{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T11:04:33Z","timestamp":1776942273991,"version":"3.51.4"},"reference-count":101,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2020,12,3]],"date-time":"2020-12-03T00:00:00Z","timestamp":1606953600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2021,8,3]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO\/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-07-2020-0110","type":"journal-article","created":{"date-parts":[[2020,12,3]],"date-time":"2020-12-03T09:53:42Z","timestamp":1606989222000},"page":"209-239","source":"Crossref","is-referenced-by-count":12,"title":["Developing an information classification method"],"prefix":"10.1108","volume":"29","author":[{"given":"Erik","family":"Bergstr\u00f6m","sequence":"first","affiliation":[]},{"given":"Fredrik","family":"Karlsson","sequence":"additional","affiliation":[]},{"given":"Rose-Mharie","family":"\u00c5hlfeldt","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2020,12,3]]},"reference":[{"key":"key2021080202131712100_ref001","article-title":"Modularization constructs in method engineering: towards common ground","volume-title":"Situational Method Engineering: Fundamentals and Experiences","year":"2007"},{"key":"key2021080202131712100_ref002","first-page":"1391","article-title":"Information security as utilization tool of enterprise information capital","year":"2011"},{"key":"key2021080202131712100_ref003","first-page":"335","article-title":"On information lifecycle management","volume-title":"Asia-Pacific Services Computing Conference, 2008, APSCC '08","year":"2008"},{"key":"key2021080202131712100_ref004","doi-asserted-by":"crossref","first-page":"243","DOI":"10.1007\/978-1-4614-0116-2_19","article-title":"Toward multi-service electronic medical records structure","volume-title":"Biomedical Engineering","year":"2011"},{"key":"key2021080202131712100_ref005","article-title":"Verksamhetsanalys","year":"2011"},{"key":"key2021080202131712100_ref006","article-title":"Information security management guidelines \u2013 Australian government security classification system version 2.2","author":"Australian Government","year":"2014"},{"key":"key2021080202131712100_ref007","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1007\/978-3-8348-9634-6_4","article-title":"Analysis of data","volume-title":"Information Quality Management Capability Maturity Model","year":"2009"},{"issue":"1","key":"key2021080202131712100_ref008","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1145\/3184444.3184448","article-title":"Integration of information systems and cybersecurity countermeasures: an exposure to risk perspective","volume":"49","year":"2018","journal-title":"Acm Sigmis Database: The Database for Advances in Information Systems"},{"key":"key2021080202131712100_ref009","first-page":"27","article-title":"Information classification issues","volume-title":"Secure IT Systems. NordSec 2014. Lecture Notes in Computer Science, Vol 8788","year":"2014"},{"key":"key2021080202131712100_ref010","first-page":"268","article-title":"Information classification enablers","volume-title":"Foundations and Practice of Security. FPS 2015. Lecture Notes in Computer Science","year":"2015"},{"key":"key2021080202131712100_ref011","article-title":"Informationsklassificering och s\u00e4kerhets\u00e5tg\u00e4rder [information classification and security controls]","year":"2016"},{"key":"key2021080202131712100_ref012","article-title":"Information classification policies: an exploratory investigation","year":"2018"},{"issue":"1","key":"key2021080202131712100_ref013","doi-asserted-by":"crossref","first-page":"128","DOI":"10.22619\/IJCSA.2019.100128","article-title":"Stress amongst novice information security risk management practitioners","volume":"4","year":"2019","journal-title":"International Journal on Cyber Situational Awareness"},{"issue":"3","key":"key2021080202131712100_ref014","doi-asserted-by":"crossref","first-page":"358","DOI":"10.1108\/ICS-09-2018-0106","article-title":"Revisiting information security risk management challenges: a practice perspective","volume":"27","year":"2019","journal-title":"Information and Computer Security"},{"issue":"3","key":"key2021080202131712100_ref015","doi-asserted-by":"crossref","first-page":"251","DOI":"10.1016\/0167-4048(95)00001-O","article-title":"Classification of objects for improved access control","volume":"14","year":"1995","journal-title":"Computers and Security"},{"key":"key2021080202131712100_ref016","first-page":"405","volume-title":"Assets Dependencies Model in Information Security Risk Management","year":"2014"},{"issue":"4","key":"key2021080202131712100_ref017","doi-asserted-by":"crossref","first-page":"275","DOI":"10.1016\/0950-5849(95)01059-9","article-title":"Method engineering: engineering of information systems development methods and tools","volume":"38","year":"1996","journal-title":"Information and Software Technology"},{"key":"key2021080202131712100_ref018","volume-title":"Business