk, J.L., Schutzer, D.: Enterprise Information Security and Privacy. Artech House (2009)Google Scholar
  5. 5.
    Bayuk, J.: The utility of security standards. In: 2010 IEEE International Carnahan Conference on Security Technology (ICCST), pp. 1–6 (2010)Google Scholar
  6. 6.
    Park, W.-S., Seo, S.-W., Son, S.-S., Lee, M.-J., Kim, S.-H., Choi, E.-M., Bang, J.-E., Kim, Y.-E., Kim, O.-N.: Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds. Healthc. Inform. Res. 16, 89–99 (2010)CrossRefGoogle Scholar
  7. 7.
    Luethi, M., Knolmayer, G.F.: Security in Health Information Systems: An Exploratory Comparison of U.S. and Swiss Hospitals. In: 42nd Hawaii International Conference on System Sciences, HICSS 2009, pp. 1–10 (2009)Google Scholar
  8. 8.
    Glynn, S.: Getting To Grips With Data Classification. Database and Network Journal 41, 8–9 (2011)Google Scholar
  9. 9.
    Ghernaouti-Helie, S., Simms, D., Tashi, I.: Protecting Information in a Connected World: A Question of Security and of Confidence in Security. In: 14th International Conference on Network-Based Information Systems (NBiS), pp. 208–212 (2011)Google Scholar
  10. 10.
    Collette, R.: Overcoming obstacles to data classification [information security]. Computer Economics Report (International Edition) 28, 8–11 (2006)Google Scholar
  11. 11.
    Hayes, J.: Have data will travel - [IT security]. Engineering & Technology 3, 60–61 (2008)CrossRefGoogle Scholar
  12. 12.
    Kane, G., Koppel, L.: Information Protection Function One: Governance. In: Kane, G.K., Lorna (eds.) Information Security, ch. 1, pp. 1–11. Elsevier, Boston (2013)Google Scholar
  13. 13.
    Kitchenham, B., Charters, S.: Guidelines for performing Systematic Literature Reviews in Software Engineering. Keele University and Durham University Joint Report (2007)Google Scholar
  14. 14.
    Virtanen, T.: Design Criteria to Classified Information Systems Numerically. In: Dupuy, M., Pierre, P. (eds.) Trusted Information. IFIP, vol. 65, pp. 317–325. Springer, Boston (2001)CrossRefGoogle Scholar
  15. 15.
    DuraiPandian, N., Chellappan, C.: Dynamic information security level reclassification. In: 2006 IFIP International Conference on Wireless and Optical Communications Networks, Bangalore, India (2006)Google Scholar
  16. 16.
    Hayat, Z., Reeve, J., Boutle, C., Field, M.: Information security implications of autonomous systems. In: Proceedings of the 2006 IEEE Conference on Military Communications, pp. 897–903. IEEE Press, Washington, D.C. (2006)Google Scholar
  17. 17.
    Eloff, J.H.P., Holbein, L.R., Teufel, S.: Security classification for documents. Computers & Security 15, 55–71 (1996)CrossRefGoogle Scholar
  18. 18.
    Feuerlicht, J., Grattan, P.: The role of classification of information in controlling data proliferation in end-user personal computer environment. Computers & Security 8, 59–66 (1989)CrossRefGoogle Scholar
  19. 19.
    Parker, D.B.: The classification of information to protect it from loss. Information Systems Security 5, 9–15 (1996)Google Scholar
  20. 20.
    Kwo-Jean, F., Shu-Kuo, L., Chi-Chun, L.: A study on e-Taiwan information system security classification and implementation. Computer Standards & Interfaces 30, 1–7 (2008)CrossRefGoogle Scholar
  21. 21.
    Fernando, D., Zavarsky, P.: Secure decommissioning of confidential electronically stored information (CESI): A framework for managing CESI in the disposal phase as needed. In: 2012 World Congress on Internet Security (WorldCIS), pp. 218–222 (2012)Google Scholar
  22. 22.
