Influences of Frame Incongruence on Information Security Policy Outcomes

Author(s):  
Anna Elina Laaksonen ◽  
Marko Niemimaa ◽  
Dan Harnesk

Despite the significant resources organizations devote to information security policies, the policies rarely produce the intended outcome. Prior research has sought to explain motivations for non-compliance and suggested approaches for motivating employees for compliance using theories largely derived from psychology. However, the socio-cognitive structures that shape employees' perceptions of the policies and how they influence policy outcomes have received only modest attention. In this study, the authors draw on the socio-cognitive theory of frames and on literature on information security policies in order to suggest a theoretical and analytical concept of Information Security Policy Frames of Reference (ISPFOR). The concept is applied as a sensitizing device, in order to systematically analyze and interpret how the perceptions of policies are shaped by the frames and how they influence policy outcomes. The authors apply the sensitizing device in an interpretive case study conducted at a large multinational internet service provider. The authors’ findings suggest the frames shape the perceptions and can provide a socio-cognitive explanation for unanticipated policy outcomes. Implications for research and practice are discussed.

2019 ◽  
Vol 34 (1) ◽  
pp. 123-134
Author(s):  
Kalana Malimage ◽  
Nirmalee Raddatz ◽  
Brad S. Trinkle ◽  
Robert E. Crossler ◽  
Rebecca Baaske

This study examines the impact of deterrence and inertia on information security policy changes. Corporations recognize the need to prioritize information security, which sometimes involves designing and implementing new security measures or policies. Using an online survey, we investigate the effect of deterrent sanctions and inertia on respondents' intentions to comply with modifications to company information security policies. We find that certainty and celerity associated with deterrent sanctions increase compliance intentions, while inertia decreases respondents' compliance intentions related to modified information security policies. Therefore, organizations must work to overcome employees' reluctance to change in order to improve compliance with security policy modifications. They may also consider implementing certain and timely sanctions for noncompliance.


2009 ◽  
Vol 33 (7) ◽  
pp. 371-384 ◽  
Author(s):  
Cheng-Yuan Ku ◽  
Yi-Wen Chang ◽  
David C. Yen

Author(s):  
Viacheslav B. Dziundziuk ◽  
Yevgen V. Kotukh ◽  
Olena M. Krutii ◽  
Vitalii P. Solovykh ◽  
Oleksandr A. Kotukov

The rapid development of information technology and the problem of its rapid implementation in all spheres of public life, the growing importance of information in management decisions to be made by public authorities, a new format of media — these and other factors urge the problem of developing and implementing quality state information security policy. The aim of the article was to conduct a comparative analysis of the latest practices of improving public information security policies in the European Union, as well as European countries such as Poland, Germany, Great Britain, and Ukraine. The formal-logic, system-structural and problem-theoretical methods were the leading methodological tools. The analysis of regulatory legal acts showed that there is a single concept of international information security at the global and regional levels, which requires additional legal instruments for its implementation. It is stated that the reform of national information security policies has a direct impact on the formation of a single global information space. According to the results of the study, it is substantiated that the United Kingdom is characterized by the most promising information security policy.


Author(s):  
Yassine Maleh ◽  
Mustapha Belaissaoui

This chapter aims to study the success factors of the ISO 27001 framework related to the implementation of information security in organizations, with particular emphasis on the different maturity controls of ISO 27001 in the implementation of information security policies in organizations. The purpose of this paper is to investigate what controls are commonly used and how they are selected for the implementation of information security in large public organizations in the Middle East and North Africa (MENA) through ISO 27001, with a specific focus on a practical framework for the implementation of an effective information security policy through ISO 27001. The finding will help organizations to assess organizations to implement an effective information security policy.


2020 ◽  
Vol 12 (7) ◽  
pp. 2916 ◽  
Author(s):  
Yung Chang Wu ◽  
Rui Sun ◽  
Yenchun Jim Wu

A smart city is developed through the Internet of Things (IoT), cloud computing, big data, mobile Internet, and other new generation technologies regarding information and communication, and data resources in various fields are integrated and applied. The issue of information security in the network era is the strategic focus, as well as the focus of people’s attention, during Taiwan’s smart city construction. Information security policies are the information security guidelines for organizations, and are key to the organization’s information security performance; moreover, such policies show the organization’s support and commitment to the information security of smart cities. This paper discusses the model of information security policy in Taiwan’s smart cities, uses Path Analysis to explore the characteristics of information security policy in smart cities, and examines the relationship between the formulation, implementation, maintenance, and effectiveness of information security policies. Furthermore, this study examines the impact on the effectiveness of organizational information security policies and information security performance from the following aspects: The length of information security policy publication time, policy review, policy advocacy, employee compliance, fair law enforcement, etc., which are all concrete manifestations of the formulation, implementation, and maintenance of information security policy models. Through a questionnaire survey, the correlation between various assumptions, as well as the relationship between organizational information security characteristics, information security policies, and the effectiveness of information security, are verified one by one during the implementation of information security policies. Finally, conclusions and implications are put forward.


