Challenges of Managing Information Security during the Pandemic

: The COVID-19 pandemic of 2019 surprised information security practitioners in the organizations due to the change imposed on employees’ work routines. Employees were asked to work from home, and therefore changes were necessary to reduce information security risks actively. The abrupt change of work environments brought many challenges to the practitioners, which caused them to make decisions regarding organizational information security. This article aims to uncover those challenges through an ethnography study within an organization during the fourteen months of teleworking. On an overarching level, we found four challenges to be of concern: technical security, regulations and policies, employee awareness of security issues, and, ﬁnally, preparedness for the new work environment of teleworking. We believe that the challenges brought by the analysis will inspire discussions about the future of research and practice regarding information security management in case of disasters.


Introduction
In mid-January 2020, the public health agency of Sweden [1] reported on their official website for the first time that there was a new virus spreading through China. Because of the problematic situation, a recommendation from the Sweden's public health agency was presented on March 16 [2], which encouraged everyone to work from home to prevent any further spread of the coronavirus. This recommendation would affect information security in many organizations because the pandemic presented new challenges and reshuffled priorities of issues concerning information security [3]. A reason for the potential effect on information security could be that more employees started working from home, and the way employees handled information was new to them [4].
The unprecedented number of employees who started to work from home put immense pressure on the organizations' infrastructure, equipment, and information security [5,6]. For example, the insecure nature of private home networks puts high demands on securing access to the organization's network, and one way of addressing this could be to use encrypted communication such as a virtual private network (VPN) connection. Private networks are estimated to have over 20 connected devices, and an alarming number of these are neither secure nor regularly updated [5]. Ultimately, these devices could compromise the network and make it more accessible for vulnerable points to be exploited during a cyberattack. Beyond the IT-security-related issues with employees working from home, there are also risks regarding information security and how to manage the possibility of employees accessing sensitive information safely from home [7].
Many organizations have implemented various security countermeasures to respond to the teleworking challenges [8,9]. For example, Furnell and Shah (2020) emphasize educating all employees with the necessary knowledge applicable in different situations rather than having a handful of well-educated employees [10]. It is essential to mention that the organization should strive to achieve a comprehensive information security awareness, which starts at the workplace and must be transferred into employees' homes. When educating employees on information security awareness, one must also examine what is taught, when it is taught, and how employees will likely learn [11]. On the other hand, focusing on the employees is only part of the solution, and the security is only adequate when all countermeasures, including IT security, work in harmony [7,12].
The COVID-19 pandemic significantly impacted employees' working habits, and those changes are likely to last long. The increased popularity of teleworking correlates with the alarming surge of cyberattacks, making it challenging for organizations to ensure information assets are well protected [9,10,13,14]. However, research in this area lacks empirical studies on how such challenges surfaced during the practice of managing information security during the teleworking shift of the COVID-19 pandemic. Thus, this study examines the effects of changes to the work environment on information security during COVID-19 within a group of IT professionals in the healthcare sector. The study is carried out in collaboration with a special unit within one of the biggest counties in Sweden that specializes in IT and supports many departments with, e.g., their information systems, risk analysis, system development, and procurement of technical-medical equipment. Therefore, this study poses the following research question to fulfil the study's aims: How has the abrupt change in the work environment and processes affected information security during COVID-19? This research takes us on a journey of the challenges experienced by an organization in practicing information security for over a year of teleworking. The research contributes by providing knowledge on handling abrupt changes in the work environment and processes while safeguarding information security.

Information and IT Security
Information security is meant to ensure business continuity and minimize potential business damage by limiting the impact of security incidents [15]. Organizations of all sizes handle large amounts of information, which means that they need to apply various technical and administrative measures to uphold an optimal level of confidentiality, integrity, and availability of information [16,17]. Confidentiality itself is defined as the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. Moreover, the definition of integrity is coupled with the property of accuracy and completeness. Lastly, availability is defined as being accessible and usable on demand by an authorized entity. Ultimately, information security is the protection of information and its critical elements, such as any system or hardware that uses, stores, or transmits information [16][17][18].
Often associated with information security is IT security, which is a term that encompasses the technology which is meant to support the process of electronically safeguarding the information. If information security is more focused on creating policies and guidelines to protect the assets, IT security is focused on protecting the confidentiality, integrity, availability, and traceability in the information systems [16]. In the digital age, vast amounts of information are processed, stored, communicated, and multiplied across the businesses, authorities, and organizations, small or large, in our society. Information security as a practice also involves the necessary applications and management of appropriate controls to identify and analyze a wide range of threats. Ultimately, information security aims to limit the effect and consequences of information security incidents [17].
Organizations have subsequently implemented information security solutions. However, their effectiveness depends on various technical and administrative countermeasures [19]. Moreover, the users can become a threat to any information security solution, and therefore, they are the weakest link in information security [20].

