Skip to main content
SpringerLink
Log in

Policy Components - A Conceptual Model for Tailoring Information Security Policies

  • Conference paper
  • First Online:
Human Aspects of Information Security and Assurance (HAISA 2022)

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 658))

  • 555 Accesses

Abstract

Today, many business processes are propelled by critical information that needs safeguarding. Procedures on how to achieve this end are found in information security policies (ISPs) that are rarely tailored to different target groups in organizations. The purpose of this paper is therefore to propose a conceptual model of policy components for software that supports modularizing and tailoring of ISPs. We employed design science research to this end. The conceptual model was developed as a Unified Modeling Language class diagram using existing ISPs from public agencies in Sweden. The conceptual model can act as a foundation for developing software to tailor ISPs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 129.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Dhillon, G.: Information Security - Text & Cases Prospect Press, Burlington (2017)

    Google Scholar 

  2. Whitman, M.E.: Security policy - from design to maintenance. In: Straub, D.W., Goodman, S., Baskerville, R. (eds.) Information Security - Policy, Processes, and Practices, pp. 123–151. M E Sharpe, New York (2008)

    Google Scholar 

  3. PwC: The information security breaches survey - Technical report. Department for Business, Innovation and Skills (BIS) (2014)

    Google Scholar 

  4. PwC: The Global State of Information Security Survey 2018. PriceWaterhouseCoopers (2018)

    Google Scholar 

  5. ENISA: ENISA Threat Landscape 2014. Overview of current and emerging cyber-threats. European Union Agency for Network and Information Security (2014)

    Google Scholar 

  6. Karlsson, F., Hedström, K., Goldkuhl, G.: Practice-based discourse analysis of information security policies. Comput. Secur. 67(June 2017), 267–279 (2017)

    Google Scholar 

  7. Stahl, B.C., Doherty, N.F., Shaw, M.: Information security policies in the UK healthcare sector: a critical evaluation. Inf. Syst. J. 22, 77–94 (2012)

    Article  Google Scholar 

  8. Rostami, E.: Tailoring policies and involving users in constructing security policies: a mapping study. In: Furnell, S., Clarke, N.L. (eds.) Proceedings of Thirteenth International Symposium on Human Aspects of Information Security & Assurance, HAISA 2019, Nicosia, Cyprus, 15–16 July 2019, pp. 1–11. University of Plymouth, Plymouth (2019)

    Google Scholar 

  9. Cosic, Z., Boban, M.: Information security management—defining approaches to Information Security policies in ISMS. In: IEEE 8th International Symposium on Intelligent Systems and Informatics, pp. 83–85. IEEE (2010)

    Google Scholar 

  10. Kinnunen, H., Siponen, M.T.: Developing organization-specific information security policies. In: PACIS 2018, pp. 1–13 (2018)

    Google Scholar 

  11. Coertze, J., von Solms, R.: A software gateway to affordable and effective information security governance in SMMEs. In: 2013 Information Security for South Africa, pp. 1–8. IEEE (2013)

    Google Scholar 

  12. Syamsuddin, I., Hwang, J.: The use of AHP in security policy decision making: an Open Office Calc application. J. Softw. 5(10), 1162–1169 (2010)

    Article  Google Scholar 

  13. Rostami, E., Karlsson, F., Shang, G.: Requirements for computerized tools to design information security policies. Comput. Secur. 99(December 2020), Article number 102063 (2020)

    Google Scholar 

  14. Rostami, E., Karlsson, F., Kolkowska, E.: The hunt for computerized support in information security policy management: a literature review. Inf. Comput. Secur. 28(2), 215–259 (2020)

    Article  Google Scholar 

  15. Vermeulen, C., von Solms, R.: The information security management toolbox - taking the pain out of security management. Inf. Manag. Comput. Secur. 10(3), 119–125 (2002)

    Article  Google Scholar 

  16. Coertze, J., van Niekerk, J., von Solms, R.: A web-based information security management toolbox for small-to-medium enterprises in Southern Africa. In: Venter, H.S., Coetzee, M., Loock, M. (eds.) 2011 Information Security for South Africa (ISSA 2011), Johannesburg, South Africa, pp. 1–8. IEEE (2011)

