The purpose of this research paper is to investigate how organizations design sustainable information security policies. Designing a sustainable information security policy is one of the most important issues facing organizations today. It should not only be the first step in an organization\u2019s information security policy program but a continuing process to ensure the policy should be maintained of high quality, it is clear, comprehensive and appropriate to the organization\u2019s specific business objectives, strategic goals and culture needs. This is a particularly salient issue in organizations that operate in numerous political, cultural, legal, geographic and economic environments and, by necessity, sometimes must have an information security policy that employees can follow and actually use. Information security represents a growing concern for organizations. As organizations are relying and becoming more dependent on information systems for staying competitive, gain strategic advantage and operations, the issue of effective information security policy also becomes important and the necessary foundation for organizational information security.<\/p>\n
In an organization, some unique challenges can arise in designing an information security policy, such as policy differences arising through the various threats, risk acceptance and tolerance levels among business units; internal and external requirements at a country, local and national level; human factors; and cultural differences. In some cases, an organization may require a region-specific information security policy that may be more restrictive than a global information security policy. However, the reason why an information security policy has to be enforced on an organization is because the information security policy requires an effort from them.<\/p>\n
The literature review and an experimental study will be used to investigate, explore and understand different factors such as ease of use, designer perceptions of user shortcomings, attitude toward usage, peer influence, perceived behavioral control usage, perceived ease of use, quality of working life, work attitude and intentions as to how to design a sustainable information security policy in an organization. <\/p>\n
The research problem of this study is to investigate how to design a sustainable information security policy in an organization. Surprisingly, not too much is known about how to design security policies that pay attention to unique organizational security features, employees and business needs (Siponen and Iivari, 2006). In business, an information security policy is a document that states in writing how an organization should plan to protect its information systems and technology assets, provides guidance based on standards, regulations and rules of what to and what not to do. However the information security policy quality, flexibility and usability are limited. Therefore employees do not pay attention, understand, follow abide and break the information security policy.<\/p>\n
An information security policy that is viewed as design product and that is normative lists actions that the employees should follow or should not perform. The design of an information security policy does not necessarily make it possible to address all situations reasonably. However, to guide the design of the information security policy, the product and an application principle should state how it needs to be applied, and a design method should state how it needs to be crafted (Siponen and Iivari, 2006). Product design and development is a complex and lengthy process for organizations since it involves multiple participants from several organizational departments who are required to make decisions outside their area of expertise. To address the problem organizations often purchase ready made information security policies from various sources such as ISO, text books or adopt information security policies from government and other online sources. This leads to incomplete activities and flaws which lead to difficult to follow information security policy.<\/p>\n
Sound information security policy should protect the information and systems, as well as the individual employees and the organization as a whole from a wide variety of threats (Veiga, Martins and Eloff, 2007). It also should serve as a prominent statement to the outside world about the organization\u2019s commitment to information security. An information security policy is often considered to be a \u201cliving document,\u201d meaning that the document is never finished but is continuously updated as technology, regulations and business requirements change. The information from systematic monitoring should serve as a critical input to evaluation, formulation, implementation and design of the information security policy. The information security policy should be seen not only as an artifact document of the organization to enforce best information security practices but also should identify details of what is acceptable or unacceptable and what is reasonable behavior from the employees in order to ensure sound security of information.<\/p>\n
Information security policy should be sustainable. Information security covers people and process issues as well as technology. The design of information security policy in an organization should be integrated into a process that involves employee usability testing and input from various regions, regulations, industry standards and business units. An information security policy is the necessary foundation for a sound organizational information security.<\/p>\n
Information security policy should be able to enhance business operations by reducing risk, ensuring protection of organizational critical information assets and decreasing information system\u2019s security management costs as well as to improve information system\u2019s operations while also supporting the demands of internal and external compliance. Since many of these policies require human involvement, for example employee and customer actions, the goals should be measured and checked if they are met only if such human activities can be influenced and monitored and if positive outcomes have incentives while negative actions are sanctioned.<\/p>\n
The goal of this research study is to investigate how to design, create and maintain a sustainable information security policy using experimental methods and control focus groups in an organization. An effective information security policy should be based on a usability standard that can be achieved during the design techniques appropriate to implement sustainable information security policy.<\/p>\n
The successful design of information security policy is critical in today\u2019s environment of rapid change and challenges in addressing information security policy compliance and effectiveness in organizations. The information security policy is the foundation on which a sound information security is built. As with any foundation, it must be well designed, and well constructed; it can then be trusted to support the organization\u2019s business objectives and goals effectively. It is essential that effective information security policy practices be in place in organizations to ensure the success of information security policy. Effective information security policy requires that users understand and follow the information security mission as described in the organization\u2019s information security policy.<\/p>\n
Flexibility and usability are essential elements of an information security policy life cycle, particularly of the design process of information security policy formulation and implementation. An information security policy needs to be sustainable and not rigid. While the importance of the information security policy in ensuring the security of information is acknowledged widely, to date, there has been little empirical analysis of its design, impact or effectiveness in this role. Designing sustainable information security policy is critical to protecting the organization\u2019s information systems and assets. The consequences of violating such as information security policy might be extensive and expensive. <\/p>\n
