Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy

Increasingly, users are seen as the weak link in the chain when it comes to the security of corporate information. Should the users of computer systems act in any inappropriate or insecure manner, then they may put their employers in danger of financial losses, information degradation or litigation, and themselves in danger of dismissal or prosecution. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of inappropriate behaviours, and in so doing protecting corporate information, is the formulation and application of a formal 'acceptable use policy' (AUP). Whilst the AUP has attracted some academic interest, that interest has tended to be prescriptive and overly focussed on the role of the Internet, and there is relatively little empirical material that explicitly addresses the purpose, positioning or content of real acceptable use policies. The broad aim of the study reported in this paper is to fill this gap in the literature by critically examining the structure and composition of a sample of authentic policies, taken from the higher education sector, rather than simply making general prescriptions about what they ought to contain. There are two important conclusions to be drawn from this study: (1) the primary role of the AUP appears to be as a mechanism for dealing with unacceptable behaviour, rather than proactively promoting desirable and effective security behaviours, and (2) the wide variation found in the coverage and positioning of the reviewed policies is unlikely to be fostering a coherent approach to security management across the higher education sector.