    Google Scholar 

  17. Hoppe, O.A., van Niekerk, J., von Solms, R.: The effective implementation of information security in organizations. In: Ghonaimy, M.A., El-Hadidi, M.T., Aslan, H.K. (eds.) Security in the Information Society - Visions and Perspective, pp. 1–18. Springer, Boston (2002). https://doi.org/10.1007/978-0-387-35586-3_1

    Chapter  Google Scholar 

  18. Coertze, J., von Solms, R.: A model for information security governance in developing countries. In: Jonas, K., Rai, I.A., Tchuente, M. (eds.) AFRICOMM 2012. LNICSSITE, vol. 119, pp. 279–288. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41178-6_29

    Chapter  Google Scholar 

  19. Ismail, W.B.W., Widyarto, S.A.: Formulation and development process of information security policy in higher education. In: 1st International Conference on Engineering Technology and Applied Sciences, Afyonkarahisar, Turkey (2016)

    Google Scholar 

  20. Flowerday, S.V., Tuyikeze, T.: Information security policy development and implementation: the what, how and who. Comput. Secur. 61, 169–183 (2016)

    Article  Google Scholar 

  21. Peffers, K., Tuunanen, T., Rothenberger, M.A., Chatterjee, S.: A design science research methodology for information systems research. J. Manag. Inf. Syst. 24(3), 45–77 (2007)

    Article  Google Scholar 

  22. Glaser, B.G., Strauss, A.L.: The Discovery of Grounded Theory: Strategies for Qualitative Research. Aldine, New York (1967)

    Google Scholar 

  23. Nunamaker, J.F., Briggs, R.O.: Toward a broader vision for information systems. ACM Trans. Manag. Inf. Syst. 2(4), Article 20 (2011)

    Google Scholar 

  24. Hedström, K., Kolkowska, E., Karlsson, F., Allen, J.P.: Value conflicts for information security management. J. Strat. Inf. Syst. 20(4), 373–384 (2011)

    Article  Google Scholar 

  25. Davis, G.B., Olson, M.H.: Management Information Systems: Conceptual Foundations, Structure, and Development. McGraw-Hill, Inc., New York (1985)

    Google Scholar 

  26. D’Arcy, J.D., Devaraj, S.: Employee misuse of information technology resources: testing a contemporary deterrence model. Decis. Sci. J. 43(6), 1091–1124 (2012)

    Article  Google Scholar 

  27. Buthelezi, M.P., Van der Poll, J.A., Ochala, E.O.: Ambiguity as a barrier to information security policy compliance: a content analysis. In: International Conference on Computational Science and Computational Intelligence 2016, Las Vegas, NV, USA, pp. 1361–1367. IEEE (2016)

    Google Scholar 

  28. ISO: ISO/IEC 27000:2014, Information technology—Security techniques—Information security management systems—Overview and vocabulary. International Organization for Standardization (ISO) (2014)

    Google Scholar 

  29. Tuyikeze, T., Flowerday, S.: Information security policy development and implementation: a content analysis approach. In: HAISA 2014, pp. 11–20 (2014)

    Google Scholar 

  30. Höne, K., Eloff, J.H.P.: Information security policy – what do international information security standards say? Comput. Secur. 21(5), 402–409 (2002)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. CERIS, Informatics, Örebro University, Örebro, Sweden

    Elham Rostami, Fredrik Karlsson & Shang Gao

Authors
  1. Elham Rostami
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fredrik Karlsson
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Shang Gao
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Elham Rostami .

Editor information

Editors and Affiliations

  1. University of Plymouth, Plymouth, UK

    Nathan Clarke

  2. University of Nottingham, Nottingham, UK

    Steven Furnell

Rights and permissions

Reprints and permissions

Copyright information

© 2022 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Rostami, E., Karlsson, F., Gao, S. (2022). Policy Components - A Conceptual Model for Tailoring Information Security Policies. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2022. IFIP Advances in Information and Communication Technology, vol 658. Springer, Cham. https://doi.org/10.1007/978-3-031-12172-2_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-12172-2_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-12171-5

  • Online ISBN: 978-3-031-12172-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation