4 research outputs found

    Empowering Information Security Managers: Tailored Information Security Policy Design with POLCO Software

    Information security is crucial for protecting an organization's information assets, and information security policies (ISPs) are formal controls that provide guidance in this regard. However, employees' non-compliance with ISPs is a persistent issue, and the design of ISPs can contribute to this problem. Tailored ISP design theory, which includes four design principles and a conceptual model, offers a solution by allowing information security managers to create ISPs that are relevant for different groups of employees. This research introduces POLCO, a software developed based on tailored ISP design theory, to systematically tailor ISPs. The evaluation of the functionality of POLCO as a proof of concept was conducted with master students in an information security management program, and the results showed that POLCO fulfils the design principles, making it a potential tool for reducing employee non-compliance with ISPs.

    VISTA: an inclusive insider threat taxonomy, with mitigation strategies

    Insiders have the potential to do a great deal of damage, given their legitimate access to organisational assets and the trust they enjoy. Organisations can only mitigate insider threats if they understand what the different kinds of insider threats are, and what tailored measures can be used to mitigate the threat posed by each of them. Here, we derive VISTA (inclusiVe InSider Threat tAxonomy) based on an extensive literature review and a survey with C-suite executives to ensure that the VISTA taxonomy is not only scientifically grounded, but also meets the needs of organisations and their executives. To this end, we map each VISTA category of insider threat to tailored mitigations that can be deployed to reduce the threat.

    Information security standards and policies compliance by Nigerian banks.

    Doctoral Degrees. University of KwaZulu-Natal, Durban.

    The modern banking sector is highly dependent on customer information to carry out its daily business. Such information is thus an asset which must be protected from threats; hence banks have adopted policies and standards in this regard. The Nigerian banking sector is characterised by on-going information security breaches. The reasons include low levels of individual and corporate compliance with information security standards and policies and procedures (ISSsPs), as well as the fact that banks focus on data usage optimisation rather than the privacy and security of customer information. This study examined the extent to which Nigerian bank employees comply with information security standards and policies and whether or not a relationship exists between the level of compliance and information security breaches. The theories of planned behaviour, protection motivation and self-efficacy were employed to identify the factors that motivate such compliance. The results show that all the motivational factors influence employee behavioural intention (EBI) to comply with ISSsPs. In the same vein, employee behavioural intention was found to influence such standards and policies. Hypotheses were also developed to investigate the mediating effect of EBI on the relationship between motivational factors and ISSsPs. The analysis showed that EBI has a partial mediation effect on the relationship between motivational factors and compliance with ISSsPs. The analysis of the effect of the motivational factors on ISSsPs revealed that the perceived severity of a penalty has a significant influence on compliance with ISSsPs. Certainty of detection was then regressed on employee intention to comply with ISSsPs and the results show that it has a significant effect.

    Furthermore, it was established that normative beliefs, the perceived effectiveness of information security standards, an awareness of information security threats, and perceived bias have a positive influence on an employee's intention to comply with ISSsPs. The study also investigated the relationship between the compliance rate and experience of information security breaches. The analysis showed that there is a positive relationship between banks reviewing their ISSsPs and their experience of information security breaches. Thus, the more banks experience information security breaches, the more they review their standards. It was found that Nigerian banks review their information security codes and standards at least once a year. Finally, the study proposes and validates an employees' compliance framework that has the potential to significantly improve employees' compliance with ISSsPs, thus mitigating the effects of information security threats on Nigerian banks.