    Fibikova, L., Müller, R.: A Simplified Approach for Classifying Applications. In: Pohlmann, N., Reimer, H., Schneider, W. (eds.) ISSE 2010 Securing Electronic Business Processes, pp. 39–49. Vieweg+Teubner (2011)Google Scholar
  23. 23.
    Everett, C.: Building solid foundations: the case for data classification. Computer Fraud & Security 2011, 5–8 (2011)Google Scholar
  24. 24.
    Wohlin, C., Runeson, P., da Mota Silveira Neto, P.A., Engström, E., do Carmo Machado, I., de Almeida, E.S.: On the reliability of mapping studies in software engineering. Journal of Systems and Software 86, 2594–2610 (2013)CrossRefGoogle Scholar
  25. 25.
    Boell, S., Cezec-Kecmanovic, D.: Are systematic reviews better, less biased and of higher quality? In: European Conference on Information Systems (2011)Google Scholar
  26. 26.
    Lin, J.: Is searching full text more effective than searching abstracts? BMC Bioinformatics 10, 1–15 (2009)CrossRefGoogle Scholar
  27. 27.
    Kraemer, S., Carayon, P., Clem, J.: Human and organizational factors in computer and information security: Pathways to vulnerabilities. Computers & Security 28, 509–520 (2009)CrossRefGoogle Scholar
  28. 28.
    Strauss, A., Corbin, J.: Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory. Sage Publications, Inc., Thousand Oaks (1998)Google Scholar
  29. 29.
    Gantz, S.D., Philpott, D.R.: Federal Information Security Fundamentals. In: Gantz, S.D.P., Daniel, R. (eds.) FISMA and the Risk Management Framework, ch. 2, pp. 23–52. Syngress (2013)Google Scholar
  30. 30.
    Grandison, T., Bilger, M., O’Connor, L., Graf, M., Swimmer, M., Schunter, M., Wespi, A., Zunic, N.: Elevating the Discussion on Security Management: The Data Centric Paradigm. In: 2nd IEEE/IFIP International Workshop on Business-Driven IT Management, BDIM, pp. 84–93 (2007)Google Scholar
  31. 31.
    Jafari, M., Fathian, M.: Management Advantages of Object Classification in Role-Based Access Control (RBAC). In: Cervesato, I. (ed.) ASIAN 2007. LNCS, vol. 4846, pp. 95–110. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  32. 32.
    Lindup, K.R.: A new model for information security policies. Computers & Security 14, 691–695 (1995)CrossRefGoogle Scholar
  33. 33.
    Parker, D.B.: The strategic values of information security in business. Computers & Security 16, 572–582 (1997)CrossRefGoogle Scholar
  34. 34.
    Ramasamy, H.V., Schunter, M.: Multi-Level Security for Service-Oriented Architectures. In: Military Communications Conference, MILCOM 2006, pp. 1–7. IEEE (2006)Google Scholar
  35. 35.
    Bunker, G.: Technology is not enough: Taking a holistic view for information assurance. Information Security Technical Report 17, 19–25 (2012)CrossRefGoogle Scholar
  36. 36.
    Winkler, V.: Chapter 3 - Security Concerns, Risk Issues, and Legal Aspects. In: Winkler, V. (ed.) Securing the Cloud, pp. 55–88. Syngress, Boston (2011)CrossRefGoogle Scholar
  37. 37.
    Baškarada, S.: Analysis of Data. In: Information Quality Management Capability Maturity Model, pp. 139–221. Vieweg+Teubner (2009)Google Scholar
  38. 38.
    Booysen, H.A.S., Eloff, J.H.P.: Classification of objects for improved access control. Computers & Security 14, 251–265 (1995)CrossRefGoogle Scholar
  39. 39.
    Ku, C.-Y., Chang, Y.-W., Yen, D.C.: National information security policy and its implementation: A case study in Taiwan. Telecommunications Policy 33, 371–384 (2009)CrossRefGoogle Scholar
  40. 40.
