Is IT good enough: An analysis of Swedish universities information security

Sammanfattning: Previous research in information security research has pointed out the importance of aware employees, while practitioners have focused on technical safety measures, this while the geopolitical situation has rapidly changed. In this paper the public Swedish institutions of higher education are investigated to gain a more complete picture of the potential pitfalls that exist in Swedish government agencies. The study uses a mixed method approach, first a qualitative content analysis of ten Swedish institutions of higher education information security policy to identify any problem areas, further a quantitative survey was sent out to 85 IT-managers at thirty of the thirty-two Swedish institutions of higher education to investigate what issues they had observed. The findings show that information security awareness and education programs seem to have been neglected among the Swedish institutions of higher education, even though researchers have stressed their importance. The new geopolitical situation and the high return of investment on socially engineered attacks, highlights the importance of information security awareness, this before an information security crisis occurs