dc.description.abstract | This thesis has looked at “how Norwegian municipalities work with the risk of cyber attacks
via suppliers' ICT services” and, by extension, what requirements they place on the supply
chain, both through internal processes and as a client, and what lies within the regulations for
public procurement. Finally, the thesis has also looked at how the municipalities experience the
authorities' work in the area.
We as authors chose early on to split the theory chapter into several parts: risk, information
security, cybersecurity, and procurement. This division is made to cover the spectrum
necessary to answer the broad research question.
Because this research uses the question form "how", and because we wanted to study
individual events, go in depth, shed light on small details and give informants freedom to
express themselves, a qualitative research method with interviews is used. In total, the thesis
has 14 informants spread over several municipalities, an inter-municipal cooperation,
Kommune-CSIRT and Orange Cyberdefense.
Our main finding in this thesis shows that the municipalities are partly aware of the risk of
cyber attacks via the supply chains and are actively working to reduce it. As of today, the
municipalities in this thesis are in the lower tier of maturity when it comes to risk, but based
on long-term plans, they are in the process of implementing a better management system with
common definitions, methodology and understanding of how to work with the subject area.
Furthermore, this thesis has produced findings that indicate that the municipalities
could benefit from integrating a better set of standard requirements for cyber and information
security in their procurements. Finally, we want to highlight the thesis' finding that the
municipalities experience that there are too many government actors within the subject area,
and that these actors use different approaches, which makes it confusing for the municipalities
to identify recommended best practice. | |