Effects of COVID-19 to organization’s security culture : A case study on a Swedish organization with a focus on device security

Sammanfattning: COVID-19 pandemic was one of the most devastating events that happened in the 21st century. It created a lot of changes both socially and economically. For example, a lot of employees had to be laid off due to financial reasons. Also, a considerable amount of organisations had to employ working from home culture or hybrid work culture that are still in effect. All these changes have affected the device threat landscape as well. There were new vulnerabilities that surfaced due to working from home. For example, employees had to work in unmonitored networks. On top of that there were changes in attack trends as well. The ransom attacks became more destructive after COVID-19 pandemic.  This study analyzed the effects of the change in threat landscape on the organization’s device security culture. A literature review was conducted to define the changes in the threat landscape through changes in vulnerabilities and changes in attack trends after the COVID-19 pandemic. As a result of the literature review, it was observed that working from home culture created a lot of vulnerabilities for the organisations that adopted it. Also, it was noticed  that there were changes in ransomware and phishing trends. To observe the possible effects of those changes to the organisation’s device security culture, a case study was conducted on a Swedish organisation that underwent numerous transformations after the COVID-19 pandemic. The data for the case study was collected through interviews with various participants with different roles in the organisation. The results from the literature review regarding the changes in the device threat landscape helped formulate the interview questions. The case study showed that even though the changes in the threat landscape had affected the organisation’s security culture, other factors, such as the organization's goals and experiences, played a big part in the change of the organization’s device security culture.