Search results

1 – 10 of over 10000
Open Access
Article
Publication date: 13 February 2023

Elham Rostami, Fredrik Karlsson and Shang Gao

Abstract

Purpose

This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).

Design/methodology/approach

This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.

Findings

This study’s demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.

Research limitations/implications

The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.

Practical implications

Practitioners can use the model to develop software that assists information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.

Originality/value

The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.

Details

Information & Computer Security, vol. 31 no. 3
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 21 December 2021

Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk

Abstract

Purpose

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

Design/methodology/approach

The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.

Findings

The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.

Research limitations/implications

The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.

Practical implications

Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations.

Originality/value

Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Open Access
Article
Publication date: 8 January 2020

Elham Rostami, Fredrik Karlsson and Ella Kolkowska

Abstract

Purpose

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

Design/methodology/approach

The results are based on a literature review of ISP management research published between 1990 and 2017.

Findings

Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.

Research limitations/implications

Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

Practical implications

The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Originality/value

Today, there are no literature reviews on the extent of computerised support for the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Details

Information & Computer Security, vol. 28 no. 2
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 21 April 2020

Rob Vluggen, Relus Kuijpers, Janjaap Semeijn and Cees J. Gelderman

Abstract

Purpose

Social return on investment (SROI) is a systematic way of incorporating social values of different stakeholders into public sector decision-making on sustainability. This study aims to identify salient factors that influence SROI implementation.

Design/methodology/approach

The interactions of four Dutch municipalities and their social enterprises were examined, by analyzing relevant documents and interviewing key actors.

Findings

External forces appear to have little influence on SROI implementation. Management systems, legal restrictions in relation to privacy and the administrative burden appear to hinder SROI implementation. Findings suggest that trust among the parties involved and their representatives is a major driver for SROI development. SROI is not measured well enough, which complicates analyzing and reporting its development.

Research limitations/implications

Achieving collaboration through trust is a characteristic of stewardship theory, and therefore useful for studying social sustainability. Combining agency and stewardship theory provides useful insights concerning the application of control mechanisms versus empowerment.

Practical implications

Barriers can be overcome by informing and engaging suppliers in SROI initiatives. Furthermore, findings of this study suggest that it is easier for municipalities to incorporate SROI when social firm activities are insourced. An independent procurement function stimulates SROI development. Engaged professionals can make the difference in SROI policy implementation, more so than written policies.

Social implications

SROI enables social sustainability. SROI can be used by public agencies to provide meaningful activities for the long-term unemployed and underprivileged adolescents.

Originality/value

The study is the first empirical work that relates public procurement to SROI implementation and its effect on suppliers. The findings provide valuable insights into government influence on social enterprises.

Details

Journal of Public Procurement, vol. 20 no. 3
Type: Research Article
ISSN: 1535-0118

Open Access
Article
Publication date: 1 March 2024

Songhee Kim, Jaeuk Khil and Yu Kyung Lee

Abstract

This paper aims to investigate the impact of corporate dividend policy on the capital structure in the Korean stock market. To distinctly discern the voluntariness of changes in corporate dividend policy, we analyze companies that, following a substantial increase, do not reduce dividends for the subsequent two years or, after a significant decrease, do not raise dividends for the following two years. Our empirical findings indicate that companies that increase dividends experience a significant decrease in both book and market leverage, even after controlling for variables such as target leverage ratios. This result suggests that a large increase in dividends can effectively reduce information asymmetry, leading to a lower cost of equity. On the contrary, after a decrease in dividends, both book leverage and market leverage significantly increase, revealing a symmetric relationship between dividend policy and capital structure. In conclusion, large dividend increases in Korean companies not only reduce information asymmetry but also lower the cost of equity capital, resulting in observable changes in the leverage ratio.

Details

Journal of Derivatives and Quantitative Studies: 선물연구, vol. 32 no. 2
Type: Research Article
ISSN: 1229-988X

Open Access
Article
Publication date: 17 April 2024

Elham Rostami and Fredrik Karlsson

Abstract

Purpose

This paper aims to investigate how congruent keywords are used in information security policies (ISPs) to pinpoint and guide clear actionable advice and suggest a metric for measuring the quality of keyword use in ISPs.

Design/methodology/approach

A qualitative content analysis of 15 ISPs from public agencies in Sweden was conducted with the aid of Orange Data Mining Software. The authors extracted 890 sentences from these ISPs that included one or more of the analyzed keywords. These sentences were analyzed using the new metric – keyword loss of specificity – to assess to what extent the selected keywords were used for pinpointing and guiding actionable advice. Thus, the authors classified the extracted sentences as either actionable advice or other information, depending on the type of information conveyed.

Findings

The results show a significant keyword loss of specificity in relation to pieces of actionable advice in ISPs provided by Swedish public agencies. About two-thirds of the sentences in which the analyzed keywords were used focused on information other than actionable advice. Such dual use of keywords reduces the possibility of pinpointing and communicating clear, actionable advice.

Research limitations/implications

The suggested metric provides a means to assess the quality of how keywords are used in ISPs for different purposes. The results show that more research is needed on how keywords are used in ISPs.

Practical implications

The authors recommended that ISP designers exercise caution when using keywords in ISPs and maintain coherency in their use of keywords. ISP designers can use the suggested metrics to assess the quality of actionable advice in their ISPs.