Teleworking
The International Organization for Standardization [21] specifies that all types of work done outside the office, including from home, are collectively referred to as teleworking. The importance of ensuring security requirements for teleworking to guard the sensitive information accessed and passed over the communication links has been discussed by many studies [11,[22][23][24]. One of the most outstanding issues with teleworking is ensuring information security is regarding employees not using a VPN. Another reason for this issue, which is often overlooked, is that many employees share their home space with other people, such as roommates, family, friends, or partners. The potential of these individuals gaining access to an unattended or open computer is a significant security risk. To address this, organizations invest in advanced technology and provide awareness and training programs to teach their employees the proper protocol for teleworking [24].
Because of the COVID-19 pandemic, there was an unforeseen increase of employees transitioning from working in-office to teleworking. In the US prepandemic, around 10% of employees worked from home full-time, and another 20% would work from home from time to time. In comparison, during COVID-19, almost all employees who could work from home began to do so [24]. In the EU, before the pandemic, less than 10% of the employees worked from home daily, compared to 38% by April 2020 [25].
Since the outbreak of COVID-19, the Swedish civil contingencies agency (MSB) has provided guidance and recommendations on teleworking, both for the people within organizations who coordinate the information security work and employees who are teleworking. MSB is a governmental agency responsible for issues concerning civil protection, public safety, emergency management and civil defense before, during and after an emergency or crisis in Sweden. Organizations are recommended to take action and assess their information security practices related to teleworking by asking questions such as [26,27]: • What rules apply to teleworking and the use of IT systems outside the organization? • What capacity does the organization have for how many people can work remotely? • Has the organization adopted continuity plans?
Furthermore, MSB has also provided further information on the proper safety and infrastructure when working from home on their website www.cert.se (accessed on 28 August 2021). On this website, more direct information is provided on the consequences of working from home and what to consider from both the organization's and employee's perspectives. Examples of measures to consider are [5]:

•
Only allow users to run approved applications by blocking unauthorized software. • Ensure the equipment employees use for work at home is up to date (hardware, operating systems, third-party applications, and antivirus signatures). • All communication with the organization's network and services should be secured by, for example, using VPN.

Increase of Incidents during the COVID-19 Pandemic
During the COVID-19 pandemic, there has been an increase in incidents regarding information security throughout the Swedish network [28]. Furthermore, in the annual review by the National Cyber Security Centre (NCSC), it is revealed that there has been a record number of cybersecurity incidents that occurred between September 2019 and August 2020 [29]. In addition, researchers at IT security companies report that there has been a 45% increase of cyberattacks directed at health care worldwide, and the healthcare sector tops the list for cybercriminals compared to other industries [7,30]. Concerning Sweden, during COVID-19, the number of cyberattacks has increased by 32% [30].
One reason for the increase in incidents is the transition from working in an office environment to working from home [29,31,32]. Moreover, it has been found that the vulnerabilities of organizations' systems have not increased, but the change in the work environment and work processes have affected the opportunity to exploit the vulnerabilities. The fact that employees work more from home has shifted the attack surface and made it possible for threat actors to succeed more easily with the existing vulnerabilities. In addition, the risk of human error is higher, and many organizations have been forced to come up with solutions quickly to allow their employees to complete their tasks. This ultimately means that the solutions for working from home have not been set up securely [6,31,32].
Specific organizations have been targeted primarily during COVID-19, including hospitals, medical centers, and public institutions. Cybercriminals have used ransomware attacks on these organizations. An example of such an attack is the incident in the Czech Republic on 12 March 2020, which led to the Brno University Hospital being forced to shut down its entire IT network, which also impacted the Children's Hospital and the Maternity Hospital [33]. Furthermore, from the beginning of the pandemic, cybercriminals have carried out social engineering attacks by using themes around the pandemic to distribute various malware packages. An example of this was presented in early 2020 when cybercriminals had started using fake versions of decease spread maps to gain access to personal data stored in users web browsers. With this attack, criminals got access to users credentials and credit card data [33].

