INFORMATION SECURITY POLICY: A CRITICAL STUDY OF THE CONTENT OF UNIVERSITY POLICY

2021 ◽  
Vol 27 (4) ◽  
pp. 55-72
Author(s):  
T. Beydina ◽  
◽  
A. Kukharsky ◽  
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Security Management ◽  
Security Policies ◽  
Critical Study ◽  
Information Security Policy ◽  
University Policy ◽  
Security Breaches ◽  
Research Activities ◽  
Corporate Information

The article is relevant, as it provides an assessment of the information security of universities. Ensuring the security of corporate information, which is increasingly stored, processed and disseminated using information and communication technologies (ICT). This is a particularly important problem for knowledge-intensive organizations such as universal ones; the effective conduct of their main educational activities and research activities increasingly depends on the availability, integrity and accuracy of computer information resources. One of the more important mechanisms to reduce the number of security breaches, and thus corporate information, is the development and implementation of a formal information security policy (ISP). Although much has now been written about the importance and role of information security policies and approaches to formulating them, there is relatively little empirical material that is incorporated into the structure or content of security policies. The purpose of the article is to fill this gap in the literature through this method of using the structure and methods of authentic information security policies. Having established the parameters and key features of university policies, the article critically examines the concept of information security embedded in the policy. Two important conclusions can be drawn from this study: 1) the wide variety of disparate policies and standards used, whether there will be a consistent approach to security management; and 2) the range of specific issues explicitly covered by university policy, a surprisingly low and highly technocentric view of information security management. This article is one of the first to objectively, rigorously and independently assess the content of authentic information security policies and information security documentation frameworks in a well-organized organizational environment. The article notes that there are four different levels of information policy: “system security policy, product security policy, community security policy, and corporate information security policy.” All policies involve: personal use of information systems, information disclosure, physical security, breaches and hacks, viruses, system access control, mobile computing, internet access, software development, encryption and contingency planning

Impact of Deterrence and Inertia on Information Security Policy Changes

2019 ◽  
Vol 34 (1) ◽  
pp. 123-134
Author(s):  
Kalana Malimage ◽  
Nirmalee Raddatz ◽  
Brad S. Trinkle ◽  
Robert E. Crossler ◽  
Rebecca Baaske
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Online Survey ◽  
Security Policies ◽  
Security Measures ◽  
Policy Changes ◽  
Information Security Policy ◽  
Improve Compliance ◽  
The Impact

ABSTRACT This study examines the impact of deterrence and inertia on information security policy changes. Corporations recognize the need to prioritize information security, which sometimes involves designing and implementing new security measures or policies. Using an online survey, we investigate the effect of deterrent sanctions and inertia on respondents' intentions to comply with modifications to company information security policies. We find that certainty and celerity associated with deterrent sanctions increase compliance intentions, while inertia decreases respondents' compliance intentions related to modified information security policies. Therefore, organizations must work to overcome employees' reluctance to change in order to improve compliance with security policy modifications. They may also consider implementing certain and timely sanctions for noncompliance.

scholarly journals State Information Security Policy (Comparative Legal Aspect)

2021 ◽  
Vol 39 (71) ◽  
pp. 166-186
Author(s):  
Viacheslav B. Dziundziuk ◽  
Yevgen V. Kotukh ◽  
Olena M. Krutii ◽  
Vitalii P. Solovykh ◽  
Oleksandr A. Kotukov
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Rapid Development ◽  
Legal Aspect ◽  
Public Information ◽  
Security Policies ◽  
The European Union ◽  
Public Authorities ◽  
Information Security Policy ◽  
State Information

The rapid development of information technology and the problem of its rapid implementation in all spheres of public life, the growing importance of information in management decisions to be made by public authorities, a new format of media — these and other factors urge the problem of developing and implementing quality state information security policy. The aim of the article was to conduct a comparative analysis of the latest practices of improving public information security policies in the European Union, as well as European countries such as Poland, Germany, Great Britain, and Ukraine. The formal-logic, system-structural and problem-theoretical methods were the leading methodological tools. The analysis of regulatory legal acts showed that there is a single concept of international information security at the global and regional levels, which requires additional legal instruments for its implementation. It is stated that the reform of national information security policies has a direct impact on the formation of a single global information space. According to the results of the study, it is substantiated that the United Kingdom is characterized by the most promising information security policy.

Influences of Frame Incongruence on Information Security Policy Outcomes

2013 ◽  
Vol 3 (3) ◽  
pp. 33-50 ◽  
Author(s):  
Anna Elina Laaksonen ◽  
Marko Niemimaa ◽  
Dan Harnesk
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Cognitive Theory ◽  
Security Policies ◽  
Policy Outcomes ◽  
Information Security Policy ◽  
Internet Service ◽  
Policy Frames ◽  
Concept Of Information

Despite the significant resources organizations devote to information security policies, the policies rarely produce intended outcome. Prior research has sought to explain motivations for non-compliance and suggested approaches for motivating employees for compliance using theories largely derived from psychology. However, the socio-cognitive structures that shape employees' perceptions of the policies and how they influence policy outcomes have received only modest attention. In this study, the authors draw on the socio-cognitive theory of frames and on literature on information security policies in order to suggest a theoretical and analytical concept of Information Security Policy Frames of Reference (ISPFOR). The concept is applied as a sensitizing device, in order to systematically analyze and interpret how the perceptions of policies are shaped by the frames and how they influence policy outcomes. The authors apply the sensitizing device in an interpretive case study conducted at a large multinational internet service provider. The authors’ findings suggest the frames shape the perceptions and can provide a socio-cognitive explanation for unanticipated policy outcomes. Implications for research and practice are discussed.

