Risikovurdering af fagsystemer
Oversat titel
Risk assessment of it-systems
Forfatter
Nøhr, Emma Juhl
Semester
4. semester
Udgivelsesår
2019
Afleveret
2019-05-27
Abstract
Denne kandidatafhandling (forår 2019) har til formål at udvikle en risikovurderingsmetode og et risikovurderingsværktøj til Hjørring Kommune. Arbejdet er inspireret af Design-Based Learning og en fænomenologisk tilgang, der fokuserer på de ansattes oplevelser i praksis. Projektet følger fire faser: 1) Et feltstudie i efteråret 2018 undersøgte, hvordan Hjørring Kommune udfører risikovurderinger gennem interviews, deltagerobservation og dokumentanalyse. Det viste behov for en mere organiseret proces og for tæt samarbejde mellem informationssikkerhedskoordinatoren og brugerne af it-systemerne. Som led heri blev der også lavet en state-of-the-art-analyse af andre risikovurderingsmetoder for at vurdere, hvordan de lever op til ISO 27001, og hvordan en ny metode kan adskille sig. 2) Udvikling af en risikovurderingsmetode og et Excel-baseret risikovurderingsværktøj. 3) Afprøvning af metoden i praksis gennem faciliterede workshops, hvor medarbejdere blev oplært i at gennemføre en risikovurdering. 4) Evaluering af afprøvningen med kvalitative metoder: interview via Google Analysis formula med to spørgsmål (hvad fungerede, og hvad gjorde ikke) samt deltagerobservation. Resultaterne viste, at medarbejderne gerne vil deltage igen, men at metoden har problemer: særligt sårbarhedsklassifikationen af it-systemer passer ikke til kommunen og er svær at bruge i praksis. Konklusionen er, at der er behov for en ny designiteration for at identificere og rette problemerne. Det Excel-baserede værktøj blev ikke afprøvet i denne afhandling og skal testes i næste iteration.
This master’s thesis (spring 2019) aims to develop a risk assessment method and a risk assessment tool for Hjørring Municipality. The work is inspired by Design-Based Learning and a phenomenological approach that focuses on people’s experiences in practice. The project follows four phases: 1) A field study in autumn 2018 examined how the municipality conducts risk assessments using interviews, participant observation, and document analysis. It showed a need for a more organized process and for closer collaboration between the information security coordinator and the users of the IT systems. This led to a state-of-the-art analysis of other risk assessment methods to see how they align with ISO 27001 and how a new method could differ. 2) Development of a risk assessment method and an Excel-based risk assessment tool. 3) Practical testing of the method in a facilitated workshop where employees were taught how to perform a risk assessment. 4) Evaluation of the test with qualitative methods: an interview conducted via Google Analysis formula with two questions (what worked in the workshop and what did not) and participant observation. Findings indicate that employees would like to participate again, but the method has issues. The main problem is the vulnerability classification of IT systems: the categories do not fit the organization and are hard to use. The conclusion is that a second design iteration is needed to identify new issues and fix the ones found. The tool was not tested in practice in this thesis and should be tested in the next iteration.
[Dette resumé er genereret ved hjælp af AI]