Digitala Vetenskapliga Arkivet

Tailoring policies and involving users in constructing security policies: A mapping study
Örebro University, Örebro University School of Business (CERIS). ORCID iD: 0000-0002-4439-4713
2019 (English). In: Proceedings of the Thirteenth International Symposium on Human Aspects of Information Security & Assurance, 2019. Conference paper, published paper (refereed).
Abstract [en]

The purpose of this study is to survey existing information security policy (ISP) construction research to understand to what extent the concept of tailored ISPs and user involvement have been considered by researchers. The results are based on a literature mapping study of ISP construction between 1990 and 2017 in the Scopus and Web of Science databases. The findings show that researchers have not given tailoring of ISPs any attention, and only a few researchers have paid attention to involving users in constructing ISPs. This research has implications for both researchers and practitioners and shows the way for future research by focusing on the concept of tailored policy and how it can be achieved, as well as on involving users in such tailoring.

Place, publisher, year, edition, pages
2019.
Keywords [en]
Information security policy, Policy construction, Tailored policy, User involvement, Mapping study
National Category
Information Systems
Identifiers
URN: urn:nbn:se:oru:diva-75891; OAI: oai:DiVA.org:oru-75891; DiVA id: diva2:1345646
Conference
HAISA 2019, Nicosia, Cyprus, 15th - 17th July, 2019
Available from: 2019-08-26. Created: 2019-08-26. Last updated: 2023-02-22. Bibliographically approved.
In thesis
1. Tailoring information security policies: a computerized tool and a design theory
2023 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Protecting information assets in organizations is a must, and one way of doing so is to develop an information security policy (ISP) that directs employees' behavior and defines acceptable procedures that employees have to comply with on a daily basis. However, compliance with the ISP is a perennial problem. Non-compliance with ISPs is related to at least two factors: 1) employees' behavior, and 2) the design of ISPs. Although much attention has been given to understanding and changing employees' behavior, designing ISPs that are easy to follow has received less attention. Existing research has suggested designing such ISPs using a tailoring approach, where the ISP is designed in several versions that fulfill the needs of different target groups of employees. At the same time, tailoring means increased design complexity for information security managers as the designers of ISPs, which a computerized tool can help to manage. Thus, the aim of this thesis is to develop a computerized tool to support information security managers' tailoring of ISPs, together with the design principles on which such a tool can be based. To this end, a design science research (DSR) approach was employed. Using knowledge from the Situational Method Engineering field as the kernel theory for the design science research project, a set of design principles and a conceptual model were developed in the form of a Unified Modeling Language class diagram. Subsequently, web-based software (POLCO) was developed based on the proposed conceptual model to support information security managers in designing tailored ISPs. The conceptual model and POLCO were developed, demonstrated, and evaluated as a proof of concept in three DSR cycles.

The thesis contributes to research and practice by proposing the design principles and the conceptual model, which can be considered as: 1) a new theory on how to design ISPs, and 2) a way to develop software to assist information security managers in designing tailored ISPs. Meanwhile, POLCO, as an artifactual contribution, can be considered a starting point for researchers to conduct studies in the ISP design area.

Place, publisher, year, edition, pages
Örebro: Örebro universitet, 2023. p. 149
Series
Örebro Studies in Informatics ; 21
Keywords
Information security management software, tailorable information security policy, policy component, design science, POLCO
National Category
Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:oru:diva-103050; ISBN: 9789175294896
Public defence
2023-03-21, Örebro universitet, Forumhuset, Hörsal F, Fakultetsgatan 1, Örebro, 13:15 (English)
Available from: 2023-01-12. Created: 2023-01-12. Last updated: 2025-05-19. Bibliographically approved.

Open Access in DiVA

Tailoring policies and involving users in constructing security policies – A mapping study (259 kB, 454 downloads)
File information
File name: FULLTEXT01.pdf
File size: 259 kB
Checksum SHA-512: 69e40271a49d3a485bb0eeaa7544651e6dfa7fd1c97722c11c6aed03ccd0e61649e29eeb67e57ea37175fa04ead4fbf6a1aed12f525b526b90be0e006d4c1c54
Type: fulltext
Mimetype: application/pdf

Search in DiVA

By author/editor
Rostami, Elham
By organisation
Örebro University School of Business
Information Systems
