Search results

1 – 10 of over 68000
Article
Publication date: 8 February 2022

Harrison Stewart

This paper aims to develop an effective information security policy (ISP), which is an important mechanism to combat insider threats.

Abstract

Purpose

This paper aims to develop an effective information security policy (ISP), which is an important mechanism to combat insider threats.

Design/methodology/approach

A general framework based on the Nine-Five-circle was proposed for developing, implementing and evaluating an organisation's ISP.

Findings

The proposed framework outlines the steps involved in developing, implementing and evaluating a successful ISP.

Research limitations/implications

The study took place in Germany, and most of the data was collected virtually due to the different locations of the organisation.

Practical implications

In practice, this study can be a guide for managers to design a robust ISP that employees will read and follow.

Social implications

Employee compliance with the ISP is a critical aspect in any organisation and therefore a rigorous strategy based on a systematic approach is required.

Originality/value

The main contribution of the paper is the application of a comprehensive and coherent model that can be the first step in defining a “checklist” for creating and managing ISPs.

Open Access
Article
Publication date: 13 February 2023

Elham Rostami, Fredrik Karlsson and Shang Gao

This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).

1137

Abstract

Purpose

This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).

Design/methodology/approach

This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.

Findings

This study’s demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.

Research limitations/implications

The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.

Practical implications

Practitioners can use the model to develop software that assist information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.

Originality/value

The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.

Details

Information & Computer Security, vol. 31 no. 3
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 1 December 2002

Richard Baskerville and Mikko Siponen

There is an increasing movement towards emergent organizations and an adaptation of Web‐based information systems (IS). Such trends raise new requirements for security policy

3285

Abstract

There is an increasing movement towards emergent organizations and an adaptation of Web‐based information systems (IS). Such trends raise new requirements for security policy development. One such requirement is that information security policy formulation must become federated and emergent. However, existing security policy approaches do not pay much attention to policy formulation at all – much less IS policy formulation for emergent organizations. To improve the situation, an information security meta‐policy is put forth. The meta‐policy establishes how policies are created, implemented and enforced in order to assure that all policies in the organization have features to ensure swift implementation and timely, ongoing validation.

Details

Logistics Information Management, vol. 15 no. 5/6
Type: Research Article
ISSN: 0957-6053

Keywords

Open Access
Article
Publication date: 6 June 2022

Lovisa Göransson Ording, Shang Gao and Weifeng Chen

The purpose of this paper is to investigate what role literature-based inputs have on the information security policy (ISP) development in practice.

1364

Abstract

Purpose

The purpose of this paper is to investigate what role literature-based inputs have on the information security policy (ISP) development in practice.

Design/methodology/approach

A literature review is carried out to identify commonly used inputs for ISP development in theory firstly. Secondly, through the lens of institutional theory, an interpretive approach is adapted to study the influence of literature-based inputs in the ISP development in practice. Semi-structured interviews with senior experienced information security officers and managers from the public sector in Sweden are carried out for this research.

Findings

According to the literature review, 10 inputs for ISP development have been identified. The results from the interviews indicate that the role inputs have on the ISP development serves as more than a rational tool, where organisational context, institutional pressures and the search for legitimacy play an important role.

Research limitations/implications

From the institutional perspective, this study signifies the influence of inputs on ISP development can be derived from institutionalised rules or practices established by higher authorities; actions and practices that are perceived as successful and often used by other organisations; the beliefs of what is viewed as appropriate to meet the specific pressures from stakeholders.

Practical implications

This research recommends five practical implications for practitioners working with the ISP development. These recommendations aim to create an understanding of how an ISP could be developed, considering more than the rational functionalist perspective.

Originality/value

To the best of the authors’ knowledge, it is the first of its kind in examining the role of literature-based inputs in ISP development in practice through the lens of institutional theory.

Details

Transforming Government: People, Process and Policy, vol. 16 no. 4
Type: Research Article
ISSN: 1750-6166

Keywords

Open Access
Article
Publication date: 8 January 2020

Elham Rostami, Fredrik Karlsson and Ella Kolkowska

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been…

1391

Abstract

Purpose

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

Design/methodology/approach

The results are based on a literature review of ISP management research published between 1990 and 2017.

Findings

Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.

Research limitations/implications

Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

Practical implications

The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Originality/value

Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Details

Information & Computer Security, vol. 28 no. 2
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 23 March 2022

Eric Amankwa, Marianne Loock and Elmarie Kritzinger

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security

1239

Abstract

Purpose

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.

Design/methodology/approach

Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.

Findings

The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.

Practical implications

Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.

Originality/value

The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

Details

Information & Computer Security, vol. 30 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 12 November 2018

Zakarya A. Alzamil

Information security of an organization is influenced by the deployed policy and procedures. Information security policy reflects the organization’s attitude to the protection of…

Abstract

Purpose

Information security of an organization is influenced by the deployed policy and procedures. Information security policy reflects the organization’s attitude to the protection of its information assets. The purpose of this paper is to investigate the status of the information security policy at a subset of Saudi’s organizations by understanding the perceptions of their information technology’s employees.

Design/methodology/approach

A descriptive and statistical approach has been used to describe the collected data and characteristics of the IT employees and managers to understand the information security policy at the surveyed organizations. The author believes that understanding the IT employees’ views gives a better understanding of the organization’s status of information security policy.

