Practice-Based Discourse Analysis of InfoSec Policies

Employees’ poor compliance with information security policies is a perennial problem for many organizations. Existing research shows that about half of all breaches caused by insiders are accidental, which calls the usefulness of information security policies into question. To support the formulation of information security policies that are practical from the employees’ perspective, we propose eight tentative quality criteria. These criteria were developed using practice-based discourse analysis of three information security policy documents from a health care organisation.
