Abstract
Today, many business processes depend on critical information that needs safeguarding. The procedures for achieving this are set out in information security policies (ISPs), which are rarely tailored to the different target groups within an organization. The purpose of this paper is therefore to propose a conceptual model of policy components for software that supports modularizing and tailoring ISPs. We employed design science research to this end. The conceptual model was developed as a Unified Modeling Language (UML) class diagram, using existing ISPs from public agencies in Sweden as input. The conceptual model can serve as a foundation for developing software that tailors ISPs.
© 2022 IFIP International Federation for Information Processing
Rostami, E., Karlsson, F., Gao, S. (2022). Policy Components - A Conceptual Model for Tailoring Information Security Policies. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2022. IFIP Advances in Information and Communication Technology, vol 658. Springer, Cham. https://doi.org/10.1007/978-3-031-12172-2_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-12171-5
Online ISBN: 978-3-031-12172-2