Norwegian municipalities risk management of cyber-attacks through suppliers ICT systems
Master thesis
Permanent lenke
https://hdl.handle.net/11250/3023683Utgivelsesdato
2022Metadata
Vis full innførselSamlinger
- Studentoppgaver (TN-ISØP) [1601]
Sammendrag
This thesis has looked at “how Norwegian municipalities work with the risk of cyber attacks via suppliers' ICT services” and, by extension, what requirements they place on the supply chain, both through internal processes, as a client and what is within the regulations for public procurement. Finally, the thesis has also looked at how the municipalities experience the authorities' work in the area.
We as authors chose early on to split the theory chapter into several parts. Risk, information security, cybersecurity, and procurement. This division is made to cover the necessary spectrum to answer the broad research question.
As we have used the question form "how" in this research and have had a desire to study individual events, go in depth, shed light on small details and give informants freedom to express themselves, qualitative research method with interviews is used. In total, the thesis has 14 informants spread over several municipalities, an inter-municipal cooperation, Kommune-CSIRT and Orange Cyberdefence.
Our main finding in this thesis shows that the municipalities are partly aware of the risk of cyber attacks via the supply chains and are actively working to reduce it. As of today, the municipalities in this thesis, are in the lower tier of maturity when it comes to risk, but based on long-term plans, they are in the process of implementing a better management system with common definitions, methodology and understanding of how to work with the subject area. Furthermore, through this thesis we have found findings that indicate that the municipalities could with advantage integrate a better set of standard requirements for cyber and information security in their procurements. Finally, we want to highlight the thesis' findings where the municipalities experience that there are too many government actors within the subject area, who by extension use different approaches so that it becomes confusing for the municipalities to identify recommended best practice.