Acceptable use policy and employee computer usage: case of Sri Lankan software development industry

Organizations introduce acceptable use policies to deter employee computer misuse. Despite the controlling, monitoring and other forms of interventions employed, some employees misuse the organizational computers to carry out their personal work such as sending emails, surfing internet, chatting, playing games etc. These activities not only waste productive time of employees but also bring a risk to the organization. A questionnaire was administrated to a random sample of employees selected from large and medium scale software development organizations, which measured the work computer misuse levels and the factors that influence such behavior. The presence of guidelines provided no evidence of significant effect on the level of employee computer misuse. Not having access to Internet /email away from work and organizational settings were identified to be the most significant influences of work computer misuse

Reinforcing the security of corporate information resources: a critical review of the role of the acceptable use policy

Increasingly users are seen as the weak link in the chain, when it comes to the security of corporate information. Should the users of computer systems act in any inappropriate or insecure manner, then they may put their employers in danger of financial losses, information degradation or litigation, and themselves in danger of dismissal or prosecution. This is a particularly important concern for knowledge-intensive organisations, such as Universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of inappropriate behaviours, and in so doing, protecting corporate information, is through the formulation and application of a formal ‘acceptable use policy (AUP). Whilst the AUP has attracted some academic interest, it has tended to be prescriptive and overly focussed on the role of the Internet, and there is relatively little empirical material that explicitly addresses the purpose, positioning or content of real acceptable use policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and composition of a sample of authentic policies – taken from the higher education sector - rather than simply making general prescriptions about what they ought to contain. There are two important conclusions to be drawn from this study: 1) the primary role of the AUP appears to be as a mechanism for dealing with unacceptable behaviour, rather than proactively promoting desirable and effective security behaviours, and 2) the wide variation found in the coverage and positioning of the reviewed policies is unlikely to be fostering a coherent approach to security management, across the higher education sector

The design and implementation of an agent-based framework for acceptable usage policy monitoring and enforcement

Reliance on the Internet in the workplace means that manually monitoring compliance with an Acceptable Usage Policy (AUP) is impractical given the volumes of data generated. Therefore, for such a system to function effectively, the processing of vast audit trails obtained must be processed by automated means. This paper introduces the incorporation of a novel user-monitoring framework into the domain of software agents for large-scale auditing of Internet use with possible extensions to general network use. It is intended that such an approach would replace current ad-hoc methods such as those based on perusing server logs with a more accurate representation of user activity. The system described herein is an experimental multi-agent one provisionally known as WebEngzilla, which actively monitors and reports on the Web browsing behaviour habits of network users unifying an ambient client monitoring system with a distributed data mining back end

Towards a risk assessment matrix for information security workarounds associated with acceptable use policies

Acceptable Use Policies (AUPs) are used to influence employees’ information security behaviour. Some employees feel that the AUPs and related procedures interfere with their ability to work efficiently and may, therefore, choose not to comply by utilising information security workarounds associated with the AUP. An AUP workaround is a form of information security non compliance that may result in unnecessary information security risk exposure for an organisation. Some AUP workarounds may be useful as they identify more efficient ways to complete tasks that may not impact the information security of an organisation. However, these efficiencies should only be considered for incorporation into standard procedures when the information security risk exposure of an AUP workaround is known. This leads to the problem statement. Many organisations do not have a formal way in which to assess the information security risks posed by workarounds associated with their Acceptable Use Policies, and related procedures. This study provides a solution to the identified problem through the primary objective, to develop a Risk Assessment Matrix for Information Security Workarounds associated with Acceptable Use Policies, and related procedures. Four secondary research objectives were proposed to achieve the primary research objective. The first secondary objective determines the role of information security risk management and how it relates to information security governance through the utilisation of a literature review. The second secondary objective firstly utilises a literature review to determine the role that the AUP and its related procedures play within an organisation, followed by a content analysis which identifies the key content that should be considered in a comprehensive AUP. The third secondary objective determines the factors that influence the use of AUP workarounds within an organisation through the utilisation of a literature review. Lastly, the fourth secondary objective utilises a literature review to determine the key components required for the development of the risk assessment matrix for information security workarounds. In addition, critical reasoning is used to create the risk assessment matrix for information security workarounds. The solution to this study contributes to the body of knowledge by proposing a risk assessment matrix to assess the information security risk exposure of AUP workarounds and find possible efficiency gains while keeping information security risk exposure to a minimum.Thesis (MTech) -- Faculty of Engineering, the Built Environment and Information Technology , Information Technology, 202

Towards a Risk Assessment Matrix for Information Security Workarounds Associated with Acceptable Use Policies