Research Gap and Motivation
Several researchers have recognized that the crisis of COVID-19 sped up the deployment of new working methods and the adoption of teleworking. Different countries have adapted to the new situation on varying levels, depending on their readiness [34,35]. Organizations that invested effort, time, and sufficient budget into their digitalization avoided greater abruptions to their operations [33]. Research shows that a remarkable number of organizations, due to the crisis of COVID-19, adopted a higher level of teleworking than what they were prepared for [34,35].
Some studies have warned that organizations did not sufficiently equip employees from working in-office to teleworking. A survey study by Georgiadou, Mouzakitis and Askounis [33] aimed to evaluate the cybersecurity culture exhibited by organizations from different countries and business domains when teleworking became a necessity due to the COVID-19 crisis. One of the most stunning results of that study was that 53% of the participants had not received any security guidelines from their employers in preparation for working from home during the pandemic. Perhaps this result reflects that organizations mainly think of information security from technological security solutions, such as firewalls, antivirus software, intrusion detection systems, and security operation centers (SOCs). At the same time, the human factor is overlooked in the context of information security, even though humans and their behavior can make up the biggest threats to information security [33]. Another finding shows that in three-quarters (75%) of businesses, there are no explicit cyber security-framed, written rules that employees are expected to follow when working at home [10]. These findings are compounded by the fact that only 6% of businesses say they are 'open' to investing in cyber security training [36].
The sudden transition from office-based working to working from home dramatically changed the cyber threat landscape, leading to new cyber risks. With employees accessing the organizational resources from private units and networks, governmental agencies, cybersecurity firms, and in-house cybersecurity specialists must outline proper guidelines for the employees working from home [37]. Attempts to set up such guidelines and achieve cybersecurity throughout the organization might fail due to various reasons; among others, the solutions do not consider organizations cybersecurity requirements and the expectations of the employees working from home [38,39], or lack of employee support [10].
Previous studies concerning teleworking and information security have researched the topic from different angles. One stream of research has focused on organizational readiness to protect the data from cybercriminals while teleworking [33,40]. In those studies, the focus was on the most common cyberattacks during the pandemic. Among the cyberattacks that have technical origins, ransomware and DDoS were prevalent [7]. On the other hand, the most common techniques for social engineering used are phishing, scamming, spamming, smishing, and vishing [41]. Drawing on the trends of common security vulnerabilities and cyber threats towards teleworking, another stream of research has proposed various security controls that can reduce the risk of cyberattacks while teleworking [39]. To name a few of these controls, user education, VPN, multifactor authentication, firmware updates, software updates, antimalware software, strong security policies, and the physical security of the home office have been suggested by previous studies [7,10,38].
However, there are several gaps in the literature concerning the cybersecurity challenges of teleworking. Most of the research on teleworking has been focused on the prepandemic era when organizations had the choice, budget, and time required to prepare and facilitate an environment where employees could work from home. Thus, organizations had the opportunity to investigate how teleworking could be secured gradually. However, the COVID-19 crisis imposed the need for the mass transition to teleworking, even organizations unprepared for such a sudden transition. In this regard, the first gap involves the abrupt changes to the organization's information security practices to such changes. Moreover, extant research has paid less attention to the perspectives of employees and those who play an essential role in the rapid adaptability of teleworking. While scholars emphasize recognizing the necessity of investing in human capital to tackle information security threats [35,42,43], previous research in this area is often disconnected from employees' perspectives and how the organizational practices of teleworking take shape. Moreover, there is a discrepancy between formal processes and those used in practice, i.e., the actual processes are shaped within the enactment of day-to-day activities and their respective challenges [44][45][46]. Therefore, the second gap pinpoints the lack of empirical investigation into unraveling the complexities of information security in everyday teleworking practices during the pandemic.

Theoretical Framework
Practice theory is a prominent analytical tool for analyzing contemporary organizations, as it is generally understood to be complex, dynamic, distributed, and transient [47]. The premise of practice theory is the human agency in organizational life that performs activities that share meanings and understanding [48]. The perspective also entails exploring what people in an organization actually do instead of what they are supposed to do [49]. As opposed to the technology determinant views, which "posits technology as an external, largely independent, and irrevocable force for change" [47], the practice perspective explores the implications of information technologies for practices. It offers a distinct conception of when people actually engage with the technology in practice [50].
Various studies show that introducing best practices to an organization does not guarantee the expected results from before (e.g., [51,52]). What matters is knowing in practice; it implies that knowledge(ability) and practices are mutually constitutive "so it does not make sense to talk about either knowledge or practice without each other" [53]. The practice perspective has been employed in various areas within information security, such as risk management [54], policy development [44], and information security training [55]. The results from these studies imply that people in the organizations do not slavishly follow the imposed practices, but information security practices matter when they are enacted in practice (cf. [56]). When information security policy and business requirements conflict, individuals must find innovative ways to address the business requirements while not undermining information security [57].

Ethnography
Ethnography is the study of "a group in its natural setting for a lengthy time period, often several months or several years" [58]. Central to the ethnographic approach is the context of practice in which a researcher attempts to investigate. "Understanding actions and beliefs in their proper context provides the key to unravelling the unwritten rules and taken-for-granted assumptions in an organization" [59]. The ethnographic approach in this study allowed us to gain a deep understanding of the people who were somewhat affected by the abrupt change of working from the office to teleworking and how employees perceived information security decisions. Our investigation started in March 2020, when the Swedish health authority gave recommendations to all organizations to switch to teleworking due to the spread of the Coronavirus. The study continued till May 2021 in which the government waived such restrictions. During this period, one of the authors followed the transition to teleworking and interacted with employees, attended meetings, had conversations with them, and closely followed the information security decisions.

