Exploring the Effect of Knowledge Transfer Practices on User Compliance to IS Security Practices

2014 ◽  
Vol 10 (2) ◽  
pp. 62-78 ◽  
Author(s):  
Tonia San Nicolas-Rocca ◽  
Benjamin Schooley ◽  
Janine L. Spears
Keyword(s):  
Security Policy ◽  
Security Policies ◽  
End User ◽  
New Approach ◽  
Security Practices ◽  
Is Security ◽  
User Knowledge ◽  
And Training ◽  
User Compliance

Institutions of higher education capture, store and disseminate information that is protected by state and federal regulations. As a result, IS security policies are developed and implemented to ensure end user compliance. This case study investigates end user knowledge of their university's IS security policy and proposes a new approach to improve end user compliance. The results of this study suggest that users may be contributors to the transfer of IS security policies when provided with an opportunity to participate in the development of an IS security awareness and training program.

An Examination of Global Municipal Government Privacy and Security Policies

2013 ◽  
pp. 102-114
Author(s):  
Aroon Manoharan ◽  
Marc Fudge
Keyword(s):  
Longitudinal Study ◽  
Security Policy ◽  
Municipal Government ◽  
Security Policies ◽  
The Internet ◽  
Privacy And Security ◽  
Security Practices ◽  
The World ◽  
Research Findings ◽  
Number Of Individuals

This chapter highlights the research findings of a longitudinal study of online privacy and security practices among global municipalities conducted in 2005 and 2007. As cities worldwide implement sophisticated e-government platforms to increasingly provide services online, many barriers still inhibit the adoption of such strategies by the citizen users, and one such factor is the availability of a comprehensive privacy policy. The survey examines cities throughout the world based upon their population size, the total number of individuals using the Internet, and the percentage of individuals using the Internet. Specifically, we examined if the website has a privacy or security policy, does the website utilize digital signatures and if the website has a policy addressing the use of cookies to track users. Overall, results indicate that cities are increasingly emphasizing on privacy and security policies with major improvements in 2007, along with significant changes in the top ranking cities in when compared to the 2005 study.

Security Policies and Procedures

2011 ◽  
pp. 2352-2364
Author(s):  
Yvette Ghormley
Keyword(s):  
Information Systems ◽  
Security Policy ◽  
Security Policies ◽  
Human Element ◽  
Weakest Link ◽  
Adoption And Implementation ◽  
Policies And Procedures ◽  
Management Commitment ◽  
Physical Assets ◽  
And Training

The number and severity of attacks on computer and information systems in the last two decades has steadily risen and mandates the use of security policies by organizations to protect digital as well as physical assets. Although the adoption and implementation of such policies still falls far short, progress is being made. Issues of management commitment, flexibility, structural informality, training, and compliance are among the obstacles that currently hinder greater and more comprehensive coverage for businesses. As security awareness and security-conscious cultures continue to grow, it is likely that research into better methodologies will increase with concomitant efficiency of security policy creation and implementation. However, attacks are becoming increasingly more sophisticated. While the human element is often the weakest link in security, much can be done to mitigate this problem provided security policies are kept focused and properly disseminated, and training and enforcement are applied.

Influences of Frame Incongruence on Information Security Policy Outcomes

2013 ◽  
Vol 3 (3) ◽  
pp. 33-50 ◽  
Author(s):  
Anna Elina Laaksonen ◽  
Marko Niemimaa ◽  
Dan Harnesk
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Cognitive Theory ◽  
Security Policies ◽  
Policy Outcomes ◽  
Information Security Policy ◽  
Internet Service ◽  
Policy Frames ◽  
Concept Of Information

Despite the significant resources organizations devote to information security policies, the policies rarely produce intended outcome. Prior research has sought to explain motivations for non-compliance and suggested approaches for motivating employees for compliance using theories largely derived from psychology. However, the socio-cognitive structures that shape employees' perceptions of the policies and how they influence policy outcomes have received only modest attention. In this study, the authors draw on the socio-cognitive theory of frames and on literature on information security policies in order to suggest a theoretical and analytical concept of Information Security Policy Frames of Reference (ISPFOR). The concept is applied as a sensitizing device, in order to systematically analyze and interpret how the perceptions of policies are shaped by the frames and how they influence policy outcomes. The authors apply the sensitizing device in an interpretive case study conducted at a large multinational internet service provider. The authors’ findings suggest the frames shape the perceptions and can provide a socio-cognitive explanation for unanticipated policy outcomes. Implications for research and practice are discussed.

A Semiotic Examination of the Security Policy Lifecycle

2021 ◽  
pp. 1-17
Author(s):  
Michael Lapke
Keyword(s):  
Security Policy ◽  
Policy Formulation ◽  
Information Systems Security ◽  
Significant Issue ◽  
Security Breaches ◽  
Systems Security ◽  
Is Security ◽  
Security Problem ◽  
Worrying Trend

Major security breaches continue to plague organizations decades after best practices, standards, and technical safeguards have become commonplace. This worrying trend clearly demonstrates that information systems security remains a significant issue within organizations. As policy forms the basis for practice, a major contributor to this ongoing security problem is a faulty security policy lifecycle. This can lead to an insufficient or worse, a failed policy. This chapter is aimed at understanding the lifecycle by analyzing the meanings that are attributed to policy formulation and implementation by the stakeholders involved in the process. A case study was carried out and a “snapshot in time” of the lifecycle of IS security policy lifecycle at the organization revealed that a disconnect is evident in the security policy lifecycle.

scholarly journals It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs

2020 ◽  
Vol 28 (3) ◽  
pp. 467-483 ◽  
Author(s):  
Moufida Sadok ◽  
Steven Alter ◽  
Peter Bednar
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Small And Medium Enterprises ◽  
Security Policies ◽  
Sensitive Information ◽  
Work Practices ◽  
Content Type ◽  
Empirical Results ◽  
Corporate Security ◽  
Security Practices

Purpose This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security. Design/methodology/approach This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view. Findings Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts. Research limitations/implications This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement. Practical implications The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security. Originality/value Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.

Disassociations in Security Policy Lifecycles

2015 ◽  
Vol 9 (1) ◽  
pp. 62-77 ◽  
Author(s):  
Michael Lapke ◽  
Gurpreet Dhillon
Keyword(s):  
Information Systems ◽  
Security Policy ◽  
Policy Formulation ◽  
Information Systems Security ◽  
Security Breaches ◽  
High Profile ◽  
Systems Security ◽  
Is Security ◽  
Two Sides

Continued high profile security breaches indicate that Information Systems Security remains a significant problem within organizations. The authors argue that one of the major contributors to this ongoing problem is a disconnect between security policy formulation and implementation. This disconnect can lead to a failure of policy. This paper is aimed at understanding the disconnect by analyzing the meanings that are attributed to policy formulation and implementation by the stakeholders involved in the process. A case study was carried out and a “snapshot in time” of the lifecycle of IS Security Policy formulation at the organization under study demonstrated that a disconnect is evident between these two sides of security policy.

A Semiotic Examination of the Security Policy Lifecycle

2018 ◽  
pp. 237-253
Author(s):  
Michael Lapke
Keyword(s):  
Security Policy ◽  
Policy Formulation ◽  
Information Systems Security ◽  
Significant Issue ◽  
Security Breaches ◽  
Systems Security ◽  
Is Security ◽  
Security Problem ◽  
Worrying Trend

Major security breaches continue to plague organizations decades after best practices, standards, and technical safeguards have become commonplace. This worrying trend clearly demonstrates that information systems security remains a significant issue within organizations. As policy forms the basis for practice, a major contributor to this ongoing security problem is a faulty security policy lifecycle. This can lead to an insufficient or worse, a failed policy. This chapter is aimed at understanding the lifecycle by analyzing the meanings that are attributed to policy formulation and implementation by the stakeholders involved in the process. A case study was carried out and a “snapshot in time” of the lifecycle of IS security policy lifecycle at the organization revealed that a disconnect is evident in the security policy lifecycle.

