    Six Design Theories for IS Security Policies and Guidelines
    The unpredictability of the business environment drives organizations to make rapid business decisions with little preparation. Exploiting sudden business opportunities may require a temporary violation of predefined information systems (IS) security policies. Existing research on IS security policies pays little attention to how such exceptional situations should be handled. We argue that normative theories from philosophy offer insights on how such situations can be resolved. Accordingly, this paper advances six design theories (the conservative-deontological, liberal-intuitive, prima-facie, virtue, utilitarian and universalizability theories) and outlines the use of their distinctive application principles in guiding the application of IS security policies. Based on the testable design product hypotheses of the six design theories, we derive a theoretical model to explain the influence of the different normative theories on the "success" of IS security policies and guidelines.

    Information Security Management Standards: Problems and Solutions

    Is Polyinstantation Morally Blameworthy?
    In the area of database/computer security the problem of polyinstantiation is widely recognized. The research on polyinstantiation can be considered morally questionable, since it involves lying. This paper analyses whether the research and practice on the problem of polyinstantiation is morally blameworthy or praiseworthy in a general sense. The morality of polyinstantiation shall be critically analysed from the viewpoint of a moral philosophical framework. The moral philosophical framework used includes 1) Kantian ethics, 2) the impartial universality thesis advocated by Hare, Rawls, Gewirth, Jewish-Christian ethics, and Confucian ethics, 3) utilitarianism, and 4) Theory of Information Ethics (IE) by Floridi. The result of this analysis suggests that polyinstantiation is morally questionable, at least in the light of the chosen moral philosophical theories. The aim of the paper is not, however, to deem polyinstantiation as morally wrong altogether, but to provide researchers and practitioners with tools and insights for analysing the morality of polyinstantiation in different cases. Moreover, this paper sheds new light on the relevance of IE. The results suggest that, as far as polyinstantiation is concerned, traditional theories seem to be at least as adequate as IE.

    A Critical Assessment of IS Security Research between 1990-2004
    This paper reviews the IS security literature for the period 1990-2004. More specifically, three security journals and the top twenty IS journals were examined. In total 1280 IS security papers were analysed in terms of theories, research methods and research topics. Our research found that 1043 of the papers contained no theory. In addition, almost 1000 of the papers were categorized as ‘subjective-argumentative’ in terms of methodology, with field experiments, surveys, case studies and action research accounting for less than 10% (8.10%) of all the papers. Fifty-nine research topics were identified, with fourteen of these topics totaling 71.05% of the articles. This paper offers implications for future research directions on IS security, scholars to publish IS security research, tenure practice, and IS security classification schemas.

    Understanding Why IS Students Drop Out: Toward A Process Theory

    Toward a New Meta-Theory for Designing Information Systems (IS) Security Training Approaches
    Employees’ non-compliance with IS security procedures is a key concern for organizations. To tackle this problem, there exist several training approaches aimed at changing employees’ behavior. However, the extant literature does not examine the elementary characteristics of IS security training, such as the ways in which IS security training differs from other forms of training. We argue that IS security training needs a theory that both lays down these elementary characteristics and explains how these characteristics shape IS security training principles in practice. We advance a theory that suggests that IS security training has certain elementary characteristics that separate it from other forms of training, and we set a fundamental direction for IS security training practices. Second, the theory defines four pedagogical requirements for designing and evaluating IS security training approaches. We point out that no existing IS security training approach meets all of these requirements and demonstrate how to design an IS security training approach that does meet these requirements. Implications for research and practice are discussed.

    Organization Members Developing Information Security Policies: a Case Study
    Information security policies (ISPs) have a key role in organizational information security. Research has introduced processes for ISP development, including lifecycle models. There are also recommendations to include contextual issues in the ISP development to ensure that the ISP provides tailored protection to the organization’s assets. One way of ensuring this is to include organization members in the development efforts. We identified six functions for the organization member participation from the research literature. Then, we presented two case studies of organizations where the personnel was included in the ISP development process. We found that the participation of the organization members did add value to the process through these functions but that there were also some negative effects. The inclusion of organization members in ISP development can help in gathering feedback directly at the beginning of the lifecycle without the need to go through the entire cycle to identify issues.

    Towards a New Meta-Theory for Designing IS Security Training Approaches
    Employee non-compliance with information systems (IS) security policies is a key concern for organisations. To tackle this problem, scholars have advanced several IS security training approaches. Despite the fact that the importance of having effective training is understood by scholars and practitioners, IS security training is largely a theoretically underdeveloped area. To this end, we advance a meta-theory for IS security training, based on Hare’s theory of three levels of thinking. It is a meta-theory because it suggests that IS security training has certain fundamental characteristics which separate it from other forms of training, and it advances pedagogical requirements for the design and evaluation of IS security training approaches. After sketching this meta-theory, including four pedagogical requirements for IS security training approaches, we show that no existing IS security training approach meets all of these requirements. To this end, we put forth an IS security training approach which meets all these requirements. For scholars, this study offers new theoretical insights into the fundamental characteristics of IS security training; a set of principles for designing and evaluating IS security training approaches; and an agenda for future research on IS security training. For practitioners designing and implementing IS security training at organisations, this study offers principles for designing effective IS security training approaches in practice.

    On IS Students’ Intentions to Use Theories of Ethics in Resolving Moral Conflicts
    It is widely agreed that ethics teaching should have an important role in Information Systems (IS) teaching. Yet, there are no studies exploring how students apply theories of ethics in their decision-making. This is unfortunate, because teaching ethics is of little practical use if the students do not utilise the acquired knowledge in practice. In order to bridge this significant gap in the literature, we introduced IS students to the following theories: utilitarianism, Kantian ethics, virtue ethics, prima-facie principles, and Rawls’ veil of ignorance. We then asked them (n=75) to apply these theories to a given moral conflict, and to assess whether they intended to use the theories in real life. Phenomenographic analysis revealed four developing levels in the students’ perceptions: 1) rejection (the student trusts his or her intuition, consciousness or feelings rather than the theories); 2) latent use (the student recognizes that the theories may be latently present in intuitive deliberation); 3) conscious use (the student uses the theories to support intuitive deliberation); and 4) internalised use (the student has internalised the theories to such an extent that he or she does not need to consciously steer his or her deliberation to their use). These findings entail recommendations to IS educators on how to educate students to address ethical issues through the application of theories.