Information Security Policy Development and Implementation Piggybacking onto Finnish National Security Auditing Criteria KATAKRI

The “weakest link” of security is the human and organizational aspects of information security. Nowadays, risk assessment methods and information security plans and policies are an essential part of many organizations. However, the managerial aspects of information security often remain challenging, especially in emerging technological contexts, and management executives lack an understanding of information security requirements and importance. KATAKRI is a Finnish national security auditing criteria that is based on several information security management system standards and best practices, including four main areas: (1) administrative security, (2) personnel security, (3) physical security, and (4) information security. This multiple case study analysis consists of five individual cases studies that research how KATAKRI is suitable for different types of organizations. The cross-case conclusions examine what type of usability KATAKRI has in information security policy development and implementation in general. The results revealed that organizations have deemed the security policy useful. However, the individual contents and practices of the different security policies differed quite a lot from each other. In particular, the companies found particularly the implementation of security policies within their organizations to be a challenge. Key-words: Case study; Cyber security; Information security; Multiple case study analysis; KATAKRI; Security policy; Security audit