<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Tools Supporting Information Security Risk Management in Practice</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Erik Bergström</string-name>
          <email>erik.bergstrom@ju.se</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Department of Computer Science and Informatics, School of Engineering, Jönköping University</institution>
          ,
          <addr-line>Jönköping</addr-line>
          ,
          <country country="SE">Sweden</country>
        </aff>
      </contrib-group>
      <fpage>146</fpage>
      <lpage>159</lpage>
      <abstract>
<p>It is well-known that Information Security Risk Management (ISRM) activities can be challenging to perform and that tool support could help in different ways, for example, by automating tasks, guiding the user, or helping with documentation. Despite the need for tools, there is a lack of studies investigating ISRM tool usage. This paper contributes by presenting the results from one of the first studies targeting information classification and ISRM tool usage in practice. The study is based on a survey sent to government agencies in Sweden and was answered by 139 respondents (67%). The survey targeted the type of tools used and the perceptions of those tools. Findings include a list of tools perceived to contribute to performing ISRM activities, such as information classification, the reasons why the tools were selected, and how well they fulfil their needs. More specifically, we found that spreadsheets and document templates are the most common tools used, despite not being perceived as fulfilling the needs. We also found that taking on an even more holistic view might be needed when considering functionality in ISRM tools.</p>
      </abstract>
      <kwd-group>
        <kwd>Information classification</kwd>
        <kwd>Information Security Risk Management</kwd>
        <kwd>Tool support</kwd>
        <kwd>Tools in practice</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        Information assets are crucial to most organisations, and much effort and money are spent
to secure them. Information Security Risk Management (ISRM) can be applied to do so in
a structured way. There is a plethora of ISRM methods to choose from; they can be
quantitative, qualitative, or semi-quantitative [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] and have a different focus, e.g., on the public
sector or small and medium-sized enterprises (SMEs) [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. Regardless of the ISRM method, the
goal is similar: to describe a continuous process to identify and mitigate risks toward critical
information assets [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. Before performing a risk analysis (RA), we need to know what assets
exist in the organisation and how valuable they are. This activity is commonly referred to as
information classification. As the result of the information classification serves as input to the
RA [
        <xref ref-type="bibr" rid="ref4 ref5">4, 5</xref>
        ], the classification quality is critical and has been described as essential for the success
of RA [6]. Despite being an important activity that is even compulsory for many organisations
[
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], information classification has been described as an understudied area [7, 8], especially the
aspects of how information classification is practised in organisations [9, 10].
      </p>
      <p>CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073</p>
      <p>
        Tools can support the ISRM work in various ways, for example, by automating tasks [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ],
creating a more straightforward path between activities and reducing manual work that can
generate errors [11]. Unfortunately, there is little literature on tool support for ISRM and its
activities. Therefore, in this paper, we provide insights on tool usage in practice by investigating
what tools are used to support the ISRM activity information classification and, in addition, the
overall ISRM work in ISO/IEC 27001/27002-based organisations. The reason for focusing on
tool support in such organisations is that no specific tools are provided with the standards and
that the standards are mandated to be used by many organisations. Moreover, we investigate
why the tools have been selected and how well the tools fulfilled the needs. In the literature, it
is not evident to what extent there is a clear need for overall ISRM tool support and to what
extent there is a need to support specific ISRM activities separately. Such understandings are
important because we still lack insights into how organisations protect themselves in practice
[12]. Therefore, we focus on both tool support for information classification and the overall
ISRM work despite information classification being a part of ISRM.
      </p>
      <p>This paper is organised as follows: the next section discusses ISRM and information
classification and how tools support ISRM and the information classification activity. The following
section introduces the study approach, followed by the results. The next section discusses the
results, while the last section concludes the study.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Background</title>
      <p>This section focuses primarily on ISRM and information classification and how tools can support
the work.</p>
      <sec id="sec-2-1">
        <title>2.1. ISRM and information classification</title>
        <p>Several risk-based standards and methods exist that help organisations identify and value assets
and select security controls to protect those assets [13]. Shameli-Sendi et al. [14] have identified
over 30 such methods and standards published by professional organisations and researchers.
