Implementation of information security policies in public organizations : Top management as a success factor

Sammanfattning: The purpose of this thesis is to investigate potential success factors related to the implementation of an information security in organizations, with a specific focus on the role of top management in implementing information security policies in organizations. The following are the research questions: What are the factors related to the implementation of an information security in organization according to the literature and what is the organization’s view of these factors? What is the role of the top management in implementing an information security policy in an organization according to the literature and what is the organization’s view of the role? A case study approach was implemented in this study, collecting data from both primary and secondary sources by doing a literature review, and interviews. A document analysis was done as well as a field visit.Based on the literature, the success factors related to the implementation of an information security in organization are: management support, security awareness and training, budget, information security policy enforcement, organization objectives and goals. Based on the interviews, both two organizations agree with those success factors found in the literature. Regarding the role of the top management in implementing an information security policy in organization, the two organizations have different views on that role. For one organization, the successful implementation of an information security policy does not need the involvement of the top management, and for the other one, in order to achieve a successful implementation of an information security policy, there must be involvement of the top management. Suggestions for further researcher are: Future researchers interested in this field may include to conduct a qualitative research in different public organizations, also including private organizations but for a longer period of time, so the researcher can make a comparison of the top management’s role in implementing an information security policy between public and private organizations. The researcher can also try to find other success factors related to the implementation of an information security.