Exploring the Effectiveness of Information Security Policies

2011 ◽  
pp. 43-66
Author(s):  
Neil F. Doherty ◽  
Heather Fulford
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Human Error ◽  
Security Policies ◽  
Unexpected Finding ◽  
Security Breaches ◽  
The United Kingdom ◽  
Significant Relationships ◽  
It Managers ◽  
Information Assets

Ensuring the security of corporate information assets has become an extremely complex, challenging and high-priority activity, due partly to their growing organizational importance, but also because of their increasing vulnerability to attacks from viruses, hackers, criminals, and human error. Consequently, organizations are having to prioritise the security of their computer systems, to ensure that their information assets retain their accuracy, confidentiality, and availability. Whilst the importance of the information security policy (InSPy) in ensuring the security of information is widely acknowledged, there has, to date, been little empirical analysis of its impact or effectiveness in this role. To help fill this gap an exploratory study was initiated that sought to investigate the relationship between the uptake and application of information security policies and the accompanying levels of security breaches. To this end a questionnaire was designed, validated, and then targeted at IT managers within large organisations in the United Kingdom. The findings, presented in this chapter, are somewhat surprising, as they show no statistically significant relationships between the adoption of information security policies and the incidence or severity of security breaches. The chapter concludes by exploring the possible interpretations of this unexpected finding, and its implications for the practice of information security management.

Information Security Policies in Large Organizations

2011 ◽  
pp. 238-260
Author(s):  
Neil F. Doherty ◽  
Heather Fulford
Keyword(s):  
United Kingdom ◽  
Information Security ◽  
Conceptual Framework ◽  
Security Policy ◽  
Progress Report ◽  
Security Policies ◽  
Security Breaches ◽  
The United Kingdom ◽  
It Managers ◽  
The Relationship

While the importance of the information security policy (ISP) is widely acknowledged in the academic literature, there has, to date, been little empirical analysis of its impact. To help fill this gap a study was initiated that sought to explore the relationship between the uptake, scope and dissemination of information security policies and the accompanying levels of security breaches. To this end, a questionnaire was designed, validated and then targeted at IT managers within large organisations in the United Kingdom. The aim of this chapter is to provide a progress report on this study by describing the objectives of the research and the design of the conceptual framework.

scholarly journals Hospital Staff’s Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables

2021 ◽  
Vol 58 ◽  
pp. 004695802110295
Author(s):  
Kuang-Ming Kuo ◽  
Paul C. Talley ◽  
Dyi-Yih Michael Lin
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Structural Equation ◽  
International Standards ◽  
Equation Modeling ◽  
Management Support ◽  
Internal Auditing ◽  
Information Security Policy ◽  
Security Breaches ◽  
Upper Echelon Theory

Information security has come to the forefront as an organizational priority since information systems are considered as some of the most important assets for achieving competitive advantages. Despite huge capital expenditures devoted to information security, the occurrence of security breaches is still very much on the rise. More studies are thus required to inform organizations with a better insight on how to adequately promote information security. To address this issue, this study investigates important factors influencing hospital staff’s adherence to Information Security Policy (ISP). Deterrence theory is adopted as the theoretical underpinning, in which punishment severity and punishment certainty are recognized as the most significant predictors of ISP adherence. Further, this study attempts to identify the antecedents of punishment severity and punishment certainty by drawing from upper echelon theory and well-acknowledged international standards of IS security practices. A survey approach was used to collect 299 valid responses from a large Taiwanese healthcare system, and hypotheses were tested by applying partial least squares-based structural equation modeling. Our empirical results show that Security Education, Training, and Awareness (SETA) programs, combined with internal auditing effectiveness are significant predictors of punishment severity and punishment certainty, while top management support is not. Further, punishment severity and punishment certainty are significant predictors of hospital staff’s ISP adherence intention. Our study highlights the importance of SETA programs and internal auditing for reinforcing hospital staff’s perceptions on punishment concerning ISP violation, hospitals can thus propose better internal strategies to improve their staff’s ISP compliance intention accordingly.

Information Security Policy Compliance Culture

2021 ◽  
Vol 17 (4) ◽  
pp. 75-91
Author(s):  
Eric Amankwa ◽  
Marianne Loock ◽  
Elmarie Kritzinger
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Information Security Policy ◽  
Security Breaches ◽  
Effective Strategies ◽  
Behavior Intentions ◽  
And Behavior ◽  
Attitudes And Behavior ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

Information security policy (ISP) noncompliance is a growing problem that accounts for a significant number of security breaches in organizations. Existing strategies for changing employees' behavior intentions towards compliance have not been effective. It is therefore imperative to identify other effective strategies to address the problem. This article investigates the effect accountability constructs on employees' attitudes and behavior intentions towards establishing ISP compliance as a culture. In addition, the authors validate a testable research model for predicting employees' compliance behavior intentions in a field survey involving 313 employees from selected Ghanaian companies. The overall effect showed that measures of accountability significantly influenced employees' attitudes and behavior intentions to ISP compliance while the establishment of ISP compliance culture largely depended on the existence of a conducive information security culture and positive employee behavior intentions.

Sign in / Sign up

Export Citation Format

Share Document