Research Methods","year":"2011"},{"issue":"1\/2","key":"key2021080202131712100_ref019","first-page":"19","article-title":"Technology is not enough: taking a holistic view for information assurance","volume":"17","year":"2012","journal-title":"Information Security Technical Report"},{"key":"key2021080202131712100_ref020","first-page":"65","article-title":"Self protecting data for de-perimeterised information sharing","year":"2009"},{"key":"key2021080202131712100_ref021","article-title":"Government Security Classifications May 2018","author":"Cabinet Office","year":"2018"},{"key":"key2021080202131712100_ref022","volume-title":"Introducing Octave Allegro: Improving the Information Security Risk Assessment Process","year":"2007"},{"key":"key2021080202131712100_ref023","article-title":"Systems thinking, systems practice","year":"1981"},{"issue":"4","key":"key2021080202131712100_ref024","doi-asserted-by":"crossref","first-page":"181","DOI":"10.1016\/j.istr.2010.04.005","article-title":"Information security management: an entangled research challenge","volume":"14","year":"2009","journal-title":"Information Security Technical Report"},{"issue":"4","key":"key2021080202131712100_ref025","first-page":"8","article-title":"Overcoming obstacles to data classification [information security]","volume":"28","year":"2006","journal-title":"Computer Economics Report (International Edition)"},{"issue":"2","key":"key2021080202131712100_ref026","doi-asserted-by":"crossref","first-page":"525","DOI":"10.25300\/MISQ\/2019\/15117","article-title":"Seeing the Forest and the trees: a meta-analysis of the antecedents to information security policy compliance","volume":"43","year":"2019","journal-title":"MIS Quarterly"},{"key":"key2021080202131712100_ref027","first-page":"238","article-title":"From ISO\/IEC 27002:2013 information security controls to personal data protection controls: guidelines for GDPR compliance","year":"2020"},{"key":"key2021080202131712100_ref028","volume-title":"Business Process Model and Notation","year":"2011"},{"key":"key2021080202131712100_ref029","volume-title":"Fundamentals of Business Process Management","year":"2013"},{"issue":"1","key":"key2021080202131712100_ref030","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1016\/0167-4048(95)00023-2","article-title":"Security classification for documents","volume":"15","year":"1996","journal-title":"Computers and Security"},{"key":"key2021080202131712100_ref031","unstructured":"ENISA (2014), \u201cENISA Threat Landscape 2014. Overview of current and emerging cyber-threats\u201d, European Union Agency for Network and Information Security."},{"key":"key2021080202131712100_ref032","unstructured":"Ernst and Young (2008), \u201cErnst and Young 2008 Global Information Security Survey\u201d, Ernst and Young."},{"key":"key2021080202131712100_ref033","unstructured":"Ernst and Young (2010), \u201cBorderless security - Ernst and Young\u2019s 2010 Global Information Security Survey\u201d, Ernst and Young."},{"key":"key2021080202131712100_ref034","article-title":"Understanding data classification based on business and security requirements","volume":"5","year":"2006","journal-title":"ISACA Information Systems Control Journal"},{"issue":"6","key":"key2021080202131712100_ref035","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1361-3723(11)70060-4","article-title":"Building solid foundations: the case for data classification","volume":"2011","year":"2011","journal-title":"Computer Fraud and Security"},{"issue":"1\/2","key":"key2021080202131712100_ref036","first-page":"1","article-title":"A study on e-Taiwan information system security classification and implementation","volume":"30","year":"2008","journal-title":"Computer Standards and Interfaces"},{"key":"key2021080202131712100_ref037","doi-asserted-by":"crossref","first-page":"542","DOI":"10.1109\/INTECH.2016.7845064","article-title":"Complex vs. simple asset modeling approaches for information security risk assessment: evaluation with MAGERIT methodology","volume-title":"2016 Sixth International Conference on Innovative Computing Technology (INTECH)","year":"2016"},{"key":"key2021080202131712100_ref038","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1007\/978-3-8348-9788-6_4","article-title":"A simplified approach for classifying applications","volume-title":"ISSE 2010 Securing Electronic Business Processes","year":"2011"},{"key":"key2021080202131712100_ref039","article-title":"Information asset valuation method for information technology security risk assessment","year":"2008"},{"key":"key2021080202131712100_ref040","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1016\/B978-1-59-749641-4.00002-3","article-title":"Chapter 2 - federal information security fundamentals","volume-title":"FISMA and the Risk Management Framework","year":"2013"},{"key":"key2021080202131712100_ref041","first-page":"208","article-title":"Protecting information in a connected world: a question of security