Fragmented information security regulation does not effectively protect organisations’ confidential information

The importance of information security has increased in our system-dependent network society. Despite this, the information security requirements that are binding on organisations are scattered around different regulations. In addition, Finland does not have a national general information security law that is binding on all organisations, according to Jenna Andersson’s doctoral dissertation.

Our cyber space is subject to threats that have a significant impact on the operations of organisations, the functioning of society and the rights of individuals. Cybercrime has taken up space from more traditional forms of crime, and with globalisation, online threats are not limited to national borders. 

“In a networked, system-dependent society, information security should not be the sole responsibility of critical sectors and the public sector. In information security, the weakest link in the chain also endangers the information security of other actors. Therefore, the achievement of a minimum level of security should be ensured in all organisations. Typically, information security regulation leads to positive effects in terms of improving information security,” says Jenna Andersson, who will defend her dissertation at the University of Vaasa on 11 October.

Current regulatory framework for information security needs clarification

Our national legislation does not have a general information security law that is binding on all organisations. Instead, there are numerous provisions on information security scattered across different regulations, and they are not necessarily binding on all organisations. For example, the comprehensive cybersecurity act that implements the NIS 2 directive applies directly only to essential and important entities in critical sectors.

The information security requirements of the EU General Data Protection Regulation improve the domestic regulatory situation, as the requirements for the protection of personal data extend to all organisations regardless of their size and importance. One of the purposes of the research was to bring together the information security requirements binding on organisations in national legislation and compare them with good information security practices. In this way, the research can also be utilised in practical work. 

The current fragmented regulation hinders things such as the accessibility and understandability of the information security requirements in the legislation. 

“Information security norms are not just for lawyers to interpret. Legal texts must be understandable to everyone,” says Andersson. 

According to Andersson, the number of information security regulations has been continuously increasing, which requires organisations to have a high level of legal knowledge. In companies that do not have a good level of information security, or where information security is not a “core activity” of the company, it can be difficult to understand the overall picture of the information security requirements in the current legislation.

A general information security act could be used to clarify the current regulatory system for information security and to reduce any overlapping and fragmented regulation. 

Fundamental rights must be realised in the operations and services of organisations


“With digitalisation, different functions have moved to information networks, which highlights the fact that the fundamental rights of individuals must also be protected there. We have a fundamental right to the protection of our personal data, and similarly, everyone should have the right to cyber security,” says Andersson.

According to Andersson, today’s digitalised society must have information security legislation that efficiently protects the confidential information and operational continuity of all organisations, as well as the personal data and other rights of individuals.

The research used a legal research method: it compiled and systematised parts of the valid national information security legislation and compared the information security obligations that the legislation imposes on organisations with good information security practices.

In the research, the elements of a good regulatory system for information security are: technology neutrality, proactivity, taking good practices into account, moderateness and fairness, accessibility and understandability, consistency and unity, as well as taking individuals and fundamental rights into account. These have been used as norm-centric criteria for examining legislation when answering the research questions: is the current regulatory system for information security in organisations good and is a national information security act necessary in Finland?

Doctoral thesis defence

BSc (Econ) Jenna Andersson’s doctoral dissertation “Organisaation hyvä tietoturvan sääntelyjärjestelmä” (“A good regulatory system for information security in an organisation”) will be publicly examined on Friday 11 October 2024 at noon in the Kurtén auditorium of the University of Vaasa.

The public doctoral thesis defence can also be followed remotely (Zoom, password: 943080)

Professor Emeritus Ahti Saarenpää (University of Lapland) will act as the opponent and Professor Vesa Annola as the presiding official.

Doctoral dissertation

Andersson, Jenna (2024). Organisaation hyvä tietoturvan sääntelyjärjestelmä. Acta Wasaensia 536. Doctoral dissertation. University of Vaasa.


More information 

Jenna Andersson, email andersson.jenna@gmail.com

Jenna Andersson graduated with a Master of Economics and Business Administration degree from the University of Vaasa in 2014, majoring in ICT law. She has also completed studies at Trent University in Canada in fields such as occupational safety.

Currently, Andersson works as a data protection and information security specialist at the Finnish Government ICT Centre. Previously, she worked as an information security manager at Tampere Universities and in information security specialist positions at KPMG Oy Ab.