Examples include the Central Computer and Telecommunications Agency Risk Analysis and
Management Method (CRAMM), Operationally Critical Threat, Asset, and Vulnerability
Evaluation (OCTAVE), and NIST SP 800-30. It can be difficult for organisations to choose among the
methods, and it is an important choice as it can affect the end result [15]. However, organisations
might not have many alternatives in practice as they may be mandated to follow international
standards, e.g., for getting government contracts [16]. Hence, for many organisations, there are
only the ISO/IEC standards to choose from, and even if they use another standard, they might
need to consider them to be compliant.</p>
        <p>
          The differences between ISRM methods have been described as minor [17], and here we
consider the general ISRM process to consist of the activities information classification, risk
analysis, and the selection of security controls. After the selection of security controls, there is
a feedback operation to the classification to review the classification and thereby continuously
improve the controls. The exact tasks performed in the activities could differ, but what is
covered in the process is similar [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ].
        </p>
        <p>In this work, we focus on information classification as it has not attracted as much attention
as other ISRM activities [7], especially from a practice perspective [10]. Shedden et al. [8]
concluded in their study that most ISRM methods were limited regarding asset management
and classification, suggesting that less attention has been directed towards this topic compared
to other ISRM activities. According to ISO/IEC 27002 [18], the purpose of information classification is
to “ensure identification and understanding of protection needs of information in
accordance with its importance to the organization” [18, p.23]. The literature has identified
several challenges related to information classification, including subjective judgement [19],
what and how to document [10, 20], and what security aspects to consider [21, 22], all of which
tool support could have the potential to alleviate.</p>
      </sec>
      <sec id="sec-2-2">
        <title>2.2. ISRM and information classification tool support</title>
        <p>
          It is not precisely clear what tool support implies in an ISRM context, and we have kept an
inclusive approach to what it could be. A broad description of a tool is “something that helps
you to do a particular activity” [23]. In an ISRM context, that implies tool support can be either
a dedicated tool or something more rudimentary, such as spreadsheets, document templates
or other supplementary support that helps the practitioner in their work [
          <xref ref-type="bibr" rid="ref2">2, 15, 24</xref>
          ]. There are
few overviews of tools, but The European Union Agency for Cybersecurity (ENISA) maintains
an inventory of over 30 Risk Management/Risk Assessment tools [25]. In addition, a recent
report from ENISA [26] contains information on whether tool support is available as part of
around 30 identified Risk Management methods. In addition, they present an additional eight
tools that support risk management, but these tools are not evaluated or investigated in any
detail. Common for the tools in the inventory is that they are developed to support specific
standards and methods, and the activities performed are specified as a set of steps to follow [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ],
which implies that the activities are static rather than dynamic. There is some evidence in the
literature that the activities are not as rational and sequential in practice [10, 27] and could, for
example, be performed in parallel or in a different order [28]. Such aspects can contribute to
limiting tool alternatives for organisations using the ISO/IEC 27000 family of standards as they
do not provide a specific tool with the standards. This is perhaps extra troubling as we know
that turning standards into practice is difficult [29, 30, 31]. A study by Bernsmed et al. [
          <xref ref-type="bibr" rid="ref6">32</xref>
          ] in
the Air Traffic Management (ATM) domain confirms this situation. There, organisations use an
adapted version of ISO/IEC 27005 [
          <xref ref-type="bibr" rid="ref7">33</xref>
          ] that is accompanied by additional documentation to fill
the gaps in the standard [
          <xref ref-type="bibr" rid="ref6">32</xref>
          ] and a Microsoft Excel spreadsheet [
          <xref ref-type="bibr" rid="ref8">34</xref>
          ] was used as tool support
by some of the investigated organisations. The spreadsheet users found several issues related
to limited functionality, and among the organisations that did not use the spreadsheet, the lack
of tool support was a significant issue [
          <xref ref-type="bibr" rid="ref6">32</xref>
          ].
        </p>
        <p>
          Gritzalis et al. [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ] have developed a method for selecting an appropriate risk assessment
method based on criteria and also compared ten popular methods in their study. In their
comparison, tool support is considered, and most investigated methods support or contain
tools. They describe simpler tools such as spreadsheets as providing limited functionality and
being restrictive and disadvantageous compared to dedicated software. However, even the more
advanced tools had drawbacks, such as predefined tables for information classification and
input limitations regarding what can be entered during documentation [
          <xref ref-type="bibr" rid="ref2">2</xref>
          ].