and of confidence in security","year":"2011","journal-title":"14th International Conference on Network-Based Information Systems (NBiS)"},{"issue":"5","key":"key2021080202131712100_ref042","article-title":"Method engineering as design science","volume":"21","year":"2020","journal-title":"Journal of the Association for Information Systems"},{"issue":"4","key":"key2021080202131712100_ref043","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1049\/ip-sen:19982197","article-title":"Method integration: the need for a learning perspective","volume":"145","year":"1998","journal-title":"IEE Proceedings - Software"},{"key":"key2021080202131712100_ref044","volume-title":"Situational Method Engineering","year":"2014"},{"issue":"1","key":"key2021080202131712100_ref045","doi-asserted-by":"crossref","first-page":"75","DOI":"10.2307\/25148625","article-title":"Design science in information systems research","volume":"28","year":"2004","journal-title":"MIS Quarterly"},{"key":"key2021080202131712100_ref046","unstructured":"ISACA (2012), COBIT 5 Enabling Processes, ISACA, Rolling Meadows, IL."},{"key":"key2021080202131712100_ref047","unstructured":"ISO\/IEC 27001 (2017), \u201cInformation technology \u2013 Security techniques \u2013 Information security management systems \u2013 Requirements\u201d, ISO\/IEC."},{"key":"key2021080202131712100_ref048","unstructured":"ISO\/IEC 27002 (2017), \u201cInformation technology \u2013 Security techniques \u2013 Code of practice for information security controls\u201d, ISO\/IEC."},{"key":"key2021080202131712100_ref049","unstructured":"ISO\/IEC 27003 (2017), \u201cInformation technology \u2013 Security techniques \u2013 Information security management systems \u2013 Guidance\u201d, ISO\/IEC."},{"key":"key2021080202131712100_ref050","unstructured":"ISO\/IEC 27005 (2018), \u201cInformation technology \u2013 Security techniques \u2013 Information security risk management\u201d, ISO\/IEC."},{"key":"key2021080202131712100_ref051","unstructured":"IT Governance Ltd (2016), \u201cISO 27001 Global Report 2016\u201d."},{"issue":"3","key":"key2021080202131712100_ref052","doi-asserted-by":"crossref","first-page":"45","DOI":"10.1109\/MSP.2009.77","article-title":"Security through information risk management","volume":"7","year":"2009","journal-title":"Security and Privacy, IEEE"},{"key":"key2021080202131712100_ref053","first-page":"145","article-title":"Cracks in the security foundation: employee judgments about information sensitivity","year":"2015"},{"issue":"9","key":"key2021080202131712100_ref054","doi-asserted-by":"crossref","first-page":"619","DOI":"10.1016\/j.infsof.2003.12.004","article-title":"Method configuration: adapting to situational characteristics while creating reusable assets","volume":"46","year":"2004","journal-title":"Information and Software Technology"},{"issue":"3","key":"key2021080202131712100_ref055","doi-asserted-by":"crossref","first-page":"51","DOI":"10.4018\/jdm.2009070103","article-title":"Towards structured flexibility in information systems development: devising a method for method configuration","volume":"20","year":"2009","journal-title":"Journal of Database Management"},{"key":"key2021080202131712100_ref056","unstructured":"Kindervag, J., Shey, H. and Mak, K. (2015), The Future Of Data Security And Privacy: Growth And Competitive Differentiation, Cambridge, MA."},{"key":"key2021080202131712100_ref057","volume-title":"A Method for Analyzing Value-Based Compliance in Systems Security","year":"2013"},{"issue":"5","key":"key2021080202131712100_ref058","doi-asserted-by":"crossref","first-page":"597","DOI":"10.1016\/j.im.2003.08.001","article-title":"Why there aren't more information security research studies","volume":"41","year":"2004","journal-title":"Information and Management"},{"issue":"7","key":"key2021080202131712100_ref059","doi-asserted-by":"crossref","first-page":"371","DOI":"10.1016\/j.telpol.2009.03.002","article-title":"National information security policy and its implementation: a case study in Taiwan","volume":"33","year":"2009","journal-title":"Telecommunications Policy"},{"issue":"6","key":"key2021080202131712100_ref060","article-title":"A framework for theory development in design science research: multiple perspectives","volume":"13","year":"2012","journal-title":"Journal of the Association for Information Systems"},{"key":"key2021080202131712100_ref061","first-page":"1","article-title":"ARiMA - a new approach to implement ISO\/IEC 27005","year":"2009"},{"issue":"2","key":"key2021080202131712100_ref062","doi-asserted-by":"crossref","first-page":"212","DOI":"10.1504\/IJRAM.2019.101287","article-title":"Dynamic interplay in the information security risk management process","volume":"22","year":"2019","journal-title":"International Journal of Risk Assessment and Management"},{"key":"key2021080202131712100_ref063","doi-asserted-by":"crossref","unstructured":"McDonald, G. (2019), \u201cA framework for technology-assisted sensitivity review: using