    Puhakainen, P., Siponen, M.: Improving employees’ compliance through information systems security training: an action research study. MIS Q. 34, 757–778 (2010)Google Scholar
  41. 41.
    Janczewski, L., Xinli Shi, F.: Development of Information Security Baselines for Healthcare Information Systems in New Zealand. Computers & Security 21, 172–192 (2002)CrossRefGoogle Scholar
  42. 42.
    Al-Fedaghi, S.: On Information Lifecycle Management. In: Asia-Pacific Services Computing Conference, APSCC 2008, pp. 335–342. IEEE (2008)Google Scholar
  43. 43.
    Aksentijevic, S., Tijan, E., Agatic, A.: Information security as utilization tool of enterprise information capital. In: MIPRO, 2011 Proceedings of the 34th International Convention, pp. 1391–1395 (2011)Google Scholar
  44. 44.
    Ager, T., Johnson, C., Kiernan, J.: Policy-Based Management and Sharing of Sensitive Information Among Government Agencies. In: Military Communications Conference, MILCOM 2006, pp. 1–9. IEEE (2006)Google Scholar
  45. 45.
    Arutyunov, V.V.: Identification and authentication as the basis for information protection in computer systems. Sci. Tech. Inf. Proc. 39, 133–138 (2012)MathSciNetCrossRefGoogle Scholar
  46. 46.
    Seifert, J.W., Relyea, H.C.: Do you know where your information is in the homeland security era? Government Information Quarterly 21, 399–405 (2004)CrossRefGoogle Scholar
  47. 47.
    Saxby, S.: News and comment on recent developments from around the world. Computer Law & Security Review 24, 95–110 (2008)CrossRefGoogle Scholar
  48. 48.
    Feinberg, L.E.: FOIA, federal information policy, and information availability in a post-9/11 world. Government Information Quarterly 21, 439–460 (2004)CrossRefGoogle Scholar
  49. 49.
    Velev, D., Zlateva, P.: Cloud Infrastructure Security. In: Camenisch, J., Kisimov, V., Dubovitskaya, M. (eds.) iNetSec 2010. LNCS, vol. 6555, pp. 140–148. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  50. 50.
    Wilson, P.: Positive perspectives on cloud security. Information Security Technical Report 16, 97–101 (2011) Google Scholar
  51. 51.
    Freeman, E.: Information and Computer Security Risk Management. In: Ghosh, S., Turrini, E. (eds.) Cybercrimes: A Multidisciplinary Analysis, pp. 151–163. Springer, Heidelberg (2011)Google Scholar
  52. 52.
    Everett, C.: Building solid foundations: the case for data classification. Computer Fraud & Security 2011(6), 5–8 (2011)CrossRefGoogle Scholar
  53. 53.
    Adiraju, S.K.: Security Considerations in Integrating the Fragmented, Outsourced, ITSM Processes. In: 2012 Third International Conference on Services in Emerging Markets (ICSEM), pp. 175–182 (2012)Google Scholar
  54. 54.
    Chaput, S., Ringwood, K.: Cloud Compliance: A Framework for Using Cloud Computing in a Regulated World. In: Antonopoulos, N., Gillam, L. (eds.) Cloud Computing, pp. 241–255. Springer, London (2010)CrossRefGoogle Scholar
  55. 55.
    Hilton, J.: Improving the secure management of personal data: Privacy on-line IS important, but it’s not easy. Information Security Technical Report 14, 124–130 (2009)CrossRefGoogle Scholar
  56. 56.
    Wang, W., Peng, G., Lu, G.: Agricultural Informationization in China. In: Ordóñez de Pablos, P.L., Miltiadis, D. (eds.) The China Information Technology Handbook, pp. 271–297. Springer US (2009)Google Scholar
  57. 57.
