Six Design Theories for IS Security Policies and Guidelines

The unpredictability of the business environment drives organizations to make rapid business decisions with little preparation. Exploiting sudden business opportunities may require a temporary violation of predefined information systems (IS) security policies. Existing research on IS security policies pays little attention to how such exceptional situations should be handled. We argue that normative theories from philosophy offer insights on how such situations can be resolved. Accordingly, this paper advances six design theories (the conservative-deontological, liberal-intuitive, prima-facie, virtue, utilitarian and universalizability theories) and outlines the use of their distinctive application principles in guiding the application of IS security policies. Based on the testable design product hypotheses of the six design theories, we derive a theoretical model to explain the influence of the different normative theories on the “success” of IS security policies and guidelines.
