Search results

This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).

This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.

This study’s demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.

The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.

Practitioners can use the model to develop software that assist information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.

The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.

The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.

The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.

Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations.

Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

The purpose of this paper is to examine the challenges that arise when introducing an electronic identification (eID) card for professional use in a health-care setting.

This is a case study of an eID implementation project in healthcare. Data were collected through interviews with key actors in a project team and with eID end users. The authors viewed the eID card as a boundary object intersecting social worlds. For this analysis, the authors combined this with an electronic government initiative challenge framework.

The findings of this paper illustrate the interpretative flexibility of eID cards and how eID cards as boundary objects intersect social worlds. The main challenges of implementing and using eID cards in healthcare are usability, user behaviour and privacy. However, the way in which these challenges are interpreted varies between different social worlds.

One of the implications for future practice is to increase our understanding of the eID card as a socio-technical artefact, where the social and technical is intertwined, at the same time as the eID card affects the social as well as the technical. By using a socio-technical perspective, it is possible to minimise the potential problems related to the implementation and use of eID.

Previous research has highlighted the need for more empirical research on identity management. The authors contextualise and analyse the implementation and use of eID cards within healthcare. By viewing the eID card as a boundary object, the authors have unveiled its interpretative flexibility and how it is translated across different social worlds.

This paper aims to investigate how congruent keywords are used in information security policies (ISPs) to pinpoint and guide clear actionable advice and suggest a metric for measuring the quality of keyword use in ISPs.

A qualitative content analysis of 15 ISPs from public agencies in Sweden was conducted with the aid of Orange Data Mining Software. The authors extracted 890 sentences from these ISPs that included one or more of the analyzed keywords. These sentences were analyzed using the new metric – keyword loss of specificity – to assess to what extent the selected keywords were used for pinpointing and guiding actionable advice. Thus, the authors classified the extracted sentences as either actionable advice or other information, depending on the type of information conveyed.

The results show a significant keyword loss of specificity in relation to pieces of actionable advice in ISPs provided by Swedish public agencies. About two-thirds of the sentences in which the analyzed keywords were used focused on information other than actionable advice. Such dual use of keywords reduces the possibility of pinpointing and communicating clear, actionable advice.

The suggested metric provides a means to assess the quality of how keywords are used in ISPs for different purposes. The results show that more research is needed on how keywords are used in ISPs.

The authors recommended that ISP designers exercise caution when using keywords in ISPs and maintain coherency in their use of keywords. ISP designers can use the suggested metrics to assess the quality of actionable advice in their ISPs.

The keyword loss of specificity metric adds to the few quantitative metrics available to assess ISP quality. To the best of the authors’ knowledge, applying this metric is a first attempt to measure the quality of actionable advice in ISPs.

This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives.

A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares.

The results suggest that when using the value-monistic measure, employees’ compliance was a function of employees’ intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees’ compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values.

The results are based on small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees’ compliance with information security policies.

Practitioners and researchers should be aware that there is a difference in measuring employees’ compliance using value monistic and value pluralism measurements.

Few studies exist that critically compare the two different compliance measures for the same population.

The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about.

The results are based on a literature review of inter-organisational information security research published between 1990 and 2014.

The authors conclude that existing research has focused on a limited set of research topics. A majority of the research has focused management issues, while employees’/non-staffs’ actual information security work in inter-organisational settings is an understudied area. In addition, the majority of the studies have used a subjective/argumentative method, and few studies combine theoretical work and empirical data.

The findings suggest that future research should address a broader set of research topics, focusing especially on employees/non-staff and their use of processes and technology in inter-organisational settings, as well as on cultural aspects, which are lacking currently; focus more on theory generation or theory testing to increase the maturity of this sub-field; and use a broader set of research methods.

The authors conclude that existing research is to a large extent descriptive, philosophical or theoretical. Thus, it is difficult for practitioners to adopt existing research results, such as governance frameworks, which have not been empirically validated.

Few systematic reviews have assessed the maturity of existing inter-organisational information security research. Findings of authors on research topics, maturity and research methods extend beyond the existing knowledge base, which allow for a critical discussion about existing research in this sub-field of information security.

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

The results are based on a literature review of ISP management research published between 1990 and 2017.

Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.

Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

The purpose of this paper is to develop a method for information classification. The proposed method draws on established standards, such as the ISO/IEC 27002 and information classification practices. The long-term goal of the method is to decrease the subjective judgement in the implementation of information classification in organisations, which can lead to information security breaches because the information is under- or over-classified.

The results are based on a design science research approach, implemented as five iterations spanning the years 2013 to 2019.

The paper presents a method for information classification and the design principles underpinning the method. The empirical demonstration shows that senior and novice information security managers perceive the method as a useful tool for classifying information assets in an organisation.

Existing research has, to a limited extent, provided extensive advice on how to approach information classification in organisations systematically. The method presented in this paper can act as a starting point for further research in this area, aiming at decreasing subjectivity in the information classification process. Additional research is needed to fully validate the proposed method for information classification and its potential to reduce the subjective judgement.

The research contributes to practice by offering a method for information classification. It provides a hands-on-tool for how to implement an information classification process. Besides, this research proves that it is possible to devise a method to support information classification. This is important, because, even if an organisation chooses not to adopt the proposed method, the very fact that this method has proved useful should encourage any similar endeavour.

The proposed method offers a detailed and well-elaborated tool for information classification. The method is generic and adaptable, depending on organisational needs.