sensitivity classification to prioritise documents for review\u201d, University of Glasgow.","DOI":"10.1145\/3458537.3458544"},{"key":"key2021080202131712100_ref064","doi-asserted-by":"crossref","unstructured":"McDonald, G., Macdonald, C., Ounis, I. and Gollins, T. (2014), \u201cTowards a Classifier for Digital Sensitivity Review\u201d, Cham, pp. 500-506.","DOI":"10.1007\/978-3-319-06028-6_48"},{"issue":"12","key":"key2021080202131712100_ref065","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1016\/S1353-4858(16)30116-7","article-title":"Data classification: keeping track of your most precious asset","volume":"2016","year":"2016","journal-title":"Network Security"},{"key":"key2021080202131712100_ref066","article-title":"Our digital legacy: an archival perspective","volume":"4","year":"2017","journal-title":"The Journal of Contemporary Archival Studies"},{"key":"key2021080202131712100_ref067","article-title":"Myndigheten f\u00f6r samh\u00e4llsskydd och beredskaps f\u00f6reskrifter om statliga myndigheters informationss\u00e4kerhet [the swedish civil contingencies agency's regulations on government agencies security information security]","author":"MSBFS 2016:1","year":"2016"},{"key":"key2021080202131712100_ref068","unstructured":"National Institute of Standards and Technology (2004), \u201cFIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems\u201d, National Institute of Standards and Technology, Gaithersburg, MD."},{"issue":"1","key":"key2021080202131712100_ref069","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1057\/s41303-016-0025-y","article-title":"Information systems security policy implementation in practice: from best practices to situated practices","volume":"26","year":"2017","journal-title":"European Journal of Information Systems"},{"issue":"6","key":"key2021080202131712100_ref070","doi-asserted-by":"crossref","first-page":"592","DOI":"10.1057\/ejis.2012.3","article-title":"Conceptualising improvisation in information systems security","volume":"21","year":"2012","journal-title":"European Journal of Information Systems"},{"issue":"3","key":"key2021080202131712100_ref071","first-page":"89","article-title":"Systems development in information systems research","volume":"7","year":"1991","journal-title":"Journal of Management Information Systems Development"},{"key":"key2021080202131712100_ref072","article-title":"A national model for information classification","volume-title":"AIS SIGSEC Workshop on Information Security and Privacy (WISP2009)","year":"2009"},{"issue":"2","key":"key2021080202131712100_ref073","first-page":"9","article-title":"The classification of information to protect it from loss","volume":"5","year":"1996","journal-title":"Information Systems Security"},{"issue":"7","key":"key2021080202131712100_ref074","doi-asserted-by":"crossref","first-page":"572","DOI":"10.1016\/S0167-4048(97)80793-6","article-title":"The strategic values of information security in business","volume":"16","year":"1997","journal-title":"Computers and Security"},{"issue":"3\/4","key":"key2021080202131712100_ref075","first-page":"1","article-title":"Comparison of risk-based and diligence-based idealized security reviews","volume":"36","year":"2007","journal-title":"EDPACS"},{"issue":"3","key":"key2021080202131712100_ref076","doi-asserted-by":"crossref","first-page":"45","DOI":"10.2753\/MIS0742-1222240302","article-title":"A design science research methodology for information systems research","volume":"24","year":"2007","journal-title":"Journal of Management Information Systems"},{"key":"key2021080202131712100_ref077","first-page":"012010","article-title":"A comparison of BPMN and UML 2.0 activity diagrams","volume":"56","year":"2008","journal-title":"VII Simposio Brasileiro de Qualidade de Software"},{"key":"key2021080202131712100_ref078","article-title":"Managing cyber risks in an interconnected world \u2013 key findings from the global state of information security survey 2015","author":"PwC","year":"2014"},{"key":"key2021080202131712100_ref079","first-page":"267","volume-title":"An Assembly Process Model for Method Engineering","year":"2001"},{"issue":"12","key":"key2021080202131712100_ref080","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1016\/S1361-3723(19)30127-7","article-title":"Why enterprises need to adopt \u2018need-to-know\u2019 security","volume":"2019","year":"2019","journal-title":"Computer Fraud and Security"},{"key":"key2021080202131712100_ref081","article-title":"Generisk flexibilitet \u2013 P\u00e5 v\u00e4g mot en komponentbaserad metodsyn [generic flexibility - towards a component-based method view]","volume-title":"VITS H\u00f6stseminarium","year":"1994"},{"issue":"1","key":"key2021080202131712100_ref082","first-page":"15","article-title":"Asset identification in information security risk assessment: a business practice approach","volume":"39","year":"2016","journal-title":"Communications of the Association for Information Systems"},{"key":"key2021080202131712100_ref083","first-page":"119","article-title":"Information security risk assessment: towards a business practice perspective","volume-title":"Australian Information Security Management Conference 2010","year":"2010"},{"key":"key2021080202131712100_ref084","unstructured":"Shey, H. (2016), Understand The State Of Data Security And Privacy: 2015 To 2016, Cambridge, MA."