scholarly journals It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs

2020 ◽  
Vol 28 (3) ◽  
pp. 467-483 ◽  
Author(s):  
Moufida Sadok ◽  
Steven Alter ◽  
Peter Bednar
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Small And Medium Enterprises ◽  
Security Policies ◽  
Sensitive Information ◽  
Work Practices ◽  
Content Type ◽  
Empirical Results ◽  
Corporate Security ◽  
Security Practices

Purpose This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security. Design/methodology/approach This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view. Findings Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts. Research limitations/implications This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement. Practical implications The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security. Originality/value Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.

scholarly journals A framework for reporting and dealing with end-user security policy compliance

2019 ◽  
Vol 27 (1) ◽  
pp. 2-25 ◽  
Author(s):  
Mutlaq Jalimid Alotaibi ◽  
Steven Furnell ◽  
Nathan Clarke
Keyword(s):  
Information Security ◽  
Security Policy ◽  
End Users ◽  
Response Strategy ◽  
Security Policies ◽  
Prototype System ◽  
Content Type ◽  
Novel Approach ◽  
Proposed Model ◽  
Security Policy Compliance

Purpose It is widely acknowledged that non-compliance of employees with information security polices is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users’ behaviour with an information security policy. Design/methodology/approach The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour. Findings A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academic and industry. They considered the proposed model to offers a novel approach for managing end users’ behaviour with the information security policies. Research limitations/implications Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the best solutions. Originality/value Users being compliant with the information security policies of their organisation is the key to strengthen information security. Therefore, when employees have a good level of compliance with security policies, this positively affects the overall security of an organisation.

Information security policies and value conflict in multinational companies

2018 ◽  
Vol 26 (2) ◽  
pp. 230-245 ◽  
Author(s):  
Alper Yayla ◽  
Yu Lei
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Cultural Distance ◽  
Multinational Companies ◽  
Security Policies ◽  
Security Risk ◽  
Value Conflict ◽  
Value Conflicts ◽  
Content Type ◽  
Parent Companies

PurposeThe purpose of this paper is to examine challenges multinational companies face during the diffusion of their information security policies. Parent companies use these policies as their discourse for legitimization of their practices in subsidiaries, which leads to value conflicts in subsidiaries. The authors postulate that, when properly crafted, information security policies can also be used to reduce the very conflicts they are creating.Design/methodology/approachThe proposed framework is conceptualized based on the review of literatures on multinational companies, information security policies and value conflict.FindingsThe authors identified three factors that may lead to value conflict in subsidiary companies: cultural distance, institutional distance and stickiness of knowledge. They offer three recommendations based on organizational discourse, ambidexterity and resource allocation to reduce value conflict.Research limitations/implicationsThe authors postulate that information security policies are the sources of value conflict in subsidiary companies. Yet, when crafted properly, these policies can also offer solutions to minimize value conflict.Practical implicationsThe proposed framework can be used to increase policy diffusion success, minimize value conflict and, in turn, decrease information security risk.Originality/valueThe growing literature on information security policy literature is yet to examine the diffusion of policies within multinational companies. The authors argue that information security policies are the source of, and solution to, value conflict in multinational companies.

Variables influencing information security policy compliance

2014 ◽  
Vol 22 (1) ◽  
pp. 42-75 ◽  
Author(s):  
Teodor Sommestad ◽  
Jonas Hallberg ◽  
Kristoffer Lundholm ◽  
Johan Bengtsson
Keyword(s):  
Systematic Review ◽  
Information Security ◽  
Security Policy ◽  
Empirical Studies ◽  
Security Policies ◽  
Future Research ◽  
Policy Compliance ◽  
Content Type ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

Purpose – The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach – A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed. Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation. Research limitations/implications – It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts. Practical implications – For decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown. Originality/value – This is the first systematic review of research on variables that influence compliance with information security policies of organizations.