scholarly journals Constructing resilience through security and surveillance: The politics, practices and tensions of security-driven resilience

2015 ◽  
Vol 46 (1) ◽  
pp. 86-105 ◽  
Author(s):  
Jon Coaffee ◽  
Pete Fussey
Keyword(s):  
High Resolution ◽  
Social Control ◽  
Social Cohesion ◽  
Security Policy ◽  
Spatial Scales ◽  
Community Resilience ◽  
Muslim Population ◽  
Security Practices ◽  
Local Areas

This article illuminates how, since 9/11, security policy has gradually become more central to a range of resilience discourses and practices. As this process draws a wider range of security infrastructures, organizations and approaches into the enactment of resilience, security practices are enabled through more palatable and legitimizing discourses of resilience. This article charts the emergence and proliferation of security-driven resilience logics, deployed at different spatial scales, which exist in tension with each other. We exemplify such tensions in practice through a detailed case study from Birmingham, UK: ‘Project Champion’ an attempt to install over 200 high-resolution surveillance cameras, often invisibly, around neighbourhoods with a predominantly Muslim population. Here, practices of security-driven resilience came into conflict with other policy priorities focused upon community-centred social cohesion, posing a series of questions about social control, surveillance and the ability of national agencies to construct community resilience in local areas amidst state attempts to label the same spaces as ‘dangerous’. It is argued that security-driven logics of resilience generate conflicts in how resilience is operationalized, and produce and reproduce new hierarchical arrangements which, in turn, may work to subvert some of the founding aspirations and principles of resilience logic itself.

IS Security Policy Violations

2012 ◽  
Vol 24 (1) ◽  
pp. 21-41 ◽  
Author(s):  
Anthony Vance ◽  
Mikko T. Siponen
Keyword(s):  
Empirical Research ◽  
Security Policy ◽  
Rational Choice Theory ◽  
Choice Theory ◽  
Criminological Theory ◽  
Security Policies ◽  
Research And Practice ◽  
Moral Beliefs ◽  
Is Security ◽  
Research Gap

Employee violations of IS security policies are reported as a key concern for organizations. Although behavioral research on IS security has received increasing attention from IS scholars, little empirical research has examined this problem. To address this research gap, the authors test a model based on Rational Choice Theory (RCT)—a prominent criminological theory not yet applied in IS—which explains, in terms of a utilitarian calculation, an individual’s decision to commit a violation. Empirical results show that the effects of informal sanctions, moral beliefs, and perceived benefits convincingly explain employee IS security policy violations, while the effect of formal sanctions is insignificant. Based on these findings, the authors discuss several implications for research and practice.

Security Policies and Procedures

2009 ◽  
pp. 320-330
Author(s):  
Yvette Ghormley
Keyword(s):  
Information Systems ◽  
Security Policy ◽  
Security Policies ◽  
Human Element ◽  
Weakest Link ◽  
Adoption And Implementation ◽  
Policies And Procedures ◽  
Management Commitment ◽  
Physical Assets ◽  
And Training

The number and severity of attacks on computer and information systems in the last two decades has steadily risen and mandates the use of security policies by organizations to protect digital as well as physical assets. Although the adoption and implementation of such policies still falls far short, progress is being made. Issues of management commitment, flexibility, structural informality, training, and compliance are among the obstacles that currently hinder greater and more comprehensive coverage for businesses. As security awareness and security-conscious cultures continue to grow, it is likely that research into better methodologies will increase with concomitant efficiency of security policy creation and implementation. However, attacks are becoming increasingly more sophisticated. While the human element is often the weakest link in security, much can be done to mitigate this problem provided security policies are kept focused and properly disseminated, and training and enforcement are applied.

Sign in / Sign up

Export Citation Format

Share Document