46 research outputs found

    Six Design Theories for IS Security Policies and Guidelines

    The unpredictability of the business environment drives organizations to make rapid business decisions with little preparation. Exploiting sudden business opportunities may require a temporary violation of predefined information systems (IS) security policies. Existing research on IS security policies pays little attention to how such exceptional situations should be handled. We argue that normative theories from philosophy offer insights on how such situations can be resolved. Accordingly, this paper advances six design theories (the conservative-deontological, liberal-intuitive, prima-facie, virtue, utilitarian and universalizability theories) and outlines the use of their distinctive application principles in guiding the application of IS security policies. Based on the testable design product hypotheses of the six design theories, we derive a theoretical model to explain the influence of the different normative theories on the "success" of IS security policies and guidelines.

    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of the policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

    To Follow the Rules or Break Them: A Rule Following Perspective

    Because most security breaches are caused by human error, employees are perceived as the first line of defense against threats. Accordingly, organizations invest in information security policy (ISP) creation, implementation, and training initiatives. However, despite a vast stream of research, employee compliance with the information security policy remains an issue. We argue that it is not enough to study the motivations behind ISP compliance, since the motivation for adaptive behavior (ISP compliance) may be different from that for maladaptive behaviors (avoidance and non-compliance); therefore, we take a rule-following perspective to study both. We argue that when the requirements of the ISP disrupt their work, employees face rule tension. In response to rule tension, they are less likely to exhibit adaptive behaviors and more likely to exhibit maladaptive behaviors. In addition, we propose that two common governance approaches, (1) the command-and-control approach and (2) the self-regulatory approach, moderate the relationship between rule tension and adaptive and maladaptive behaviors in the context of ISP rule-following.

    Knowledge for Managing Information System Security: Review and Future Research Directions

    Information systems (IS) security is traditionally seen as technically oriented. Technologies alone, however, cannot secure an organization's information systems at an optimal level. As such, scholars have called for more research on non-technical factors that play an important role in IS security, including human, managerial, and organizational issues. This paper aims to review and synthesize those studies that have been done on non-technical issues by applying knowledge management concepts as a tool and lens. It also identifies some issues that require further research.

    Moving Towards Information System Security Accreditation within Australian State Government Agencies

    This paper investigates the current status of Information System Security (ISS) within New South Wales State government agencies in Australia. A 3-year longitudinal survey was used to increase awareness and motivate ISS managers. In addition, the survey was used as a management tool to monitor compliance with the ISS standard's controls (AS/NZS17799:2001). In 2004 an amendment to the standard added critical success factors (CSFs) as being necessary for an agency's movement to accreditation. An analysis of the CSF results was undertaken to determine the security readiness of each independently acting agency, and the results were then summarized to provide an overall measure. This measure provided a 'benchmark' for an agency's security readiness against the standard's CSFs (AS/NZS17799:2004.AMDT). While the process for improving security based on CSFs is adequate, actual improvement in ISS across government requires further effort. This research contributes to the level of understanding of ISS compliance within e-Government.

    An Organizational Level Advancement of MIS and Its Security Milestones in Technological Era

    Today the most vital asset of any enterprise is its data, and maintaining its security is essential. In order to make a business successful in this era of the modern economy and to compete with the advancing world, one must understand the importance of data management. A Management Information System (MIS) is a means of managing large amounts of data for any firm, and it has a powerful influence on the performance of an organization by maintaining its data electronically. This paper discusses the impact of MIS on performing various functions of an organization and how this software can increase the profitability, growth and innovation of an organization. In short, a positive relationship between an organization and MIS is discussed. With the increasing complexity of technology, serious security issues arise, including hacking, spoofing, cybercrime, etc., that need to be addressed. This research therefore covers possible solutions to such security threats along with some techniques, and also discusses various types of information systems. The need, therefore, is to produce a way that encourages operating a secure information system for an organization.

    A PRACTICE LENS FOR UNDERSTANDING THE ORGANIZATIONAL AND SOCIAL CHALLENGES OF INFORMATION SECURITY MANAGEMENT

    As the cost and number of information security breaches continue to rise, information security management becomes vital for organizations. Often organizations seek advice from information security management standards and other frameworks to manage their information security. Such standards and frameworks depict information security management as a rational, systematic and linear process and leave out the complexity and uncertainty of real-life settings. In particular, they pay little attention to the organizational and social challenges inherent in information security management. Therefore, this study draws on practice theory to develop a practice lens for understanding how people, practices and what happens in practice interact and create such challenges. This lens depicts information security management as emerging from mundane aspects of information security management work and from the enacted social structures of, and events arising at, an organization and its environment, and enables a deeper understanding of the organizational and social challenges. After developing this lens, it is illustrated and elaborated through an ethnographic study at an IT service provider, and its contributions to research and practice are discussed.

    Development of virtue ethics based security constructs for information systems trusted workers

    Despite an abundance of research on the problem of insider threats, only limited success has been achieved in preventing trusted insiders from committing security violations. Virtue ethics may be a new approach that can be utilized to address this issue. Human factors such as moral considerations and decisions impact information system design, use, and security; consequently, they affect the security posture and culture of an organization. Virtue ethics based concepts have the potential to influence and align the moral values and behavior of Information Systems workers with those of an organization in order to provide increased protection of IS assets. This study examines factors that affect and shape the ethical perspectives of individuals trusted with privileged access to personal, sensitive, and classified information. An understanding of these factors can be used by organizations to assess and influence the ethical intentions and commitment of information systems trusted workers. The overall objective of this study's research is to establish and refine validated virtue ethics based constructs which can be incorporated into theory development and testing of the proposed Information Systems security model. The expectation of the researcher is to better understand the personality and motivations of individuals who pose an insider threat by providing a conceptual analysis of character traits which influence the ethical behavior of trusted workers and ultimately Information System security.