Identifying core control items of information security management and improvement strategies by applying fuzzy DEMATEL

2015 ◽  
Vol 23 (2) ◽  
pp. 161-177 ◽  
Author(s):  
Li-Hsing Ho ◽  
Ming-Tsai Hsu ◽  
Tieh-Min Yen
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Security Management ◽  
Fuzzy Dematel ◽  
Information Security Management ◽  
Content Type ◽  
Cause And Effect ◽  
Information Security Management System ◽  
Security Control ◽  
Improvement Strategies

Purpose – The purpose of this paper is to analyze the cause-and-effect relationship and the mutually influential level among information security control items, as well as to provide organizations with a method for analyzing and making systematic decisions for improvement. Design/methodology/approach – This study utilized the Fuzzy DEMATEL to analyze cause-and-effect relationships and mutual influence of the 11 control items of the International Organization for Standardization (ISO) 27001 Information Security Management System (ISMS), which are discussed by seven experts in Taiwan to identify the core control items for developing the improvement strategies. Findings – The study has found that the three core control items of the ISMS are security policy (SC1), access control (SC7) and human resource security (SC4). This study provides organizations with a direction to develop improvement strategies and effectively manage the ISMS of the organization. Originality/value – The value of this study is for an organization to effectively dedicate resources to core control items, such that other control items are driven toward positive change by analyzing the cause-and-effect relation and the mutual influential level among information security control items, through a cause-and-effect matrix and a systematic diagram.

Information security policy compliance: a higher education case study

2018 ◽  
Vol 26 (1) ◽  
pp. 91-108 ◽  
Author(s):  
Khaled A. Alshare ◽  
Peggy L. Lane ◽  
Michael R. Lane
Keyword(s):  
Higher Education ◽  
Information Security ◽  
Security Policy ◽  
Past Research ◽  
Faculty Members ◽  
Research Model ◽  
Security Measures ◽  
Timely Manner ◽  
Content Type

Purpose The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory and justice theory. Design/methodology/approach The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression. Findings The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant. Research limitations/implications As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study. Practical implications The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated. Social implications Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations. Originality/value Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.

Impact of Deterrence and Inertia on Information Security Policy Changes

2019 ◽  
Vol 34 (1) ◽  
pp. 123-134
Author(s):  
Kalana Malimage ◽  
Nirmalee Raddatz ◽  
Brad S. Trinkle ◽  
Robert E. Crossler ◽  
Rebecca Baaske
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Online Survey ◽  
Security Policies ◽  
Security Measures ◽  
Policy Changes ◽  
Information Security Policy ◽  
Improve Compliance ◽  
The Impact

ABSTRACT This study examines the impact of deterrence and inertia on information security policy changes. Corporations recognize the need to prioritize information security, which sometimes involves designing and implementing new security measures or policies. Using an online survey, we investigate the effect of deterrent sanctions and inertia on respondents' intentions to comply with modifications to company information security policies. We find that certainty and celerity associated with deterrent sanctions increase compliance intentions, while inertia decreases respondents' compliance intentions related to modified information security policies. Therefore, organizations must work to overcome employees' reluctance to change in order to improve compliance with security policy modifications. They may also consider implementing certain and timely sanctions for noncompliance.

An Examination of Global Municipal Government Privacy and Security Policies

2013 ◽  
pp. 102-114
Author(s):  
Aroon Manoharan ◽  
Marc Fudge
Keyword(s):  
Longitudinal Study ◽  
Security Policy ◽  
Municipal Government ◽  
Security Policies ◽  
The Internet ◽  
Privacy And Security ◽  
Security Practices ◽  
The World ◽  
Research Findings ◽  
Number Of Individuals

This chapter highlights the research findings of a longitudinal study of online privacy and security practices among global municipalities conducted in 2005 and 2007. As cities worldwide implement sophisticated e-government platforms to increasingly provide services online, many barriers still inhibit the adoption of such strategies by the citizen users, and one such factor is the availability of a comprehensive privacy policy. The survey examines cities throughout the world based upon their population size, the total number of individuals using the Internet, and the percentage of individuals using the Internet. Specifically, we examined if the website has a privacy or security policy, does the website utilize digital signatures and if the website has a policy addressing the use of cookies to track users. Overall, results indicate that cities are increasingly emphasizing on privacy and security policies with major improvements in 2007, along with significant changes in the top ranking cities in when compared to the 2005 study.