},{"issue":"8","key":"key2021080202131712100_ref085","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1145\/1145287.1145316","article-title":"Information security standards focus on the existence of process, not its content","volume":"49","year":"2006","journal-title":"Communications of the ACM"},{"key":"key2021080202131712100_ref086","article-title":"Using artificial intelligence to identify state secrets","year":"2016"},{"key":"key2021080202131712100_ref087","unstructured":"Swedish Civil Contingencies Agency (2018), \u201cMetodst\u00f6d f\u00f6r systematiskt informationss\u00e4kerhetsarbete [Method support for systematic information security work]\u201d, Swedish Civil Contingencies Agency."},{"issue":"4","key":"key2021080202131712100_ref088","first-page":"37","article-title":"Modeling design processes","volume":"11","year":"1990","journal-title":"AI Magazine"},{"key":"key2021080202131712100_ref089","first-page":"286","article-title":"An hierarchical asset valuation method for information security risk analysis","volume-title":"2012 International Conference on Information Society (i-Society)","year":"2012"},{"issue":"1","key":"key2021080202131712100_ref090","article-title":"Fact or fiction? A study of managerial perceptions applied to an analysis of organizational security risk","volume":"16","year":"2012","journal-title":"Journal of Organizational Culture, Communications and Conflict"},{"issue":"3","key":"key2021080202131712100_ref091","doi-asserted-by":"crossref","first-page":"245","DOI":"10.1002\/asi.20121","article-title":"Sensitive information: a review and research agenda","volume":"56","year":"2005","journal-title":"Journal of the American Society for Information Science and Technology"},{"key":"key2021080202131712100_ref092","article-title":"Design research in information systems","year":"2004"},{"key":"key2021080202131712100_ref093","volume-title":"Design Science Research Methods and Patterns: Innovating Information and Communication Technology","year":"2015","edition":"2nd ed."},{"key":"key2021080202131712100_ref094","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1016\/B978-0-444-81594-1.50016-7","article-title":"A method engineering approach to information systems development","volume-title":"Information System Development Process","year":"1993"},{"key":"key2021080202131712100_ref095","unstructured":"Veritas Technologies (2016), \u201cThe Databerg Report: see what others don\u2019t: Identify the value, risk and cost of your data\u201d."},{"issue":"2\/3","key":"key2021080202131712100_ref096","article-title":"Calculating the value of information assets","volume":"1","year":"2010","journal-title":"Newport Business School Working Paper Series"},{"issue":"3","key":"key2021080202131712100_ref097","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1016\/j.cose.2004.01.012","article-title":"Towards information security behavioural compliance","volume":"23","year":"2004","journal-title":"Computers and Security"},{"issue":"1","key":"key2021080202131712100_ref098","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1287\/isre.3.1.36","article-title":"Building information system design theory for vigilant EIS","volume":"3","year":"1992","journal-title":"Information Systems Research"},{"issue":"6","key":"key2021080202131712100_ref099","doi-asserted-by":"crossref","first-page":"681","DOI":"10.1007\/s10207-017-0382-0","article-title":"A framework for estimating information security risk assessment method completeness","volume":"17","year":"2018","journal-title":"International Journal of Information Security"},{"key":"key2021080202131712100_ref0100","volume-title":"Principles of Information Security","year":"2014"},{"key":"key2021080202131712100_ref0101","first-page":"1","article-title":"Research on supply chain information classification based on information value and information sensitivity","volume-title":"Service Systems and Service Management, 2007 International Conference on","year":"2007"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2020-0110\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2020-0110\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:03Z","timestamp":1753406583000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/29\/2\/209-239\/117722"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,3]]},"references-count":101,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2020,12,3]]},"published-print":{"date-parts":[[2021,8,3]]}},"alternative-id":["10.1108\/ICS-07-2020-0110"],"URL":"https:\/\/doi.org\/10.1108\/ics-07-2020-0110","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2020,12,3]]}}}