Logo: to the web site of the Swedish Defence University

Digital vulnerabilities pose a major threat to keeping information secure in modern societies, yet the understanding of norms regarding information security and how they are affected by major incidents remains fairly unexplored. This thesis examines how constitutive norms and regulative norms, within the field of information security, have changed following major IT-related incidents. The thesis covers two incidents, the Swedish Transport Agency’s IT-scandal 2017 and the 1177’s data leak 2019 and aims to contribute to the under-examined field of norms in information security. Using discourse analysis, the study seeks to uncover empirical examples to identify how constitutive norms and regulative norms emerge, spread and are internalised post major Swedish IT-incidents. Utilising a constructivist approach and Sikkink & Finnemore’s norm life cycle theory, the thesis tracks the emergence and spread of norms through the discourse following the incidents. The study shows that regulative norms, such as stricter security analysis and mandatory background checks, have emerged and been strengthened in the aftermath of the incidents. The findings also suggest that it is uncertain whether long term internalisation of regulative norms on a national level has been successfully achieved or if such norms require continuous reinforcement in order to maintain effectiveness. Furthermore, this thesis finds a shift in constitutive norms where public organisations are placing more focus on security rather than cost-efficiency. These findings highlight the importance of both strengthening regulative norms and fostering a deeper cultural shift in constitutive norms to ensure sustainable improvements in information security practices within public organisations.