Research Setting
Our research study setting has been Alpha (a pseudonym), which consists of IT professionals working within one of the biggest counties in Sweden. Alpha provides support for several different healthcare departments, i.e., information systems and IT-dependent medicine technical products. As part of Alpha s responsibility, it assists other departments with risk management, implementation projects, and procurements of IT-dependable products. Furthermore, employees at Alpha have backgrounds in areas differing from computer engineer to systems science.
The majority of Alpha' staff had been working from home since the spring of 2020 in adherence to the recommendations of Sweden's public health agency. Teleworking impacted these employees' work environments and work processes.
The unit that works with information security within the county, primarily for one of the larger hospitals, states in their guidelines that ensuring the information generated and used within the healthcare must be an integral part of the departments' processes. The guidelines ultimately mean that all people who in some way manage this information have a responsibility to safeguard it. However, when browsing the county s intranet, most of the information regarding working safely from home is copied from the MSB's website. In some instances, the employees are simply directed to use a provided link that redirects them to MSB s website. There is, however, some guidance given by the county s IT department countermeasures to consider before teleworking to safeguard the information. The guidance is given more from the perspective of IT security and not information security.
Because of the laws and regulations to consider with healthcare, while upholding a complex information flow between the municipalities, primary caregivers, private clinics, and patients and staff, it is not easy to maintain acceptable information security. Furthermore, some of the issues with information security in healthcare are that the different parties do not have access to the same information systems and that they might not have the proper knowledge on information security in general, but also on what their technology needs are and what they must do with that technology to preserve, e.g., the confidentiality of their assets. Another issue could be that the departments hold onto old routines, perhaps without a reasonable cause, and then incorporate new technology, leading to unforeseen problems because of mismatch in need and solution [16].
One of the most demanding challenges for public actors is maintaining adequate resources to secure their IT environments, which has led them to deal with different and sometimes contradictory requirements and recommendations from both national and regional levels. The effect of this is that both the work with and the level of attained information security differs significantly among different public actors. Moreover, the challenges build on all operations undergoing a rushed digitalization due to the pandemic [60].

Data Collection
Below we present the sources and procedure of the data collection. The data were gathered qualitatively using different techniques explained in the following sections. By applying different data collection methods, the study benefited from methodological triangulation, which gives the credibility of the results [61][62][63].

Internal Documents
Document analysis is a type of qualitative research that applies a systematic procedure to analyze documentary data to answer specific research questions [63], a method used for several years in qualitative research [62]. As with other methods in qualitative research, document analysis is an iterative process that involves repeated review and interpretation of the data to enable empirical knowledge to be gained [63].
This method is effective because it can provide the researcher with insight and understanding of the roots of the phenomena of the study [62]. The researcher can also apply this data collection method to track change and development by comparing available documents related to the research topic [62]. Moreover, by reviewing periodic and final reports, the researcher can picture how an organization has performed over time [62].
Document analysis can result in citations, quotations, or even complete passages drawn from, i.e., records, correspondence, and official reports [64,65]. Moreover, using data analysis collectively with another data collection method, the researcher can contextualize data collected during interviews by drawing data from documents [62].
Therefore, as part of the data collection, internal documents available to Alpha were analyzed. Internal newsletters were analyzed to understand when the employees started teleworking and which information was given in the process of moving from working in-office to from home. The first newsletter mentioning COVID-19 was published at the end of February 2020, and from 13 March, Alpha started teleworking as much as possible to avoid spreading the virus in the workplace.
Moreover, different websites of the county s intranet have been reviewed to gain insight into the information available to employees regarding information security and news related to information security during COVID. For example, one webpage (last updated 31 March 2020) provides information on information security during the pandemic. However, this webpage is mainly made up of links to other sites to get advice, information on malicious emails, or incidents linked to information security and COVID-19. An example of one of the external sites that are linked is informationssakerhet.se. This gives off the impression that the county itself has no information of its own to provide but relies heavily on external sources and primarily directs its employees to these external sources.
Available policies regarding teleworking have also been included. One of which deals with teleworking with mobile equipment, and another explains the routine for teleworking within the county. The one about mobile equipment predated the pandemic and was last updated 5 July 2019. This policy only mentions information security once, which is linked to the general policy on information security within the county, which does not even include teleworking. The second routine on teleworking was last updated on 14 January 2019, and in this one, information security is mentioned twice. The main message is that the same degree of information security must be upheld when teleworking as when working in the office, but the focus is on the technical aspect of teleworking. The routines that were in place before the pandemic provided the employees with simple conditions to handle computer and information appropriately when teleworking, which included: To be mindful of where in the home to telework (i.e., not angled towards a window).
In addition, tips provided by the county s IT department were analyzed. These tips are limited to IT security and what the employee should think of when starting to work from home, i.e., they need a computer provided by the employer and access to a stable ethernet connection.
Lastly, guidelines were analyzed to better understand the prerequisites of the employees transitioning from working in the office to teleworking. For example, in March 2020, the county published guidelines concerning how some departments, including Alpha, would work during the COVID-19 crisis. This showed us that the focus was on how the employees would have to analyze their health to help stop the spread of the virus, but the information about teleworking was limited. The county primarily referred to the older routine mentioned above and the technical requirement such as a VPN connection to access the intranet. Some information was also provided about statutory and contractual rules and insurance, with no mention of information security.