Findings

It has been found that most of the surveyed organizations have established information security policy and deployed fair technology; however, many of such policies are not enforced and publicized effectively and efficiently which degraded the deployed technology for such protection. In addition, the clarity and the comprehensibility of such policies are questionable as indicated by most of the IT employees’ responses. A comparison with similar studies at Middle Eastern and European countries has shown similar findings and shares the same concerns.

Originality/value

The findings of this research suggest that the Saudi Communications and Information Technology Commission should develop a national framework for information security to guide the governmental and non-governmental organizations as well as the information security practitioners on the good information security practices in terms of policy and procedures to help the organizations to avoid any vulnerability that may lead to violations on the security of their information.

Article
Publication date: 7 November 2023

Marko Niemimaa

The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to…

Abstract

Purpose

The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to evaluate their posture against a set of criteria (e.g. a standard, legislative framework and “best practices”). The results of these evaluations have significant importance for organizations, especially in the context of information security and continuity. The author argues that how these evaluations become performed is not merely a “social” activity but shaped by the materiality of the evaluation criteria

Design/methodology/approach

The authors adopt a sociomaterial practice-based view to study the compliance evaluation through in situ participant observations from compliance evaluation workshops to evaluate organizational compliance against a information security and business continuity criteria. The empirical material was analyzed to construct vignettes that serve to illustrate the practice of compliance evaluation.

Findings

The research analysis shows how the information security and business continuity criteria themselves partake in the compliance evaluations by operating through (ventriloqually) the evaluators on three strata: the material, the textual and the structural. The author also provides a conceptualization of a hybrid agency.

Originality/value

This research contributes to lack of studies on the organizational-level compliance. Further, the research is an original contribution to information security and business continuity management by focusing on the practices of compliance evaluation. Further, the research has theoretical novelty by adopting the ventriloqual agency as a hybrid agency to study the sociomateriality of a phenomenon.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Keywords

Article
Publication date: 5 October 2012

Vinod Pathari and Rajendra Sonar

The information security policy document of an organization needs to be translated into controls and procedures at the implementation level. The technical and business personnel…

1461

Abstract

Purpose

The information security policy document of an organization needs to be translated into controls and procedures at the implementation level. The technical and business personnel in‐charge of implementing the controls and procedures need to consider a large number of security‐related statements from a heterogeneous pool of security documentation and decide on the implementation plan. The purpose of this paper is to propose an approach to analyze a set of security statements to establish an implicit hierarchy and relative importance among them.

Design/methodology/approach

A set of statements relevant to e‐mail service security is chosen from the classified documentation of an IT firm. The authors contacted the technical person who was the owner of this service to obtain a one‐on‐one comparison between the policies. These policies and their inter‐relationships are represented as a graph. Centrality measures based on the in and out degrees of a node are used to calculate the relative importance of a policy. The authors present an improved approach based on DEMATEL, which considers the level of influence of one policy on another.

Findings

Security statements fall into different categories based on their relative intensity and nature. They could be of high importance or low on one axis and of driving or receiving nature on the other. The driver policies are the action items that could be implemented to satisfy a large number of other security requirements. The policies that are predominantly receiver in nature, for their fulfillment, need many other requirements to be satisfied.

Practical implications

The intense driver policies are the ones to be considered for immediate implementation so as to achieve maximum benefits. If such an action item cannot be implemented at the level of consideration, it needs to be communicated to the appropriate level where it could be addressed effectively. An orphaned policy statement can indicate to a high‐level requirement left without any action plan or an unnecessary control. Establishing clear linkages between the implemented controls and the organization's security policy document could be very effective in convincing the employees to adhere to security practices.

Originality/value

Analyzing a set of informal security statements to identify the linkages between them is a novel idea. While other works establish the need for translating the security policy to lower levels of implementation, the authors propose an approach to identify the existence or absence of an effective translation. The graph representation with associated centrality measures, and the application of DEMATEL technique to deduce the nature and intensity of security statements are not yet found in literature.

Open Access
Article
Publication date: 5 October 2023

Peter Dornheim and Ruediger Zarnekow

The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated…

Abstract

Purpose

The human factor is the most important defense asset against cyberattacks. To ensure that the human factor stays strong, a cybersecurity culture must be established and cultivated in a company to guide the attitudes and behaviors of employees. Many cybersecurity culture frameworks exist; however, their practical application is difficult. This paper aims to demonstrate how an established framework can be applied to determine and improve the cybersecurity culture of a company.

Design/methodology/approach

Two surveys were conducted within eight months in the internal IT department of a global software company to analyze the cybersecurity culture and the applied improvement measures. Both surveys comprised the same 23 questions to measure cybersecurity culture according to six dimensions: cybersecurity accountability, cybersecurity commitment, cybersecurity necessity and importance, cybersecurity policy effectiveness, information usage perception and management buy-in.

Findings

Results demonstrate that cybersecurity culture maturity can be determined and improved if accurate measures are derived from the results of the survey. The first survey showed potential for improving the dimensions of cybersecurity accountability, cybersecurity commitment and cybersecurity policy effectiveness, while the second survey proved that these dimensions have been improved.

Originality/value

This paper proves that practical application of cybersecurity culture frameworks is possible if they are appropriately tailored to a given organization. In this regard, scientific research and practical application combine to offer real value to researchers and cybersecurity executives.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Keywords

1 – 10 of over 68000