Article
Publication date: 16 July 2020

Moufida Sadok and Peter Bednar

Details

Information & Computer Security, vol. 28 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 4 June 2020

Moufida Sadok, Steven Alter and Peter Bednar

Abstract

Purpose

This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security.

Design/methodology/approach

This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view.

Findings

Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts.

Research limitations/implications

This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement.

Practical implications

The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security.

Originality/value

Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.

Details

Information & Computer Security, vol. 28 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 28 August 2019

Adéle Da Veiga, Ruthea Vorster, Fudong Li, Nathan Clarke and Steven M. Furnell

Abstract

Purpose

The purpose of this study was to investigate the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in comparison with a country that is preparing for compliance.

Design/methodology/approach

An insurance industry multi-case study within the online insurance services environment was conducted. Personal information of four newly created consumer profiles was deposited to 10 random insurance organisation websites in each country to evaluate a number of data privacy requirements of the Data Protection Act and Protection of Personal Information Act.

Findings

The results demonstrate that not all the insurance organisations honored the selected opt-out preference for receiving direct marketing material. This was evident in direct marketing material that was sent from the insurance organisations in the sample to both the SA and UK consumer profiles who had opted out of it. A total of 42 unsolicited third-party contacts were received by the SA consumer profiles, whereas the UK consumer profiles did not receive any third-party direct marketing. It was also found that the minimality principle is not always met by both SA and UK organisations.

Research limitations/implications

The UK, as a jurisdiction with a heavy stance towards privacy implementation and regulation, was found to be more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study, though not fully compliant.

Originality/value

The results obtained from this research suggest that the SA insurance organisations should ensure that the non-compliance aspects relating to direct marketing and sharing data with third parties are addressed. SA insurance companies should learn from the manner in which the UK insurance organisations implement these privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marketing and the minimality principle. The study indicates the positive role that data protection legislation plays in a country like the UK, with a more mature stance toward compliance with data protection legislation.

Article
Publication date: 4 October 2019

Sebastian Kurowski

Abstract

Purpose

The purpose of this study is to use a developed and pre-tested scenario-based measurement instrument for policy compliance and determine whether policy compliance measurements in the current policy compliance research are biased as has been postulated during a pre-study. The expected biases are because of social desirability and because of biases based on identity theory.

Design/methodology/approach

A survey was conducted (n = 54) that used policy compliance scales from literature and the developed self-reporting policy compliance (SRPC) scale, along with the Marlowe–Crowne social desirability (MC-SDB) scale. Differences between the policy compliance scales were assessed. Moreover, a transformation of the SRPC measurements into the literature-based scales was examined using pair-wise t-testing. Finally, correlations between the MC-SDB and the policy compliance scales were examined.

Findings

There are no significant influences on the desire for social approval of the respondents, as exhibited by the MC-SDB values, and policy compliance on either scale. However, the SRPC scale measurements show deviations from the literature-based policy compliance scales. Individuals who exhibit secure behaviour, which is not rooted in a policy but rather in anything but the policy, are also captured as being policy compliant in the current scales. This shows that a response bias exists in current scales. Respondents who perceive themselves to exhibit secure behaviours may think that they are in compliance with the policy, even when they are not.

Practical implications

These findings mean that several contributions in the field of policy compliance must be questioned and that a revisit of several factors influencing policy compliance may be required.

Originality/value

To the best of the authors’ knowledge, response biases in policy compliance research have not been considered to date.

Details

Information & Computer Security, vol. 28 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 11 December 2019

Jake Weidman and Jens Grossklags

Abstract

Purpose

Colleges and universities across the USA have seen data breaches and intellectual property theft rise at a heightened rate over the past several years. An integral step in the first line of defense against various forms of attacks is (written) security policies designed to prescribe the construction and function of a technical system, while simultaneously guiding the actions of individuals operating within said system. Unfortunately, policy analysis is an insufficiently discussed topic in many academic communities, with very little research being conducted in this space.

Design/methodology/approach

This work aims to assess the current state of information security policies by analyzing in-use policies from 200 universities and colleges in the USA with the goal of identifying important features and general attributes of these documents. The authors accomplish this through a series of analyses designed to examine the language and construction of these policies.

Findings

To summarize high-level results, the authors found that only 54 per cent of the top 200 universities had publicly accessible information security policies, and the policies that were examined lacked consistency with little shared source material. The authors also found that the tonal makeup of these policies lacked a great deal of emotion, but contained a high amount of tentative or ambiguous language leading toward policies that could be viewed as “unclear.”

Originality/value

This work is an extension of a paper that was presented at ECIS 2018. The authors have added additional analyses, including a cross-policy content and tonal analysis, to strengthen the findings and implications of this work for the wider research audience.

Details

Information & Computer Security, vol. 28 no. 3
Type: Research Article
ISSN: 2056-4961
