Employee and Organization Security Value Alignment Through Value Sensitive Security Policy Design

Every member of the organization must be involved in proactively and consistently preventing data loss. Implementing a culture of security has proven to be a reliable method of enfranchising employees to embrace security behavior. However, it takes more than education and awareness of policies and directives to effect a culture of security. Research into organizational culture has shown that programs to promote organizational culture - and thus security behavior - are most successful when the organization\u27s values are congruent with employee values. What has not been clear is how to integrate the security values of the organization and its employees in a manner that promotes security culture. This study extended current research related to values and security culture by applying Value Sensitive Design (VSD) methodology to the design of an end user security policy. Through VSD, employee and organizational security values were defined and integrated into the policy. In so doing, the study introduced the concept of value sensitive security policy (VSP) and identified a method for using VSPs to promote a culture of security. At a time when corporate values are playing such a public role in defining the organization, improving security by increasing employee-organization value congruence is both appealing and practical

Profiling behaviour: The social construction of categories in the detection of financial crime.

Profiles are knowledge constructs that represent and identify a data subject. While not a new phenomenon, the use of profiling has exploded and its ubiquity is likely to increase, as a result of the widespread adoption of monitoring technology. The literature on profile development tends to refer to the practice, the technique or the technology of profiling, separately. Little has been written on how the perspectives interact with each other and, ultimately, shape the emerging behaviour profile. In order to map out the elements that impact on behaviour profiling, this thesis uses organisational semiotics, enhanced with classification theory, for key constructs. The study views profilers as agents who interpret and act on available information according to particular sets of technical, formal and informal factors and who, in the presence of incomplete or ambiguous stimuli, may fill in or distort information. Furthermore, the thesis examines how the position of the interpreter in the profiling process influences the result of the exercise. A case study conducted in a British financial institution demonstrates how technical systems and profilers acting in particular contexts influence each other in a dialectical process, whereby the characteristics of the data available impact the analysts' ability to interpret an event and, at the same time, the analysts tend to look for in the data only what they consider conceivable. The discussion centres on the influence of the type of stimuli available, the relational context and the actions of individual profilers in shaping the emerging meaning, in the context of financial crime detection. In addition, it considers the role of technical, formal and informal systems to overcome eventual variances in meaning. The thesis extends the applicability of organisational semiotics with classification theory. Inspired by models of sequential encounters, the thesis provides a methodological contribution by developing a tool for the analysis of sequential meaning making processes. A practical contribution emerges from mapping the impact of the profilers' perceptions into the emerging profile, and by suggesting mechanisms for shaping those perceptions

Exploring the Explanatory Power of Actability - The Case of Internet-based Software Artefacts

This paper is an inquiry into the empirical grounding of actability an important concept for the understanding of information systems pragmatics. The paper describes the structure and the application of an analytic framework based on actability and the semiotic framework. Actability has been proposed as an important concept for the understanding of information systems pragmatics and the semiotic framework provides a layered model of information systems that balances the technical and more social issues. The framework has been used as a tool to direct attention during a qualitative analysis of the Internet-based software artefact. The results show that actability and the semiotic framework can be used effectively to gain understanding of specific information systems phenomena