The purpose of this research paper is to investigate how organizations design sustainable information security policies. Designing a sustainable information security policy is one of the most important issues facing organizations today. It should not only be the first step in an organization’s information security policy program but a continuing process to ensure the policy should be maintained of high quality, it is clear, comprehensive and appropriate to the organization’s specific business objectives, strategic goals and culture needs. This is a particularly salient issue in organizations that operate in numerous political, cultural, legal, geographic and economic environments and, by necessity, sometimes must have an information security policy that employees can follow and actually use. Information security represents a growing concern for organizations. As organizations are relying and becoming more dependent on information systems for staying competitive, gain strategic advantage and operations, the issue of effective information security policy also becomes important and the necessary foundation for organizational information security.
In an organization, some unique challenges can arise in designing an information security policy, such as policy differences arising through the various threats, risk acceptance and tolerance levels among business units; internal and external requirements at a country, local and national level; human factors; and cultural differences. In some cases, an organization may require a region-specific information security policy that may be more restrictive than a global information security policy. However, the reason why an information security policy has to be enforced on an organization is because the information security policy requires an effort from them.
The literature review and an experimental study will be used to investigate, explore and understand different factors such as ease of use, designer perceptions of user shortcomings, attitude toward usage, peer influence, perceived behavioral control usage, perceived ease of use, quality of working life, work attitude and intentions as to how to design a sustainable information security policy in an organization.
The research problem of this study is to investigate how to design a sustainable information security policy in an organization. Surprisingly, not too much is known about how to design security policies that pay attention to unique organizational security features, employees and business needs (Siponen and Iivari, 2006). In business, an information security policy is a document that states in writing how an organization should plan to protect its information systems and technology assets, provides guidance based on standards, regulations and rules of what to and what not to do. However the information security policy quality, flexibility and usability are limited. Therefore employees do not pay attention, understand, follow abide and break the information security policy.
An information security policy that is viewed as design product and that is normative lists actions that the employees should follow or should not perform. The design of an information security policy does not necessarily make it possible to address all situations reasonably. However, to guide the design of the information security policy, the product and an application principle should state how it needs to be applied, and a design method should state how it needs to be crafted (Siponen and Iivari, 2006). Product design and development is a complex and lengthy process for organizations since it involves multiple participants from several organizational departments who are required to make decisions outside their area of expertise. To address the problem organizations often purchase ready made information security policies from various sources such as ISO, text books or adopt information security policies from government and other online sources. This leads to incomplete activities and flaws which lead to difficult to follow information security policy.
Sound information security policy should protect the information and systems, as well as the individual employees and the organization as a whole from a wide variety of threats (Veiga, Martins and Eloff, 2007). It also should serve as a prominent statement to the outside world about the organization’s commitment to information security. An information security policy is often considered to be a “living document,” meaning that the document is never finished but is continuously updated as technology, regulations and business requirements change. The information from systematic monitoring should serve as a critical input to evaluation, formulation, implementation and design of the information security policy. The information security policy should be seen not only as an artifact document of the organization to enforce best information security practices but also should identify details of what is acceptable or unacceptable and what is reasonable behavior from the employees in order to ensure sound security of information.
Information security policy should be sustainable. Information security covers people and process issues as well as technology. The design of information security policy in an organization should be integrated into a process that involves employee usability testing and input from various regions, regulations, industry standards and business units. An information security policy is the necessary foundation for a sound organizational information security.
Information security policy should be able to enhance business operations by reducing risk, ensuring protection of organizational critical information assets and decreasing information system’s security management costs as well as to improve information system’s operations while also supporting the demands of internal and external compliance. Since many of these policies require human involvement, for example employee and customer actions, the goals should be measured and checked if they are met only if such human activities can be influenced and monitored and if positive outcomes have incentives while negative actions are sanctioned.
The goal of this research study is to investigate how to design, create and maintain a sustainable information security policy using experimental methods and control focus groups in an organization. An effective information security policy should be based on a usability standard that can be achieved during the design techniques appropriate to implement sustainable information security policy.
The successful design of information security policy is critical in today’s environment of rapid change and challenges in addressing information security policy compliance and effectiveness in organizations. The information security policy is the foundation on which a sound information security is built. As with any foundation, it must be well designed, and well constructed; it can then be trusted to support the organization’s business objectives and goals effectively. It is essential that effective information security policy practices be in place in organizations to ensure the success of information security policy. Effective information security policy requires that users understand and follow the information security mission as described in the organization’s information security policy.