The organization\u2019s information security policy should be written with a clear understanding of the expected outcome and the need to be flexible and usable. The information security policy should incorporate clear definitions and user responsibilities (Gaunt 1998). It should also aim to influence behavior and turn employees into participants in the organization\u2019s efforts to secure its information assets.<\/p>\n
Information security policy plays an important role in preventing, detecting and responding to security threats and breaches. Organizations should have security controls to protect their information. One of the most important controls, according to Hone and Eloff (2002), is the information security policy. The information security policy is likely to be ineffective if it is not written well, understood, followed and accepted by all employees.<\/p>\n
The results of this study will help practitioners understand how an organization can design sustainable information security policy to achieve effective information security.<\/p>\n
The information security of an organization might be left in a less effective state in situations where information security policy is not followed by employees. Employee perception, in some instances, is that following the rules in information security policy interferes and gets in the way of doing their day-to-day work and their ability to accomplish their job tasks. This is because they feel as though this approach is cumbersome and a waste of time. An employee\u2019s failure to comply with the information security policy is a key concern of information security practitioners and organizations. According to Desman (2002) information security is not a technical issue, but rather a human issue, therefore the most significant threat to the security of information in an organization is its employees (Gaunt 1998). <\/p>\n
Information security policy should be fair, reasonable, understandable, flexible and usable. If an information security policy is not flexible and usable, employees will not follow it and it will break. According to Besnard and Arief (2004), the design of security products and information security policy should rely more on the rules of human-computer interaction. The employees, independent of their knowledge and intellect, should be able to read an organization\u2019s information security policy understand, follow, comply and adhere to it.<\/p>\n
One of the ways to implement good information security practices in an organization is to ensure that a detailed information security policy is in place. The content of the information security policy is particularly significant, as it should be monitored for any changes after it is adopted to attain relevance and an understanding of whether there were changes due to the policy or program. According to Gaunt (2000) user participation in the development of an organization information security is necessary if it is to achieve wide acceptance.<\/p>\n
According to Hone and Eloff (2002) one of the most important information security controls in an organization is the information security policy. However, this important document it is not always easy to put together and develop. Some organizations derive their information policy from business goals, service level agreements, industry best practices, and International Standard Organization standards such as ISO 27000, or copy paste from other ready made policy templates found or procured from textbooks or online resources.<\/p>\n
Content in information security policies differ according to the type of organization: for example, corporations, academic institutions, government, and within departments such as information technology, human resources, legal, and finance to name a few. The degree of guidance varies from very specific references of what to do or not to do and sanctions of not following the rules. Sanctions affect employees\u2019 actual compliance with information security policy. According to Bia and Kalika (2007), the decision to formulate an information security policy, for example, a policy of acceptable use, occurs when the organization has experienced problems, conflict, damage, or business loss because of improper use of information security rules.<\/p>\n
The application of a security policy is considered essential for managing the security of information systems. Implementing a successful information security policy in an organization, however, is not a straightforward task and depends on many factors (Karyda, Kiountouzis and Kokolakis, 2004). Sometimes, employees view the information security policy as an obstacle and a barrier to progress and, in an effort, to do their job more efficiently, employees might not follow the rules set in the information security policy document. Despite the fact that organizations have information security policy in place, more often than not, the application of information security policy fails to attain its goals. To ensure that information security policy is effective, information security professionals must first understand the social elements, including cultural and generational variances that affect employee behavior and perceptions about information security policy (Cisco, 2008).<\/p>\n
According to Baskerville and Siponen (2002), strict access controls imposed during fast growing organizational changes can become an obstacle by limiting access to information thereby threatening the organizations survival. This problem is one of limiting organizational emergence because of limited information access and presents conflicting and stringent demands for security policy making. Unexpected business opportunities may require actions that conflict with their information security policy.<\/p>\n
Some of the problems facing organizations are of employees not following the information security policy, which reflects the social nature of human beings. According to Kabay (2002), an information security policy challenges employees to change the way they think about their own responsibility for protecting the organization\u2019s valuable information. Attempting to impose information security policy on unwilling employees results in resistance both because stricter information security procedures make jobs more difficult and because people do not like to be told what to do. The process of design and development of information security policy plays an important role in the life cycle of an information security policy and affects how people feel about the information security policy and whether they see rules as a needless imposition of power or an expression of their own values. Unfortunately, an information security policy conflicts with most people\u2019s view of reality: for example, an employee showing sensitive information to someone who does not have the appropriate level of authorization to view such information because they both work on the same project team. However, if users fail to comply with the rules, an information security policy can help deter abuse (Straub and Nance 1990).<\/p>\n
Although having an information security policy in an organization is essential, it is not enough to ensure an employee\u2019s compliance with it. Therefore, the aim of this paper is to understand what factors should be considered in the design of a sustainable information security policy in order to motivate employees to comply with the information security policy and understand how important it is. <\/p>\n
For the purposes of this paper:<\/p>\n
The main research question for this study is formulated as:<\/p>\n
Hypothesis:<\/p>\n
Agarwal, R and Sambamurthy, V. (2002). Principles and models for organizing the IT function. MIS Quarterly Executive, 1(1), 1-16.<\/p>\n
Baskerville, R., and Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, 15(5\/6), 337-346.<\/p>\n
Besnard, D. and Arief, B. (2004). Computer security impaired by legal users. Computers & Security, 23(3), 253-26.<\/p>\n
Bia, M., and Kalika, M. (2007). Adopting an ICT code of conduct: An empirical study of organizational factors. Journal of Enterprise Information Management, 20(4), 432-446.<\/p>\n