Diaries
The analyzed diaries entail minutes of meetings and thoughts written down in retrospect. The meeting minutes provided insight into the different types of meetings being held and the different parties participating. The thoughts written down in retrospect provided insight into when the pandemic started to affect Alpha, both concerning their work environment and processes. Furthermore, these thoughts included observations of other employees' behavior and actions regarding information security. For example, in some instances, family members of participants in digital meetings could be heard in the background, which would question the environment the employee worked in where sensitive information might be discussed or handled. A complimentary interview was done with another expert within the county, who reviewed and confirmed the findings to minimize the researchers' bias.

Focus Groups
During our data-gathering period, the employees at Alpha were teleworking. Therefore, it was not possible to have conversations with them while working in the office. We sought a technique to involve them more actively. In this regard, a focus group technique is a feasible approach to interview several participants simultaneously [58]. A focus group method is a qualitative data-gathering technique that involves participants in a planned discussion to explore a specific topic [66]. Moreover, the method is an interactive discussion between participants, led by a moderator, focusing on a specific set of issues [67].
The focus group sessions were conducted by a moderator responsible for running the session and guiding the participants through the questions and discussions. This approach requires the moderator to be highly involved to make sure that all participants get a chance to voice their thoughts. Moreover, it is up to the moderator to interject in the discussion and probe for deeper discussions based on the answers when it is appropriate [68]. The level of involvement by the moderator depends on the openness of the research questions [69].
This research method highlights the interaction between participants and what they may reveal about shared ideas, reactions, or opinions on the topic discussed. Furthermore, this allows for the participants to follow up on each other's answers [66]. Typically, for documentation, the focus group sessions are recorded in some way, either with just audio or also with video, which can be done with several types of equipment or tools. This allows for the material to be analyzed once the sessions are concluded. The approach is similar to how other qualitative data collection approaches document their sessions, for example, interviews and observations [70]. In addition, the collected data from these sessions are not limited to the transcripts of the session but may also include notes taken by the moderator, body language, results from debriefing sessions, or any presession questionnaires [66]. Furthermore, the analysis process of the material starts while conducting the sessions, which is done by listening for inconsistent, vague, or cryptic comments [71]. Some additional tips for developing focus group questions are avoiding vague wording, phrasing the questions as open-ended, and designing the questions from general to more specific [72].
The procedure of each session was as follows. First, the facilitator gave a brief introduction to the practicalities of the session. Second, we started the discussion by asking the participants about their experience of working with different platforms during the pandemic and what they think of information security in general. Third, we deepened the discussion on information security practices during teleworking, and the work situation and the work environment have affected information security. Next, we asked the participants how they perceived the guidelines and regulations regarding a secure teleworking environment. The rest of the session was dedicated to understanding information security awareness among the participants. In this regard, we presented them with three scenarios in which the use of IT systems was deemed risky. After each scenario, we asked them about their reaction to a presented situation and what security risks they see relevant to the case. We closed the session by having a general discussion focused on reflecting upon their attitude toward information security after the pandemic and what improvements they could suggest.

Data Analysis
Qualitative data from the documents, diaries, and transcripts from the focus group sessions allowed us to create a "thick" description of events concerning the practice of information security for safeguarding teleworking during the data-gathering phase [73]. We sought to question what information security challenges surfaced and how the employees at Alpha reacted to them. Next, we adhered to the guidelines of thematic analysis for coding and reporting the results [74]. The process involves assigning codes to the transcribed data and then grouping the codes into themes for analysis. First, the authors read through the documents and transcripts to understand the events and key activities. Second, the materials were analyzed by applying codes to every passage of the transcript. Next, after coding all contents, the codes were compared to each other, and in case there was an association with each other, higher-order categories were created.