2013 ◽  
Vol 25 (1) ◽  
pp. 1-23 ◽  
Author(s):  
Allen C. Johnston ◽  
Barbara Wech ◽  
Eric Jack

Using social cognitive theory as a framework, this study proposes and tests a behavioral model to predict how “remote” status impacts the manner in which social learning cues influence employee awareness of information security policies and ultimately differentiates him or her from in-house employees in terms of information security policy awareness. Based on data acquired from an online sample of 435 fulltime employees across numerous industries and structural equation modeling analysis, the findings suggest that, compared to their in-house counterparts, remote employees experience lower levels of vicarious experiences, verbal persuasion, and situational support, thereby resulting in diminished levels of information security policy awareness. These findings have strong implications for managers of remote employees and for organizations seeking to reduce the risk associated with an ever-increasing remote workforce. The findings also advance social cognitive theory by incorporating information security policy awareness as an important outcome formed from perceptions of social learning cues external to the individual, but present within the organization.


2018 ◽  
Vol 26 (5) ◽  
pp. 568-583 ◽  
Author(s):  
Zakarya A. Alzamil

Purpose: Information security of an organization is influenced by the deployed policy and procedures. Information security policy reflects the organization’s attitude to the protection of its information assets. The purpose of this paper is to investigate the status of the information security policy at a subset of Saudi’s organizations by understanding the perceptions of their information technology’s employees.
Design/methodology/approach: A descriptive and statistical approach has been used to describe the collected data and characteristics of the IT employees and managers to understand the information security policy at the surveyed organizations. The author believes that understanding the IT employees’ views gives a better understanding of the organization’s status of information security policy.
Findings: It has been found that most of the surveyed organizations have established information security policy and deployed fair technology; however, many of such policies are not enforced and publicized effectively and efficiently which degraded the deployed technology for such protection. In addition, the clarity and the comprehensibility of such policies are questionable as indicated by most of the IT employees’ responses. A comparison with similar studies at Middle Eastern and European countries has shown similar findings and shares the same concerns.
Originality/value: The findings of this research suggest that the Saudi Communications and Information Technology Commission should develop a national framework for information security to guide the governmental and non-governmental organizations as well as the information security practitioners on the good information security practices in terms of policy and procedures to help the organizations to avoid any vulnerability that may lead to violations on the security of their information.


2021 ◽  
Vol 27 (4) ◽  
pp. 55-72
Author(s):  
T. Beydina ◽  
A. Kukharsky

The article is relevant, as it provides an assessment of the information security of universities. Ensuring the security of corporate information, which is increasingly stored, processed and disseminated using information and communication technologies (ICT). This is a particularly important problem for knowledge-intensive organizations such as universal ones; the effective conduct of their main educational activities and research activities increasingly depends on the availability, integrity and accuracy of computer information resources. One of the more important mechanisms to reduce the number of security breaches, and thus corporate information, is the development and implementation of a formal information security policy (ISP). Although much has now been written about the importance and role of information security policies and approaches to formulating them, there is relatively little empirical material that is incorporated into the structure or content of security policies. The purpose of the article is to fill this gap in the literature through this method of using the structure and methods of authentic information security policies. Having established the parameters and key features of university policies, the article critically examines the concept of information security embedded in the policy. Two important conclusions can be drawn from this study: 1) the wide variety of disparate policies and standards used, whether there will be a consistent approach to security management; and 2) the range of specific issues explicitly covered by university policy, a surprisingly low and highly technocentric view of information security management. This article is one of the first to objectively, rigorously and independently assess the content of authentic information security policies and information security documentation frameworks in a well-organized organizational environment. 
The article notes that there are four different levels of information policy: “system security policy, product security policy, community security policy, and corporate information security policy.” All policies involve: personal use of information systems, information disclosure, physical security, breaches and hacks, viruses, system access control, mobile computing, internet access, software development, encryption and contingency planning.