        </p>
        <p>Literature also mentions other issues with both standards and tools; that they generally fail to
answer fundamental questions regarding tasks performed in ISRM activities, for example, how
to separate critical and non-critical resources and how to calculate the likelihood of a threat
[14], and the order to perform tasks [15].</p>
        <p>
          There is very little literature on tool support for information classification [
          <xref ref-type="bibr" rid="ref9">35</xref>
          ], regardless
of whether the perspective is a dedicated tool for classification or classification functionality
included in a more encompassing ISRM tool. Asaf et al. [
          <xref ref-type="bibr" rid="ref10">36</xref>
          ] identified eight tools for automatic
document classification, which could be seen as a subset of information classification in their
study. All of the identified tools had limitations. Also worth mentioning is that the focus of
such tools is the classification of individual documents (i.e. a high granularity approach) rather
than the classification of processes or systems, which is the standard approach in classification
[10]. There is also a study [
          <xref ref-type="bibr" rid="ref11">37</xref>
          ] on using one classification tool, but this study focuses on stress
among novice ISRM practitioners. Nonetheless, there are some interesting findings from a tool
perspective. The tool was perceived as helpful because it provided suggestions on security
controls. There were also some issues: problems with the flexibility of the tool, e.g.
when workflow and terminology in the tool differed from organisational practice, and with the
documentation of the classification.
        </p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. Method</title>
      <p>In order to capture tool usage and the perception of using the tools, a survey was selected as
the method. The survey was constructed in two parts, one part focusing on the information
classification activity and one part focusing on the overall ISRM work. Each part had a set of
questions targeting both quantitative and qualitative data. We wanted to find out what tools
are used for supporting the information classification and overall ISRM work and how common
those respective tools are. Because the study is explorative and we knew beforehand that
respondents could interpret what a tool is differently, we clarified the questions by explicitly
mentioning that, for example, spreadsheets count as tool support. We did, however, not mention
any specific product, so as not to lead the respondents. In addition, we also wanted to investigate the
perception of those tools, i.e., why the tools were selected and how well they fulfilled their
needs. Finally, if no tools were used in their classification or ISRM work, we asked why they
chose not to use any.</p>
      <p>
        It is well-known that it is a hard challenge to collect data in the information security field [
        <xref ref-type="bibr" rid="ref12">12,
38</xref>
        ]. To get a high response rate, we undertook several measures. Firstly (1), we targeted Swedish
public sector organisations, and since they fall under the principle of public access to official
records, the internal policies and practices are more accessible than in private organisations. In
addition, there is a regulation [
        <xref ref-type="bibr" rid="ref13">39</xref>
        ] that demands the public sector to work systematically and
risk-based and to follow the ISO/IEC 27001 [
        <xref ref-type="bibr" rid="ref14">40</xref>
        ] and ISO/IEC 27002 [18] standards. However,
there is no required practice in implementing or using them, leading to a situation where the
public sector has adopted different practices based on the ISO/IEC standards [10]. Secondly (2),
we sent the survey as plain text in an email and asked them to answer by replying to the email
rather than using any of the established online survey tools. Such an approach creates extra
work, but we believe many CISOs would not click on links, especially since they probably tell
colleagues about phishing risks. Lastly (3), we used reminders for an extended period. The first
request was sent out in the spring of 2022, and the last data was collected at the beginning of
2023.
      </p>
      <p>
        All answers from the survey were collected in a large spreadsheet, and the statistics on tool
usage supporting information classification (see results in 4.1.1) and ISRM (see 4.2.1) were put
together. In order to get a better understanding of the tools, all collected tools were investigated
by visiting the respective software developer’s web page. The free-text answers were separated
per question and divided into groups based on whether or not Microsoft Excel was used as a
tool. The questions on the reasons for selecting the tools (see 4.1.2 for information classification
tools and 4.2.2 for ISRM tools) were thematically analysed [
        <xref ref-type="bibr" rid="ref15">41</xref>
        ], and the coding revealed eight
categories. For the question of how well the classification tool fulfils their needs (see 4.1.3), all
answers were divided into three groups (not acceptable, marginal and acceptable) inspired by the
system usability scale (SUS) [
        <xref ref-type="bibr" rid="ref16">42</xref>
        ]. Finally, the survey was constructed so that if the respondents
did not use any tool to support their classification or ISRM work, they could explain why they
had chosen not to. Four themes emerged after a thematic analysis [
        <xref ref-type="bibr" rid="ref15">41</xref>
        ] of the responses (see
4.3).
