Practice-based discourse analysis of information security policies

We propose tentative quality criteria for design of information security policies.
The criteria emphasise information security policies as useful tools for employees.
The criteria are anchored in practice-based discourse analysis.
We illustrate the usefulness of practice-based discourse analysis.

To address the insider threat to information and information systems, an information security policy is frequently recommended as an organisational measure. However, having a policy in place does not necessarily guarantee information security. Employees' poor compliance with information security policies is a perennial problem for many organisations. It has been shown that approximately half of all security breaches caused by insiders are accidental, which means that one can question the usefulness of current information security policies. We therefore propose eight tentative quality criteria in order to support the formulation of information security policies that are practical from the employees' perspective. These criteria have been developed using practice-based discourse analysis on three information security policy documents from a health care organisation.
