Search results

Introduces a series of contributions on computer security. Begins by pointing out that information is an organizational asset which needs to be protected. Policies are the primary building blocks for every information security effort. In order to be successful with information security, every organization must have a set of policies which establishes both direction and management support. Discusses the role and function of the information security management specialist within the organization. Finally outlines possible exceptions to information security policies.

With the popularity of electronic commerce, many organizations are facing unprecedented security challenges. Security techniques and management tools have caught a lot of attention from both academia and practitioners. However, there is lacking a theoretical framework for information security management. This paper attempts to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This paper suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This theory may lay a solid theoretical foundation for further empirical research and application.

This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).

This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.

This study’s demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.

The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.

Practitioners can use the model to develop software that assist information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.

The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.

Employee security behaviors are the cornerstone for achieving holistic organizational information security. Recent studies in the information systems (IS) security literature have used neutralization and moral disengagement (MD) perspectives to examine employee rationalizations of noncompliant security behaviors. Extending this prior work, the purpose of this paper is to identify mechanisms of security education, training, and awareness (SETA) programs and deterrence as well as employees’ organizational commitment in influencing MD of security policy violations and develop a theoretical model to test the proposed relationships.

The authors validate and test the model using the data collected from six large multinational organizations in Korea using survey-based methodology. The model was empirically analyzed by structural equation modeling.

The results suggest that security policy awareness (PA) plays a central role in reducing MD of security policy violations and that the certainty of punishment and immediacy of enforcing penalties are instrumental toward reducing such MD; however, the higher severity of penalties does not have an influence. The findings also suggest that SETA programs are an important mechanism in creating security PA.

The paper expands the literature in IS security that has examined the role of moral evaluations. Drawing upon MD theory and social cognitive theory, the paper points to the central role of SETA and security PA in reducing MD of security policy violations, and ultimately the likelihood of this behavior. The paper not only contributes to theory but also provides important insights for practice.

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.

Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.

The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.

Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.

The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

Digital India, the flagship programme of Government of India (GoI) originated from National e-Governance Project (NeGP) in the year 2014. The programme has important aspect of information security and implementation of IT policy which supports e-Governance in a focused approach of Mission Mode. In this context, there is a need to assess situation of the programme which covers a study of initiatives and actions taken by various actor involved and processes which are responsible for overall e-Governance. Therefore, the purpose of this case study is to develop a Situation-Actor-Process (SAP), Learning-Action-Performance (LAP) based inquiry model to synthesize situation of information security governance, IT policy and overall e-Governance.

In this case study both systematic inquiry and matrices based SAP-LAP models are developed. Actors are classified who are found responsible and engaged in IT policy framing, infrastructure development and also in e-Governance implementation. Based on a synthesis of SAP components, various LAP elements were then synthesized then which further led to learning from the case study. Suitable actions and performance have also been highlighted, followed by a statement of the impact of the efficacy i.e. transformation of information security, policy and e-Governance on the Digital India programme.

On developing the SAP-LAP framework, it was found that actors like the Ministry of Electronics and Information Technology of the Govt. of India secures a higher rank in implementing various initiatives and central sector schemes to accelerate the agenda of e-Governance. Actions of other preferred actors include more investments in IT infrastructure, policy development and a mechanism to address cyber security threats for effective implementation of e-Governance. It was found that actors should be pro-active on enhancing technical skills, capacity building and imparting education related to ICT applications and e-Governance. Decision making should be based on the sustainable management practices of e-Governance projects implementation to manage change, policy making and the governmental process of the Indian administration and also to achieve Sustainable Development Goals by the Indian economy.

The SAP-LAP synthesis is used to develop the case study. However, few other qualitative and quantitative multi criteria decision making approaches could also be explored for the development of IT security based e-Governance framework in the Indian context.

The synthesis of SAP leads to LAP components which can bridge the gaps between information security, IT policy governance and e-Governance process. Based on the learning from the Situation, it is said that the case study can provide decision making support and has impact on the e-Governance process i.e. may enhance awareness about e-services available to the general public. Such work is required to assess the transparency and accountability on the Government.

Learning based on the SAP-LAP framework could provide decision making support to the administrators, policy makers and IT sector stakeholders. Thus, the case study would further help in addressing the research gaps, accelerating e-Governance initiatives and in capturing cyber threats.

The SAP-LAP model is found as an intuitive approach to analyze the present status of information security governance, IT policy and e-Governance in India in a single unitary model.

There is an increasing movement towards emergent organizations and an adaptation of Web‐based information systems (IS). Such trends raise new requirements for security policy development. One such requirement is that information security policy formulation must become federated and emergent. However, existing security policy approaches do not pay much attention to policy formulation at all – much less IS policy formulation for emergent organizations. To improve the situation, an information security meta‐policy is put forth. The meta‐policy establishes how policies are created, implemented and enforced in order to assure that all policies in the organization have features to ensure swift implementation and timely, ongoing validation.

This study aims, firstly, to determine what influence the information security policy has on the information security culture by comparing the culture of employees who read the policy to those who do not, and, secondly, whether a stronger information security culture is embedded over time if more employees have read the information security policy.

An empirical study is conducted at four intervals over eight years across 12 countries using a validated information security culture assessment (ISCA) questionnaire.

The overall information security culture average scores as well as individual statements for all four survey assessments were significantly more positive for employees who had read the information security policy compared with employees who had not. The overall information security culture also improved from one assessment to the next.

The information security culture should be measured and benchmarked over time to monitor change and identify and prioritise actions to improve the information security culture. If employees read the information security policy, it has a positive influence on the information security culture of an organisation.

Organisations should ensure that employees have read the information security policy to aid in minimising the human risk, related errors and incidents and, ultimately, to instil a stronger information security culture with a higher level of compliant behaviour.

This research confirms theoretical research indicating that the information security policy could influence the information security culture positively. It provides novel and statistical evidence illustrating that if employees read the information security policy, they have a stronger information security culture and that the culture can be improved through targeted interventions using an ISCA.

The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset.

Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.

Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own.

The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings.

In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed.

The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.

The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Despite its widely acknowledged importance, the information security policy has not, to date, been the subject of explicit, empirical scrutiny, in the academic literature. To help fill this gap an exploratory research project was initiated that sought to investigate the uptake, content, dissemination and impact of information security policies. To this end, a questionnaire was mailed to senior IS executives, in large UK‐based organizations, and 208 valid responses were received. The results of this research have indicated that, while policies are now fairly common, at least amongst the sample, there is still a high degree of variety in terms of their content and dissemination.