    Boonstra, D., Schotanus, H.A., Verkoelen, C.A.A., Smulders, A.C.M.: A methodology for the structured security analysis of interconnections. In: Military Communications Conference - MILCOM 2011, pp. 1267–1272 (2011)Google Scholar
  58. 58.
    Wrona, K., Hallingstad, G.: Controlled information sharing in NATO operations. In: Military Communications Conference - MILCOM 2011, pp. 1285–1290 (2011)Google Scholar
  59. 59.
    Karat, J., Karat, C.-M., Brodie, C., Feng, J.: Privacy in information technology: Designing to enable privacy policy management in organizations. International Journal of Human-Computer Studies 63, 153–174 (2005)CrossRefGoogle Scholar
  60. 60.
    Vrhovec, G.: Beating the privacy challenge. Computer Fraud & Security 2011, 5–8 (2011)CrossRefGoogle Scholar
  61. 61.
    Kulkarni, A., Williams, E., Grimaila, M.R.: Mitigating Security Risks for End User Computing Application (EUCA) Data. In: 2010 IEEE Second International Conference on Social Computing (SocialCom), pp. 1171–1176 (2010)Google Scholar
  62. 62.
    Tsai, W.T., Wei, X., Chen, Y., Paul, R., Chung, J.-Y., Zhang, D.: Data provenance in SOA: security, reliability, and integrity. SOCA 1, 223–247 (2007)CrossRefGoogle Scholar
  63. 63.
    Newman, A.R.: Confidence, pedigree, and security classification for improved data fusion. In: Proceedings of the Fifth International Conference on Information Fusion, vol. 2, 1402, pp. 1408–1415 (2002)Google Scholar
  64. 64.
    Taylor, L.P.: Chapter 8 - Categorizing Data Sensitivity. In: Taylor, L.P. (ed.) FISMA Compliance Handbook, 2nd edn., pp. 63–78. Syngress, Boston (2013)CrossRefGoogle Scholar
  65. 65.
    Wei, W., Shengzhong, Y., Hong, H.: Design of Portal-Based Uniform Identity Authentication System in Campus Network. In: 2010 International Conference on Multimedia Communications (Mediacom),, pp. 112-115 (2010) Google Scholar
  66. 66.
    Blyth, A., Kovacich, G.L.: IA and Software. Information Assurance, pp. 191–212. Springer, London (2006)Google Scholar
  67. 67.
    Demsky, B.: Cross-application data provenance and policy enforcement. ACM Trans. Inf. Syst. Secur. 14, 1–22 (2011)CrossRefGoogle Scholar
  68. 68.
    Ashley, P., Vandenwauver, M., Siebenlist, F.: Applying authorization to intranets: architectures, issues and APIs. Computer Communications 23, 1613–1620 (2000)CrossRefGoogle Scholar
  69. 69.
    Burnap, P., Hilton, J.: Self Protecting Data for De-perimeterised Information Sharing. In: Third International Conference on Digital Society, ICDS 2009, pp. 65–70 (2009)Google Scholar
  70. 70.
    Alqudah, B.I., Nair, S.: Toward Multi-Service Electronic Medical Records Structure. In: Suh, S.C., Gurupur, V.P., Tanik, M.M. (eds.) Biomedical Engineering, pp. 243–254. Springer, New York (2011)CrossRefGoogle Scholar
  71. 71.
    Etges, R., McNeil, K.: Understanding data classification based on business and security requirements. ISACA Information Systems Control Journal 5 (2006)Google Scholar
  72. 72.
    Fomin, V.V., de Vries, H.J., Barlette, Y.: ISO/IEC 27001 information systems security management standard: exploring the reasons for low adoption. In: EUROMOT 2008 Conference, Nice, France (2008)Google Scholar
  73. 73.
    Siponen, M., Willison, R.: Information security management standards: Problems and solutions. Information & Management 46, 267–270 (2009)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Informatics Research CentreUniversity of SkövdeSkövdeSweden

Personalised recommendations