      </p>
    </sec>
    <sec id="sec-4">
      <title>4. Results</title>
      <p>The survey was sent to 255 governmental agencies. Out of those, 48 were excluded as they
lacked their own administration (most had zero employees), or their information security work
was performed through another agency, leaving the group in focus at 207 agencies. Out of
those, 139 answered the survey (67%).</p>
      <p>The result section is divided into three parts: tools supporting information classification,
tools supporting the overall ISRM work, and finally, one section on why organisations had
chosen not to use tool support.</p>
      <sec id="sec-4-1">
        <title>4.1. Information classification tool support</title>
        <p>This section presents an overview of the tool support for information classification.</p>
        <sec id="sec-4-1-1">
          <title>4.1.1. What tools supporting information classification are used?</title>
          <p>As can be seen in Table 1, the survey revealed the usage of 18 tools supporting classification.
Microsoft Excel is the most common tool, and Microsoft Word is the second most used.
Twenty-six organisations used a combination of tools, i.e., several tools were mentioned in their response,
such as spreadsheets combined with a document management system.</p>
          <p>Based on the description on the respective tools’ websites, we can see that most of the tools
are not specifically developed for the information classification activity. Of the 18 different
tools, only four were related to information classification. Apart from the traditional office suite
tools, two main categories of tools were mentioned: tools that support process management
and document management tools.</p>
          <p>Table 1. Tools supporting information classification. Columns: Developer – Tool | Users | Description | Link to the web page of the tool/note.
Microsoft – Excel | – | Spreadsheet | –
Microsoft – Word | – | Word processor | –
VisAlfa – VisAlfa | – | Process-based information identification and management | –
The Swedish Civil Contingencies Agency – Infosäkkollen [Infosec check] | 4 | Follow-up and comparison with other similar organisations (related to baselining) | https://www.msb.se/infosakkollen
Atlassian – Confluence | 2 | Wiki (knowledge management, collaboration) | https://www.atlassian.com
Microsoft – Sharepoint | 2 | Content management system | https://www.microsoft.com
Further tool descriptions listed in Table 1: ISMS support; Process mapping and modelling; Management system support (e.g., document, case and process management); Case management and registration; Document management system and registration; Case management and archiving; Presentation; Diagramming; Enterprise content management; Enterprise management system; GRC (Governance, Risk management, and Compliance) management; Information classification and GAP analysis.</p>
        </sec>
        <sec id="sec-4-1-2">
          <title>4.1.2. Why were the information classification tools selected?</title>
          <p>Seventy-five respondents answered the survey question on why they selected their classification
tool. Following a thematic analysis, eight themes emerged, as seen in Table 2.</p>
          <p>The most common reason had to do with user-friendliness or ease of use. A common argument
among Microsoft Excel users was that it has a familiar interface that most recognize and can
use. The second most mentioned reason (all by Microsoft Excel users) was that the tool was
available for most users. Several in this group also mentioned that it was a file format that was
accessible to many. Next came a group of users claiming they selected the tool because it was
good enough: it helped them to solve the task. Eight organisations either inherited their tool or
got a recommendation (from consultants or colleagues in other organisations) to use it. One
group selected the tool because it provided structure and contributed to a more coherent ISMS
process; in this group, only two used spreadsheets. Finally, one group chose their tool because
of the flexibility to adapt the structure and content in spreadsheets, and one group referred to
the low cost of using an already installed tool.</p>
        </sec>
        <sec id="sec-4-1-3">
          <title>4.1.3. How well do the information classification tools fulfil their needs?</title>
          <p>One free-text question was asked to investigate how well the classification tool fulfils their
needs. Sixty-five answers were given, and in the analysis, we divided the responses into three
groups (not acceptable, marginal, and acceptable) based on a scale inspired by SUS [42].