Flexibility and usability are essential elements of an information security policy life cycle, particularly of the design process of information security policy formulation and implementation. An information security policy needs to be sustainable and not rigid. While the importance of the information security policy in ensuring the security of information is acknowledged widely, to date, there has been little empirical analysis of its design, impact or effectiveness in this role. Designing sustainable information security policy is critical to protecting the organization’s information systems and assets. The consequences of violating such as information security policy might be extensive and expensive.
The organization’s information security policy should be written with a clear understanding of the expected outcome and the need to be flexible and usable. The information security policy should incorporate clear definitions and user responsibilities (Gaunt 1998). It should also aim to influence behavior and turn employees into participants in the organization’s efforts to secure its information assets.
Information security policy plays an important role in preventing, detecting and responding to security threats and breaches. Organizations should have security controls to protect their information. One of the most important controls, according to Hone and Eloff (2002), is the information security policy. The information security policy is likely to be ineffective if it is not written well, understood, followed and accepted by all employees.
The results of this study will help practitioners understand how an organization can design sustainable information security policy to achieve effective information security.
The information security of an organization might be left in a less effective state in situations where information security policy is not followed by employees. Employee perception, in some instances, is that following the rules in information security policy interferes and gets in the way of doing their day-to-day work and their ability to accomplish their job tasks. This is because they feel as though this approach is cumbersome and a waste of time. An employee’s failure to comply with the information security policy is a key concern of information security practitioners and organizations. According to Desman (2002) information security is not a technical issue, but rather a human issue, therefore the most significant threat to the security of information in an organization is its employees (Gaunt 1998).
Information security policy should be fair, reasonable, understandable, flexible and usable. If an information security policy is not flexible and usable, employees will not follow it and it will break. According to Besnard and Arief (2004), the design of security products and information security policy should rely more on the rules of human-computer interaction. The employees, independent of their knowledge and intellect, should be able to read an organization’s information security policy understand, follow, comply and adhere to it.
One of the ways to implement good information security practices in an organization is to ensure that a detailed information security policy is in place. The content of the information security policy is particularly significant, as it should be monitored for any changes after it is adopted to attain relevance and an understanding of whether there were changes due to the policy or program. According to Gaunt (2000) user participation in the development of an organization information security is necessary if it is to achieve wide acceptance.
According to Hone and Eloff (2002) one of the most important information security controls in an organization is the information security policy. However, this important document it is not always easy to put together and develop. Some organizations derive their information policy from business goals, service level agreements, industry best practices, and International Standard Organization standards such as ISO 27000, or copy paste from other ready made policy templates found or procured from textbooks or online resources.
Content in information security policies differ according to the type of organization: for example, corporations, academic institutions, government, and within departments such as information technology, human resources, legal, and finance to name a few. The degree of guidance varies from very specific references of what to do or not to do and sanctions of not following the rules. Sanctions affect employees’ actual compliance with information security policy. According to Bia and Kalika (2007), the decision to formulate an information security policy, for example, a policy of acceptable use, occurs when the organization has experienced problems, conflict, damage, or business loss because of improper use of information security rules.
The application of a security policy is considered essential for managing the security of information systems. Implementing a successful information security policy in an organization, however, is not a straightforward task and depends on many factors (Karyda, Kiountouzis and Kokolakis, 2004). Sometimes, employees view the information security policy as an obstacle and a barrier to progress and, in an effort, to do their job more efficiently, employees might not follow the rules set in the information security policy document. Despite the fact that organizations have information security policy in place, more often than not, the application of information security policy fails to attain its goals. To ensure that information security policy is effective, information security professionals must first understand the social elements, including cultural and generational variances that affect employee behavior and perceptions about information security policy (Cisco, 2008).
According to Baskerville and Siponen (2002), strict access controls imposed during fast growing organizational changes can become an obstacle by limiting access to information thereby threatening the organizations survival. This problem is one of limiting organizational emergence because of limited information access and presents conflicting and stringent demands for security policy making. Unexpected business opportunities may require actions that conflict with their information security policy.