Results
Alpha encountered different challenges regarding the secure management of work routines when transferred to a home environment. Those challenges relate to how the organization prepared itself regarding teleworking on a general level. Examples of this are the perceived levels of how good and stable the IT tools and security were at the pandemic's beginning, dealing with rules and regulations, awareness of secure teleworking practices, and, lastly, preparedness after the pandemic. Below we present these challenges in great detail.

Challenges with the Technical Security
Various IT-related challenges surfaced throughout the teleworking period. The county had many IT tools in place but lacked the means to create a secure teleworking environment. Alpha expressed concerns regarding which tools are deemed secure to use in which situations while the county had not yet had resources to assess all the risks associated with the IT environment. For example, Alpha was using all or some of the same meeting platforms available within the whole county; Skype for Business, Teams, Cisco VMR (Virtual Meeting Room), Zoom, and Cisco Video Conferencing. The work routines dictated them to choose from a pool of various communication tools since various authorities and organizations within the county use different tools. The challenge for Alpha was to answer users' (i.e., other employees within the county) questions regarding the security of different tools and platforms since the tools assessments have either not been widely known within the county or simply have not been completed.
We get many questions about platforms and whether they are secure or not and what types of information classes they can be used for. And not least considering that we currently have a Skype to Teams transition, which is admittedly paused, and that is one of the reasons why we used Cisco VMR sometimes because we at least got it verbally that it is more secure because the IT environment is here [administered and located within the county and not outsourced].
On the other hand, participants from Alpha have brought up the issue of employees being confused about which platform to choose since Teams is the standard meeting platform in the county. Therefore, employees had little to no time pondering about the characteristics of meetings and which platform to use since they can only arrange meetings with Teams. The other platforms most often hinge on employees being invited from other parties such as foreign companies, other counties, or authorities.
Another challenge was related to maintaining the same level of protection, because the IT used to telework should be handled in the same way as it would have been in the office; kept out of reach of unauthorized people, locked, and kept separate to the smart card which, i.e., allows connecting to the VPN service. However, Alpha could not manage all aspects of employees home offices, as two experts brought up the issue at Alpha: If there is a print queue and paper come out even if the computer is locked.
There may be a document waiting in the printer queue that is patient-sensitive and that could be printed with the other documents that the family member wanted to print out.

Challenges with the Policies and Regulations
This challenge relates to the rules and regulations in place regarding information security when teleworking within the county. In general, it was observed that the employees had not spent any time before the focus group session to reflect on the rules for teleworking. This finding came as a surprise because cyberattacks have been a hot topic within the county during the pandemic. The situation could be related to the fact that no rules or regulations regarding information security when teleworking could be found on the county s intranet or that the information was not accessible to all. Instead, employees are expected to act with common sense and adapt their security behavior from in-office to teleworking. This might be a reasonable expectation of employees at Alpha owing to their technical competencies. However, in the broader perspective, this is not sufficient for employees that do not work with information security or questions related to information security. Participants from the focus groups believed that this situation needs to be improved and demanded: Develop a more structured and organized work with information and education in information security for the employees. And how we should act when we work from home.
However, top-down policies and regulations are deemed part of the solution, and it should be complemented a knowledge-sharing platform where employees and experts can exchange information as a unit. Alpha revealed that they have identified that they too should aim to get better at educating themselves on information security: We belong to a group that has better knowledge of information security than others, but it is important to continue to keep the dialogue open and remind each other of what applies.
Therefore, other challenges surface when there is no face-to-face contact as opposed to the office-presence which requires good communication between the team members and the team with other employees: Perhaps we should also be better at transferring knowledge, especially to new employees. Then we also need to think about how we can help each other in work on information security when we are not sitting in the same corridor.