Modeling Access Control in Healthcare Organizations

2011 ◽  
pp. 23-44
Author(s):  
Efstratia Mourtou
Keyword(s):  
Information Security ◽  
Access Control ◽  
Security Policy ◽  
Healthcare Professionals ◽  
Vital Role ◽  
Sensitive Information ◽  
Healthcare Organizations ◽  
Security Issues ◽  
Efficiency And Effectiveness ◽  
The Status

Since Hospital Information Systems (HIS) are designed to support doctors and healthcare professionals in their daily activities, information security plays a vital role in managing access control. Efficiency and effectiveness of information security policy is crucial, especially when dealing with situations that affect the status and life-history of the patient. In addition, the rules and procedures to follow, in order to provide confidentiality of sensitive information, have to focus on management of events on any table of the HIS. On the other hand, control and statement constraints, as well as events and security auditing techniques, play also an important role, due to the heterogeneity of healthcare professionals’ roles, actions and physical locations, as well as to the specific characteristics and needs of the healthcare organizations. This chapter will first explore issues in managing access control and security of healthcare information by reviewing the possible threats and vulnerabilities as well as the basic attributes of the hospital’s security plan. The authors will then present a hierarchical access model that, from a security policy perspective, refers to data ownership and access control issues. The authors conclude the chapter with discussions of upcoming security issues.

Information Security Policies and Procedures Guidance for Agencies

2020 ◽  
pp. 47-62
Author(s):  
Dasari Kalyani
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Large Scale ◽  
Management Strategies ◽  
Security Policies ◽  
Risk Levels ◽  
Security Models ◽  
Policies And Procedures ◽  
Good Policy ◽  
The Right

In today's digital e-commerce and m-commerce world, the information itself acts as an asset and exists in the form of hardware, software, procedure, or a person. So the security of these information systems and management is a big challenging issue for small and large-scale agencies. So this chapter discusses the major role and responsibility of the organization's management in identifying the need for information security policy in today's world of changing security principles and controls. It focuses on various policy types suitable for all kinds of security models and procedures with the background details such as security policy making, functionality, and its impact on an agency culture. Information security policies are helpful to identify and assess risk levels with the available set of technological security tools. The chapter describes the management strategies to write a good policy and selection of the right policy public announcement. The agencies must also ensure that the designed policies are properly implemented and ensure compliance through frequent intermediate revisions.

Security monitoring and information security assurance behaviour among employees

2019 ◽  
Vol 27 (2) ◽  
pp. 165-188 ◽  
Author(s):  
Zauwiyah Ahmad ◽  
Thian Song Ong ◽  
Tze Hui Liew ◽  
Mariati Norhashim
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Social Cognitive ◽  
Cognitive Learning ◽  
Content Type ◽  
Security Monitoring ◽  
Security Assurance ◽  
The Social ◽  
Social Cognitive Learning Theory ◽  
Learning Factors

Purpose The purpose of this research is to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour. Security assurance behaviour represents employees’ intentional and effortful actions aimed towards protecting information systems. The behaviour is highly desired as it tackles the human factor within the information security framework. The authors posited that security assurance behaviour is a learned behaviour that can be enhanced by the implementation of information security monitoring. Design/methodology/approach Theoretical framework underlying this study with six constructs, namely, subjective norm, outcome expectation, information security monitoring, information security policy, self-efficacy and perceived inconvenience, were identified as significant in determining employees’ security assurance behaviour (SAB). The influence of these constructs on SAB could be explained by social cognitive theory and is empirically supported by past studies. An online questionnaire survey as the main research instrument is adopted to elicit information on the six constructs tested in this study. Opinion from industry and academic expert panels on the relevance and face validity of the questionnaire were obtained prior to the survey administration. Findings Findings from this research indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. This study also demonstrates that employees tend to abandon security behaviour when the behaviour is perceived as inconvenient. Hence, organisations must find ways to reduce the perceived inconvenience using various security automation methods and specialised security training. Reducing perceived inconvenience is a challenge to information security practitioners. Research limitations/implications There are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though the authors have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour as good conduct is generally desired. This may lead to a bias towards favourable behaviour. Practical implications In general, the present research provides a number of significant insights and valuable information related to security assurance behaviour among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. Findings of this research also indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. Social implications In this research, the social cognitive learning theory is used to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour; the finding implies that monitoring emphases expected behaviours and helps to reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, even more imperative whenever security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees. Originality/value This study is significant in a number of ways. First, this study highlights significant antecedents of security assurance behaviour, which helps organisations to assess their current practices, which may nurture or suppress information security. Second, using users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides theoretical contribution to the existing information security literature via the application of the social cognitive learning theory.

Sign in / Sign up

Export Citation Format

Share Document