Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation

Benchmarking information security policies faces two challenges: organizations are reluctant to share data about their information security, and no two organizations are identical. In this paper, we propose an artifact for a benchmarking method for information security policy that addresses both challenges. We employ design science methodology, activity theory, and international standards to design the artifact as a proof of concept. The artifact supports the implementation of efficient information security policies, and organizations can use it to analyze and benchmark their policies. We illustrate the completeness and reliability of the artifact through a case study using the information security policies of six companies.