Originality/value

The keyword loss of specificity metric adds to the few quantitative metrics available to assess ISP quality. To the best of the authors’ knowledge, applying this metric is a first attempt to measure the quality of actionable advice in ISPs.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 14 December 2022

Mashilo Modiba

Abstract

Purpose

This study aims to investigate how a policy framework can be applied in the use of artificial intelligence (AI) for the management of records at the Council for Scientific and Industrial Research (CSIR) in South Africa. A policy and legal framework enables the records divisions to protect, administer and make their records available in a safe and professional way. Policies play a crucial role in ensuring that records are properly managed.

Design/methodology/approach

Convergent mixed-methods research was conducted, and data were collected using interviews and questionnaires. Data were analysed thematically and statistically and presented in tables and figures.

Findings

The study reveals that the policy framework should also include the application of AI for the management of records. Therefore, this study further concludes that the CSIR should review their policy framework to ensure the application of AI for the management of records is accommodated.

Originality/value

The study proposed a framework to guide the application of the policy framework in using AI for the management of records at CSIR. It is hoped that the proposed framework will serve as a guideline for the implementation of a policy framework in the utilisation of AI in the archives and records management sector.

Details

Collection and Curation, vol. 42 no. 2
Type: Research Article
ISSN: 2514-9326

Open Access
Article
Publication date: 6 June 2022

Lovisa Göransson Ording, Shang Gao and Weifeng Chen

Abstract

Purpose

The purpose of this paper is to investigate what role literature-based inputs have on the information security policy (ISP) development in practice.

Design/methodology/approach

First, a literature review is carried out to identify commonly used inputs for ISP development in theory. Second, through the lens of institutional theory, an interpretive approach is adapted to study the influence of literature-based inputs in the ISP development in practice. Semi-structured interviews with senior experienced information security officers and managers from the public sector in Sweden are carried out for this research.

Findings

According to the literature review, 10 inputs for ISP development have been identified. The results from the interviews indicate that the role inputs have on the ISP development serves as more than a rational tool, where organisational context, institutional pressures and the search for legitimacy play an important role.

Research limitations/implications

From the institutional perspective, this study signifies that the influence of inputs on ISP development can be derived from institutionalised rules or practices established by higher authorities; actions and practices that are perceived as successful and often used by other organisations; and the beliefs of what is viewed as appropriate to meet the specific pressures from stakeholders.

Practical implications

This research recommends five practical implications for practitioners working with the ISP development. These recommendations aim to create an understanding of how an ISP could be developed, considering more than the rational functionalist perspective.

Originality/value

To the best of the authors’ knowledge, it is the first of its kind in examining the role of literature-based inputs in ISP development in practice through the lens of institutional theory.

Details

Transforming Government: People, Process and Policy, vol. 16 no. 4
Type: Research Article
ISSN: 1750-6166

Open Access
Article
Publication date: 25 April 2023

Redeemer Krah and Gerard Mertens

Abstract

Purpose

The study investigates the influence of financial transparency on citizens' trust and revenue paying behaviour of citizens of local governments in sub-Saharan Africa. It relies on the theories of stewardship and public choice in explaining the relationship between financial transparency, trust and willingness to pay.

Design/methodology/approach

The study applied a Partial Least Square Structural Equation Model (PLS-SEM) to survey data of 404 respondents selected from four Metropolitan and Municipal Assemblies of Ghana to test the hypotheses of the study.

Findings

It establishes the fact that financial transparency positively influences trust of citizens in local government and their willingness to pay taxes and levies. The study also found that both financial transparency and trust are low in the local governments of Ghana.

Practical implications

The study emphasises the importance of financial transparency in improving trust and willingness to pay. Thus, local governments are encouraged to seek innovative ways to enhance the quality and access to financial information by the citizens.

Originality/value

While prior studies focus on the measurement and determinant of financial transparency, this study links financial transparency to revenue mobilisation in the local government of sub-Saharan Africa.

Details

Journal of Public Budgeting, Accounting & Financial Management, vol. 35 no. 6
Type: Research Article
ISSN: 1096-3367

Open Access
Article
Publication date: 14 February 2023

Lemma Lessa and Daniel Gebrehawariat

Abstract

Purpose

This study is aimed at assessing the information security management practice with a focus on banking card security in selected financial institutions in Ethiopia, using an international information security standard as a benchmark. It is to identify the gaps and recommend best security practices to help financial institutions meet the required security compliance.

Design/methodology/approach

Two financial sectors were purposively selected. A total of twenty-five respondents (IT executives and IT staff) were included in the study. Quantitative data was collected using the PCI-DSS (Payment Card Industry Data Security Standard) security standard questionnaire. In addition, observation and document analysis were made.

Findings

The result shows that most of the essential security management activities in the financial sectors do not comply with the international security standard. Similarly, the level of most of the indispensable security requirements that should be in place is found to be below the acceptable level. The study also revealed major security factors that prohibit the financial sectors from PCI-DSS security standard compliance.

Originality/value

This study assessed the information security management practice with a focus on banking card security and tried to figure out the limitations of security practices of the organizations surveyed based on the standard adopted. The topic has not been well explored, especially in the Ethiopian context. Hence, the result can positively influence security policies, particularly in the banking sector.

Details

International Journal of Industrial Engineering and Operations Management, vol. 5 no. 2
Type: Research Article
ISSN: 2690-6090