Acceptable Use Policies (AUPs) are used to influence employees’ information security behaviour. Some employees feel that the AUPs and related procedures interfere with their ability to work efficiently and may, therefore, choose not to comply by utilising information security workarounds associated with the AUP. An AUP workaround is a form of information security non-compliance that may result in unnecessary information security risk exposure for an organisation. Some AUP workarounds may be useful as they identify more efficient ways to complete tasks that may not impact the information security of an organisation. However, these efficiencies should only be considered for incorporation into standard procedures when the information security risk exposure of an AUP workaround is known. This leads to the problem statement. Many organisations do not have a formal way in which to assess the information security risks posed by workarounds associated with their Acceptable Use Policies, and related procedures. This study provides a solution to the identified problem through the primary objective, to develop a Risk Assessment Matrix for Information Security Workarounds associated with Acceptable Use Policies, and related procedures. Four secondary research objectives were proposed to achieve the primary research objective. The first secondary objective determines the role of information security risk management and how it relates to information security governance through the utilisation of a literature review. The second secondary objective firstly utilises a literature review to determine the role that the AUP and its related procedures play within an organisation, followed by a content analysis which identifies the key content that should be considered in a comprehensive AUP. The third secondary objective determines the factors that influence the use of AUP workarounds within an organisation through the utilisation of a literature review. Lastly, the fourth secondary objective utilises a literature review to determine the key components required for the development of the risk assessment matrix for information security workarounds. In addition, critical reasoning is used to create the risk assessment matrix for information security workarounds. The solution to this study contributes to the body of knowledge by proposing a risk assessment matrix to assess the information security risk exposure of AUP workarounds and find possible efficiency gains while keeping information security risk exposure to a minimum.Thesis (MA) -- Faculty of Engineering, the Built Environment, and Technology, 202

Towards a Risk Assessment Matrix for Information Security Workarounds Associated with Acceptable Use Policies

Acceptable Use Policies (AUPs) are used to influence employees’ information security behaviour. Some employees feel that the AUPs and related procedures interfere with their ability to work efficiently and may, therefore, choose not to comply by utilising information security workarounds associated with the AUP. An AUP workaround is a form of information security non-compliance that may result in unnecessary information security risk exposure for an organisation. Some AUP workarounds may be useful as they identify more efficient ways to complete tasks that may not impact the information security of an organisation. However, these efficiencies should only be considered for incorporation into standard procedures when the information security risk exposure of an AUP workaround is known. This leads to the problem statement. Many organisations do not have a formal way in which to assess the information security risks posed by workarounds associated with their Acceptable Use Policies, and related procedures. This study provides a solution to the identified problem through the primary objective, to develop a Risk Assessment Matrix for Information Security Workarounds associated with Acceptable Use Policies, and related procedures. Four secondary research objectives were proposed to achieve the primary research objective. The first secondary objective determines the role of information security risk management and how it relates to information security governance through the utilisation of a literature review. The second secondary objective firstly utilises a literature review to determine the role that the AUP and its related procedures play within an organisation, followed by a content analysis which identifies the key content that should be considered in a comprehensive AUP. The third secondary objective determines the factors that influence the use of AUP workarounds within an organisation through the utilisation of a literature review. Lastly, the fourth secondary objective utilises a literature review to determine the key components required for the development of the risk assessment matrix for information security workarounds. In addition, critical reasoning is used to create the risk assessment matrix for information security workarounds. The solution to this study contributes to the body of knowledge by proposing a risk assessment matrix to assess the information security risk exposure of AUP workarounds and find possible efficiency gains while keeping information security risk exposure to a minimum.Thesis (MA) -- Faculty of Engineering, the Built Environment, and Technology, 202

Towards a risk assessment matrix for information security workarounds associated with acceptable use policies

Acceptable Use Policies (AUPs) are used to influence employees’ information security behaviour. Some employees feel that the AUPs and related procedures interfere with their ability to work efficiently and may, therefore, choose not to comply by utilising information security workarounds associated with the AUP. An AUP workaround is a form of information security non compliance that may result in unnecessary information security risk exposure for an organisation. Some AUP workarounds may be useful as they identify more efficient ways to complete tasks that may not impact the information security of an organisation. However, these efficiencies should only be considered for incorporation into standard procedures when the information security risk exposure of an AUP workaround is known. This leads to the problem statement. Many organisations do not have a formal way in which to assess the information security risks posed by workarounds associated with their Acceptable Use Policies, and related procedures. This study provides a solution to the identified problem through the primary objective, to develop a Risk Assessment Matrix for Information Security Workarounds associated with Acceptable Use Policies, and related procedures. Four secondary research objectives were proposed to achieve the primary research objective. The first secondary objective determines the role of information security risk management and how it relates to information security governance through the utilisation of a literature review. The second secondary objective firstly utilises a literature review to determine the role that the AUP and its related procedures play within an organisation, followed by a content analysis which identifies the key content that should be considered in a comprehensive AUP. The third secondary objective determines the factors that influence the use of AUP workarounds within an organisation through the utilisation of a literature review. Lastly, the fourth secondary objective utilises a literature review to determine the key components required for the development of the risk assessment matrix for information security workarounds. In addition, critical reasoning is used to create the risk assessment matrix for information security workarounds. The solution to this study contributes to the body of knowledge by proposing a risk assessment matrix to assess the information security risk exposure of AUP workarounds and find possible efficiency gains while keeping information security risk exposure to a minimum.Thesis (MTech) -- Faculty of Engineering, the Built Environment and Information Technology , Information Technology, 202