An overview of the result can be seen in Fig. 1.</p>
          <p>The not acceptable group (examples of adjectives used: bad, poor, not well) (n=23) contained
many reasons why their tool did not fulfil their needs. Common causes of why the tool support
was not perceived as fulfilling their needs included that it was not easy to use, not mature
enough, lacked a central repository for classified assets, and was not created for classification.
Some also reflected that the tool did not support the classification itself or, as they put it: “The
support works well for documenting the classification, but not for the classification activity.”</p>
          <p>Fig. 1. Distribution of responses across the groups Not acceptable, Marginal and Acceptable (scale 0–100%).</p>
          <p>The marginal group (examples of adjectives used: ok, well enough, satisfactory) was the
largest (n=31) and a relatively homogenous group. Several respondents reflected that the tool
was satisfactory, but they would prefer even more support. The Microsoft Excel users mainly
reflected that the tool was not developed specifically to support classification. Also, mentions of
having tools supporting more activities than just the classification decreased the tool perception.</p>
          <p>The acceptable group (examples of adjectives used: good, excellent, very well) (n=13) was
the smallest group and the group that provided the shortest answers. The few reasons given
included the possibilities to adapt the tool.</p>
        </sec>
      </sec>
      <sec id="sec-4-2">
        <title>4.2. ISRM tool support</title>
        <p>This section presents an overview of tool support for the overall ISRM work.</p>
        <sec id="sec-4-2-1">
          <title>4.2.1. What tools supporting ISRM are used?</title>
          <p>Table 3. Tools supporting ISRM. Columns: Developer – Tool | Users | Link to the web page of the tool/note.
Microsoft – Excel | 47 | –
Microsoft – Word | 16 | –
The Swedish Civil Contingencies Agency – Infosäkkollen [Infosec check] | 5 | –
Stratsys – GRC Management | 4 | –
2c8 – 2c8 Apps | 1 | –
iFACTS | 1 | https://www.ifacts.se
Microsoft – Sharepoint | 1 | https://www.microsoft.com
Microsoft – Visio | 1 | https://www.microsoft.com
Omegapoint – Ciso | 1 | https://ciso.se
Mural – Mural | 1 | https://www.mural.co
Swedish Association of Local Authorities and Regions – Klassa [Classify] | 1 | https://klassa-info.skr.se
Visma Draftit – Draftit DPIA | 1 | https://www.visma.se
Addsystems – ADD | 1 | https://www.addsystems.com
Atlassian – Confluence | 1 | https://www.atlassian.com</p>
        </sec>
        <sec id="sec-4-2-2">
          <title>4.2.2. Why were the ISRM tools selected?</title>
          <p>Forty-nine respondents answered the survey question on why they selected their ISRM
tool. The eight themes identified for classification tools were used to classify the results for
ISRM tools. Table 4 shows an overview of the results.</p>
          <p>Similarly to the classification tool support analysis, user-friendliness is the main reason for
the tool selection. The other two top-three reasons were that the tool was readily available for
most or all users and good enough for the activities.</p>
        </sec>
      </sec>
      <sec id="sec-4-3">
        <title>4.3. Why are some organisations not using tools to support information classification or ISRM?</title>
        <p>In total, 43 free-text answers were given to this question. Four themes emerged during the
thematic analysis of the responses. The most common reason (16 answers) for not using any tool
support was that the organisation had not started classifying their information or systematically
started their ISRM work yet. A typical response was: “unfortunately, we are far behind with the
information classification work largely due to a lack of resources. We have had problems recruiting
staff.” Ten respondents felt manual work was sufficient and did not need tool support. Eight
respondents answered that they wanted to use a tool but could not find one that fulfilled their
requirements. The reasons for this varied, but six lacked a tool that supported and incorporated
the entire information security management system with its associated activities. Two of the
respondents were in the process of developing their own tool support, and five respondents
could not give a reason.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>5. Discussion</title>
      <p>
        The results have several interesting findings regarding the tools used to support classification
and ISRM. First and foremost, Microsoft Excel was found to be the most widely used tool. It is
unsurprising as Microsoft Office-based templates are available at a national site [27], giving
practical advice for working systematically with information security. The intention is to
help turn standards into practice, which has been described as extra difficult for information
classification [
        <xref ref-type="bibr" rid="ref17">43</xref>
        ]. The fact that Microsoft Office is the dominant software in most countries
and the file formats are possible to use in other office software makes it a natural choice for
distributing templates.