Challenges with the Information Security Awareness
As part of their tasks prior to the pandemic, Alpha had previously worked continuously to raise employees' awareness regarding information and IT security practices to safeguard the information. However, broadening that awareness to be applied while teleworking has not been a focus. Internally, Alpha has discussed issues related to teleworking from various perspectives, such as IT security and information security. However, they have not identified similar discussions being held in a significant number of Alpha's departments within the county. The responsibility of ensuring that employees follow regulations and policies regarding information security lies with the individual department managers, and they are tasked with following up that their employees follow the established regulations. However, no follow-ups have been made in connecting to the increase of teleworking.
When Alpha transferred into teleworking, its first activity was to re-educate its employees, and the second was to ensure that the organizational awareness would remain effective. However, there were various bumps in the road regarding keeping up with the information security work when working with their users. The previous awareness (i.e., before the pandemic) regarding working securely with confidential information should be transferred to the new way of working. Nevertheless, Alpha had a hard time changing the mindset of the employees so that they were compliant with the best practices. For example, a challenge was to get a message across when working with the patient's data from home: These are the kind of things that you sit at work and have paperwork on patients that you've been given paper, so you can't take them home. The papers are going to stay at work and be locked up. Similarly, it should be with a laptop. You are not allowed to download patient information on a laptop and bring them home to work with them. Then you've taken them out of the workplace. I don't think people are aware that this is the case. There is no awareness of it.
The most significant challenge for the county regarding rules, regulations, and policies regarding teleworking was to provide clear and easy-to-read rules for the employees to follow while also ensuring that each individual has the opportunity to follow the rules and make a choice to follow them. The process of following up is an integral part of allowing employees to telework, and therefore, the challenge was to involve the managers in this as well.
Moreover, there were some challenges to measuring the effectiveness of information security awareness due to various reasons. One reason was related to the fact that monitoring employees is more difficult in the home environment. Security in the office environment is much more restrictive due to the physical and administrative countermeasures that Alpha could check were in place: I have reflected about how I know who is in the meeting and that no one else is listening. The rooms [meetings] do not have four walls in the same way as physical meetings.
However, there were uncertainties concerning monitoring if employees apply their security training and education at home. For example, security experts at Alpha could not observe if employees would write their username/password for any tools, platforms, or systems on sticky notes. An expert at Alphas brought up the pre-existing issue with computer locking during lunchtime and how that could escalate when teleworking: Considering how difficult it is for healthcare departments to secure information when people are at work, for example, to lock the computer when you go to lunch, it will not be easier when people work from home.

Challenges with the Preparedness
This theme deals with the level of preparedness on information security and teleworking before the pandemic and the continued preparedness for potential issues after the pandemic.
An example of the issues Alpha experienced was that the VPN was not dimensioned for the increased number of users and forced the IT department to quickly upgrade and divide the users into different connections. If the county did not have the tools and culture for teleworking, issues like the VPN might not have been surprising. However, considering the efforts towards digitalization and the many collaborations within Sweden and internationally, this was unexpected.
I do not think that instructions or recommendations on how to work at home have kept pace with the change in the work environment. I think there is a lack of information material.
Furthermore, the focus group sessions revealed a gap in information security knowledge between the participants. When asked, most participants could not define information security, nor what activities they perform in their roles as part of Alpha related to informa-tion security. The following is an example of one of the answers given when asked how they work with information security: Like a little all the time depending on how you define information security. It is infrequent during a day that it is stated that 'this is about information security'.
However, a few more experienced employees could give a fair definition of information security and answer what activities relate to information security they perform internally at Alpha, with users, and for customers. In combination with answers given when asked about scenarios regarding teleworking, it was inferred that the participants firstly think about IT security and secondly information security. Consequently, Alpha was more prepared for handling IT security issues than information security-related issues.
Moreover, a subtheme emerged: the new normal. This subtheme was identified through the discussions on teleworking on a broader scale and the fact that many organizations within the county have found ways of continuing working without employees' in-office presence. This new normal state for some departments may not change once the pandemic is over. For example, both from an environmental and economic perspective, allowing employees that spend many hours in meetings to work from home and using digital meeting platforms (i.e., Teams) is quite appealing. It would not come as a surprise if the county makes it a rule to use digital meetings as a first choice and meet face-to-face as a second choice if participants must travel to participate. Furthermore, as can be seen below, the participants in the focus group agreed that this new normal is not something that will go away once the pandemic is over: I have been thinking that it will never be the same after the pandemic because many will not come back [to work in the office].
Relating to the central theme of preparedness, with the new normal of increased use of teleworking on a broader scale, Alpha anticipated a need for the county to review its policies, guidelines, tools, and education to prevent any incidents regarding information security from occurring. When experts from Alpha were asked if they believed that there would be any incidents in need of handling once the pandemic has passed, one replied: On the other hand, I think it is something that you have to work with and put in place rules about this because I am convinced that sitting at home and working has come to stay. I think there will be a lot of this in the future. And we notice that using these tools for meetings in the region has made it much easier. You don't have to go to meet and such, but then you actually need to reason about the prerequisites to be able to do it.
In Table 1, we summarize the challenges experienced by Alpha:

Discussion and Conclusions
Understanding abrupt changes in the work environment imposed by the COVID-19 pandemic on IT and information security management is crucial, given the consequences of increased cyberattacks globally during this period. Analyzing the challenges of such abrupt changes in security management paves the way towards better preparedness for future crises and a secure transition to teleworking. Our investigation of Alpha during 14 months of teleworking resulted in four broad categories of security management challenges: technical security, rules and regulations, information security awareness, and preparedness. Our study contributed to security research in two ways. First, most studies done in the context of teleworking during the COVID-19 pandemic are disconnected from the organization's context and how practices take form [47]. While prior studies on cybersecurity challenges of teleworking before, this study is among the first that has empirically investigated this topic. Our results give a detailed view of the security challenges that have emerged through the abrupt changes in the working environment. Second, our study complements previous studies by reinforcing the involuntary aspect of teleworking. Previous studies have focused on home-user and telework groups who willingly change the work environment, who might not be necessarily the same, for example, in a pandemic situation in which in-office employees were forced to work from home. Below, we discuss each challenge in the light of literature and the analytical lens of practice theory.
Concerning the technical challenges experienced by Alpha, two aspects seemed prominent. First, Alpha dealt with technical difficulties of teleworking (e.g., accessing and using a stable VPN) that affected all employees teleworking within the county. Second, Alpha had challenges regarding technical security outside its control zones, such as employees' working devices and external organizations. The abrupt changes to teleworking made it challenging to immediately respond to such considerations' various technicalities for technical security controls. Various research has pinpointed the technical controls as a requirement of teleworking [7,13]. However, our research showed that in practice, technical security does not always stem from the organizational premises, but the chain of stakeholders' IT devices and infrastructure should be focused on too. One example is that, despite providing a secure VPN to employees, a simple DNS poisoning attack on the home router will simply circumvent all the confidentiality and integrity security provided by the VPN tunnel. From a practice perspective, our result strengthened the need for more empirical research on practical challenges instead of focusing only on the prescriptions of best practices or what actors aspire to do [75].
Concerning policies and regulations of teleworking, our result shows that policies regarding secure teleworking were perceived differently among the top management and the employees. On the one hand, managers believed that prepandemic policies and regulations regarding secure teleworking were deemed sufficient, contrary to what employees brought up during the focus group sessions. Moreover, another challenge that could be the reason behind this discrepancy of viewpoints was the lack of follow-up routines to monitor if the teleworking policies were followed. It is crucial to mention that lack of communication from top-down and bottom-up contributed significantly to dislodging the role of the policies and regulations [44,76,77]. Previous studies suggest having policies in place to ensure physically protect home office devices [7,10]. However, the inherent practice challenge we found in a teleworking situation is the difficulty of follow-up if physical home space and working environment comply with the policies.
The major challenge regarding raising employees' awareness of secure teleworking was the county s overreliance on employees' knowledge of teleworking before the pandemic since the culture of working from home existed at many departments within the county, albeit not all employees had this experience. Such a mindset underestimated the need for new and updated security awareness, mainly ignoring that many employees were working from home for the first time. The result agrees with the low security awareness and training programs during the pandemic [36,37]. Our analysis shows that the challenge lies within a strategic approach towards security management decoupled from organizational practices [78]. While strategic enforcement on protecting high-impact areas (e.g., the confidentiality of patient data) existed at Alpha, devising controls (e.g., security awareness) was not in line with the new means of change in the work environment, i.e., teleworking. Therefore, our result points to the situated challenges and practical resolutions introducing conflicting priorities which is in agreement with the practice theory: shifting of structures must take place in everyday crises of routines and the inadequacy of knowledge with which the agent, carrying out a practice, is confronted in the face of a situation [79]. The contribution, herein, is the challenge of misalignment of security practices with the changing of routines when shifting towards teleworking.
Concerning the preparedness theme found for our empirical investigation, it seemed that Alpha's prior culture of teleworking helped with the forced transition at the beginning of the pandemic. As many scholars agree that teleworking will become a new norm in many organizations [9,10], there is still a lack of knowledge if the management of securing has kept up with the speed of transition. Particular attention should be given to the lessons learned during the pandemic period regarding the effects of IT and information security decisions on the organizations' overall security posture. Our study contributes to this debate by theorizing the interaction between changes to work routines and InfoSec management. The implication of this research is to fill the gap between the challenges that emerge from the practice compared to the prescription of best practices. While the traditional view on security management indicates best practices resemble situated practices [76,80], the combination of findings supports the conceptual premise that it is crucial to account for the challenges that emerge from work practices.
We acknowledge some of the limitations of this study which will hopefully lead to a natural progression of this work. This study was limited to one unit; thus, the findings cannot be generalized. A more extensive sampling would provide statistical generalizations into how organizations have experienced the changes due to the pandemic. One example could be to test whether there is a statistically meaningful relationship between preparedness and security incidents. Future research could look further into how other organizations have experienced changes in information security during the pandemic, how challenges were addressed, and present recommendations for organizations to mitigate the challenges brought by this study. Moreover, our studied organization did not experience any apparent cyberattack during the pandemic. While some cyberattacks are passive and go undetected, it could be interesting to study organizations that experienced cyberattacks during the teleworking period and study the relationship between teleworking practices and cyberattack success.