A Study That Connects Bounded Rationality and Information Security

As my final thesis in Business Administration at Stockholm University, I, together with Caroline Larsson, wrote a paper examining the decision-making processes surrounding information security inside Swedish governmental organizations.

Read the full paper here.

Abstract

This study investigates the impact of bounded rationality on information security decisions in public Swedish authorities. The research addresses how cognitive limitations and organizational dynamics shape decisions in this area. Utilizing qualitative research methods, in-depth interviews and document analysis, the study provides nuanced insights into decision-making processes. A thematic analysis identifies six recurring themes influencing decision-making: Awareness & Knowledge, Individual Characteristics, Organizational Culture & Behavioral Patterns, Organization & Execution, Regulatory Frameworks & Management, and Responsibility & Obligation.

The findings reveal significant influences and barriers in implementing effective security strategies, making a theoretical contribution to information security management in public sectors. This research highlights the importance of understanding human behavior in information security, offering insights to shape strategic directions for policy and practical implementation to enhance organizational and national cybersecurity resilience.