      </p>
      <p>When looking at the most common reasons why the tools were selected, most respondents
stated that they picked them because they were user-friendly, easy to use, readily available, and
good enough. All these reasons indicate a positive experience that at least gets the job done. On
the other hand, when we questioned how well the tool fulfils their needs, less than 20% used
positive adjectives such as good and excellent. In addition, a large group uses their tool because
there are no viable alternatives, and some non-tool users do manual work because they do not
find a tool that supports them. These results suggest that there is indeed a need for tools, but
the tools used do not deliver what is needed from an organisational perspective for most users.
The reasons for this could include limitations in the available tools.</p>
      <p>Several tools were neither dedicated ISRM tools nor ofice suite tools, and those tools helped
organisations in other ways. Based on the type of tools mentioned and responses in the free-text
questions, it is possible to point towards some needs. There is a need to support the whole life
cycle of information classification and ISRM. The input to information classification is often a
process, and if the process mapping/modelling and process management are in another tool,
that tool also supports the classification. That could explain the usage of process management
software. Similarly, after a classification, you will have a filled spreadsheet or another document
containing documentation that must be stored somewhere. Hence, respondents mentioning case
management systems, document management systems, and archiving software point towards
a documentation support need. To have a broader lifecycle perspective for classification is
not a new belief [9], but how it is enacted in practice is still not evident. For ISRM tools, the
situation is similar, but a few more references to dedicated ISRM software were found among
the responses.</p>
    </sec>
    <sec id="sec-6">
      <title>6. Conclusions</title>
      <p>This study is one of the first studies presenting an overview of what tools are used to support
information classification and the overall ISRM work in practice. This paper shows that most
investigated organisations use Microsoft Office products to support their classification or other
ISRM activities. The rest of the tools used are a mix of dedicated ISRM tools and other tools. A
number of reasons for tool selection were found, but at the same time, we could conclude that,
in general, the users perceived the tools did not fulfil their needs. We recommend that future
studies focus more on the underlying reasons, perhaps using interviews or another approach
that could shed more light on the underlying motivations for ISRM tool selection. We have also
seen a need to narrow down the requirements for tools supporting ISRM and its activities, such
as information classification. This is especially important since we investigated the need among
organisations using the ISO/IEC standards that come without dedicated tool support or specific
tool recommendations.</p>
      <p>It would also be interesting to investigate why many organisations perceive that there are
no viable tool alternatives to support their ISRM. Are there tool requirements that make some
of the existing tools impossible to use in the public sector? Is it a communication issue or
something else? One can also reflect on the situation where spreadsheets or document templates
are given as examples, e.g., as described previously in the example from the ATM domain or as
seen in this study. If templates are given, do the organisations perceive them as an example,
or do they believe they provide enough support to complete the task rather than exemplify it?
There is an obvious risk that the availability of templates and rudimentary tools that rather
exemplify functionality is seen as a full-fledged tool that inhibits the use of dedicated ISRM tools.
Here, we cannot provide any definitive answer, and future studies are suggested, especially as
spreadsheets are used in other domains as support for turning standards into practice or for
providing tool support.</p>
      <p>Finally, it is evident that there is a need not to see the activities in ISRM as isolated activities
that individually need tool support; rather, a holistic approach with a more encompassing
tool would be preferred. Exactly where the limitations should be drawn is unclear from this
study, and we suggest that future research helps to identify them. However, this study indicates
that tools should support process management and document management, i.e., a somewhat wider
view than the traditional lifecycle view.</p>
    </sec>
    <sec id="sec-7">
      <title>Acknowledgments</title>
      <p>We gratefully acknowledge the grant from the Swedish Civil Contingencies Agency (MSB),
project VISKA (MSB 2021–14650).</p>
    </sec>
  </body>
  <back>
  </back>
</article>