Dissertation: Information security is often based on general guidelines – study helps target security investments better in organizations
Effective risk management is becoming increasingly important for ensuring business continuity in organisations as information and cybersecurity threats continue to grow. The objective of risk management is to ensure that organisations can effectively identify vulnerable assets and select cost-effective controls to protect them. However, small organisations in particular find it difficult to protect themselves against security threats.
“Almost all security risk management measures are designed for larger companies. However, small and medium-sized enterprises would benefit from more support to ensure information security since they have fewer resources at their disposal,” Nykänen explains.
Smaller businesses may not be able to afford continuous investments in information security, making it critical for them to properly allocate available resources to protect critical assets.
“For instance, if a small company has limited resources available, is it worth spending resources on security training for staff or on backing up laptops? In practice, the optimal choice depends on various factors. Current standards and guidelines are limited in their ability to take into account the different characteristics of organisations and their security objectives, so their use requires expertise that small businesses might often lack,” Nykänen continues.
Study provides concrete help in choosing security tools
The results of the study were used in the development of the Finnish Assessment criteria for information security in public administration, Julkri. The criteria are used to assess the measures required to ensure information security in public administrative units, such as wellbeing service counties, cities and municipalities.
“Organizations will also benefit from the Julkri evaluation criteria. The pre-conditions used in Julkri will allow small and medium-sized enterprises to benefit from Julkri and to choose more effectively the appropriate methods for their individual security objectives,” Nykänen says.
The results of the study will allow the development of new tools and the improvement of existing methods to help smaller organisations in particular target their security efforts at the most relevant areas.
The results can also be used to further improve language models so that AI solutions can in the future provide better answers on information security management and thereby help smaller companies manage their security.
More information
M.Sc. Riku Nykänen defends his doctoral dissertation “Supporting control selection in information security”. The opponent is Professor Juha Röning (University of Oulu) and the custos is Professor Tommi Kärkkäinen (University of Jyväskylä). The language of the dissertation is Finnish.
Riku Nykänen
riku.nykanen@gmail.com