Some of the problems facing organizations are of employees not following the information security policy, which reflects the social nature of human beings. According to Kabay (2002), an information security policy challenges employees to change the way they think about their own responsibility for protecting the organization’s valuable information. Attempting to impose information security policy on unwilling employees results in resistance both because stricter information security procedures make jobs more difficult and because people do not like to be told what to do. The process of design and development of information security policy plays an important role in the life cycle of an information security policy and affects how people feel about the information security policy and whether they see rules as a needless imposition of power or an expression of their own values. Unfortunately, an information security policy conflicts with most people’s view of reality: for example, an employee showing sensitive information to someone who does not have the appropriate level of authorization to view such information because they both work on the same project team. However, if users fail to comply with the rules, an information security policy can help deter abuse (Straub and Nance 1990).
Although having an information security policy in an organization is essential, it is not enough to ensure an employee’s compliance with it. Therefore, the aim of this paper is to understand what factors should be considered in the design of a sustainable information security policy in order to motivate employees to comply with the information security policy and understand how important it is.
For the purposes of this paper:
- Information security policy: by definition, an information security policy refers to a clear, understandable comprehensive and well-defined plan, rules, and practices that regulate access to an organization’s system and the information included in it. It is defined as the security policy in a document that states in writing how an organization plans to protect the company’s physical and information technology assets.
- Information policy: is defined as the combination of laws, regulations, rules, and guidelines that steer the creation, management, and use of information that greatly shapes the roles of information in society. Information policy includes a range of issues related to freedom of information, privacy, secrecy, security, intellectual property, and information and communication technologies among other policy areas.
- Information system security: is defined as the state of being free from unacceptable risk. Thus, information security focuses on reducing the risk of computing and communication systems, especially in regard to the misuse, destruction, modification or inappropriate disclosure of information either by intent or accident.
- Product design and development: in this paper refers primarily to the design and development of new information security policy.
The main research question for this study is formulated as:
- How to design sustainable information security policy in an organization?
- H1: Is there a significant difference between flexibility and usability?
- H2: Is there a significant relationship between flexibility and usability?
- H3: If an information security policy is usable then is there a need for sanctions?
- H4: If an information security policy is flexible then is there a need for rewards?
Agarwal, R and Sambamurthy, V. (2002). Principles and models for organizing the IT function. MIS Quarterly Executive, 1(1), 1-16.
Baskerville, R., and Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, 15(5/6), 337-346.
Besnard, D. and Arief, B. (2004). Computer security impaired by legal users. Computers & Security, 23(3), 253-26.
Bia, M., and Kalika, M. (2007). Adopting an ICT code of conduct: An empirical study of organizational factors. Journal of Enterprise Information Management, 20(4), 432-446.
CISCO. Data leakage worldwide: The effectiveness of security policies, 2008, Retrieved March 29 2010 http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-503131.pdf
Da Veiga, A., Martins, N., and Eloff, JHP. (2007). Information security culture – validation of an assessment instrument. Southern African Business Review, 11(1), 147-166.
Desman, M.B. (2002). Building an information security awareness program. Boca Raton, FL, Auerbach Publications.
Doherty, NF., and Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25(1), 55-63.
Eloff, JHP., Labuschagne L, and Badenhorst KP. (1993) A comparative framework for risk analysis methods. Computers and Security, 12(6), 597-603.
Gaunt, N. (1998). Installing an appropriate IS security policy in hospitals. International Journal of Medical Informatics, 49(1), 131-134.
Gaunt N. (2000). Practical approaches to creating a security culture. International Journal of Medical Informatics, 60(2), 151-157.
Hone, K., and Eloff, JHP. (2002). Information security policy – what do international security standards say? Computers and Security, 21(5), 402-9.
Kabay, M. (1994). Psychological factors in the implementation of information security policy. EDPACS, The EDP Audit, Control, and Security Newsletter, 11(10), 1-10.
Karyda, M., Kiountouzis, E., Kokolakis, S. (2005). Information systems security policies: a contextual perspective, Computers and Security, 24(3), 246-260.
Lapke M., and Dhillon, G. (2008). Power relationships in information systems security policy formulation and implementation. European Conference on Information Systems, 16, 1358-1369.
Siponen, M., and Iivari, J. (2006). Six design theories for IS security policies and guidelines. Journal of the Association for Information System,s 7(7), 445-472.
Thomson, K. L., von Solms, R., and Louw, L. (2006). Cultivating an organizational information security culture. Computer Fraud and Security, 10, 7-11.
Straub, D.W., and Nance, W.D. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 14(1), 45-60.
Warman, AR. (1992). Organizational computer security policy: the reality. European Journal of Information Systems, 1(5), 305-10.
Zhang, Y., Liu, X., and Wang, W. (2005). Policy lifecycle model for systems management. IT Professional, 7(2), 50-54.