Journal articles on the topic 'Information systems security policy'

Consult the top 50 journal articles for your research on the topic 'Information systems security policy.'

1

Nsoh, Michael Warah, Kathleen Hargiss, and Caroline Howard. "Information Systems Security Policy Compliance." International Journal of Strategic Information Technology and Applications 6, no. 2 (April 2015): 12–39. http://dx.doi.org/10.4018/ijsita.2015040102.

Abstract:
The article describes research conducted to assess and address some key security issues surrounding the use of information technology from an employee behavioral standpoint. The aim of the study was to determine additional security measures to reduce security incidents and maximize effective use of information systems. The research is an extension of several recent empirical studies in information systems security policy behavioral compliance, which have generally found people to be a weak link in information security. A mix of theoretical frameworks resulted in a model based on the Theory of Planned Behavior (TPB), which was used to test the impact that management and employee relationship has on deterrence. Results indicate that management has a significant stake in influencing the behavior of their employees, and that the issue of employee disgruntlement nevertheless is not paramount of top management's information systems security challenges.
2

Henderson, Stuart. "The Information Systems Security Policy Statement." EDPACS 23, no. 12 (June 1996): 9–18. http://dx.doi.org/10.1080/07366989609451717.

3

Saadat, Maryam, and Muhammad Umar Abbasi. "Information Security Policy Development: the Mechanism to Ensure Security Over Information Technology Systems." Global International Relations Review IV, no. III (September 30, 2021): 22–30. http://dx.doi.org/10.31703/girr.2021(iv-iii).04.

Abstract:
Information security is still in its embryonic phase. The reason is that there are certain malevolent actors in the network that are always looking for loopholes in the system and can harm organizations with their malicious activities. The development of information security policy is very important. It lays the foundations of certain significant standards and procedures that help mitigate the potential risks associated with the organization or its network. The following article has discussed information security policy and its respective development cycle for the implementation of policy infrastructure that could help secure vital data and information in an organization. A framework is explained that demonstrates the construction of a policy, keeping in mind the implementation of an effective security policy. It has elaborated the significance of auditing measures focusing on ISO-27001, the policy specifically designed for information security.
4

Amankwa, Eric, Marianne Loock, and Elmarie Kritzinger. "Information Security Policy Compliance Culture." International Journal of Technology and Human Interaction 17, no. 4 (October 2021): 75–91. http://dx.doi.org/10.4018/ijthi.2021100105.

Abstract:
Information security policy (ISP) noncompliance is a growing problem that accounts for a significant number of security breaches in organizations. Existing strategies for changing employees' behavior intentions towards compliance have not been effective. It is therefore imperative to identify other effective strategies to address the problem. This article investigates the effect of accountability constructs on employees' attitudes and behavior intentions towards establishing ISP compliance as a culture. In addition, the authors validate a testable research model for predicting employees' compliance behavior intentions in a field survey involving 313 employees from selected Ghanaian companies. The overall effect showed that measures of accountability significantly influenced employees' attitudes and behavior intentions to ISP compliance while the establishment of ISP compliance culture largely depended on the existence of a conducive information security culture and positive employee behavior intentions.
5

Truchan, Jarosław Radosław. "Selected Security Information Systems." Internal Security 12, no. 2 (December 30, 2020): 38–39. http://dx.doi.org/10.5604/01.3001.0014.6695.

Abstract:
At present, one of the main areas ensuring the proper functioning of services responsible for security is ICT systems, which are used to obtain, store and process relevant information and to support the performance of statutory tasks. When carrying out their statutory tasks, the Polish police use centralised, advanced IT systems and databases, e.g. the National Police Information System (hereinafter referred to as the KSIP). At the same time, the development of technology generates the need to constantly modify this line of activity. The necessity of being adaptable to the ever-changing environment has encouraged the Police Academy in Szczytno and its partners to launch the project entitled: Information and analysis system to support risk management when planning and carrying out police operations (hereinafter referred to as the SIA). Innovative in nature, the project is being implemented based on, among others, expert interviews conducted among police commanding officers. The SIA is being built using the data collected and stored in the police ICT systems and obtained from other sources. The works will result in the development of a possibly full application with planning and decision-making mechanisms and forecasting algorithms, which will provide information on probable successes and necessary investments in possible scenarios of police activities to be undertaken in a specific situation of massive disturbance to public order and safety. The proposed solution is the IT system that serves both as a presentation and simulation of possible incidents in the virtual environment. The author presents the functioning of selected modern ICT systems, and their role and importance in supporting decision-making processes when ensuring public order and safety.
6

Lapke, Michael, and Gurpreet Dhillon. "Disassociations in Security Policy Lifecycles." International Journal of Information Security and Privacy 9, no. 1 (January 2015): 62–77. http://dx.doi.org/10.4018/ijisp.2015010104.

Abstract:
Continued high profile security breaches indicate that Information Systems Security remains a significant problem within organizations. The authors argue that one of the major contributors to this ongoing problem is a disconnect between security policy formulation and implementation. This disconnect can lead to a failure of policy. This paper is aimed at understanding the disconnect by analyzing the meanings that are attributed to policy formulation and implementation by the stakeholders involved in the process. A case study was carried out and a “snapshot in time” of the lifecycle of IS Security Policy formulation at the organization under study demonstrated that a disconnect is evident between these two sides of security policy.
7

Njenga, Kennedy. "Understanding Internal Information Systems Security Policy Violations as Paradoxes." Interdisciplinary Journal of Information, Knowledge, and Management 12 (2017): 001–15. http://dx.doi.org/10.28945/3639.

Abstract:
Aim/Purpose: Violations of Information Systems (IS) security policies continue to generate great anxiety amongst many organizations that use information systems, partly because these violations are carried out by internal employees. This article addresses IS security policy violations in organizational settings, and conceptualizes and problematizes IS security violations by employees of organizations from a paradox perspective. Background: The paradox is that internal employees are increasingly being perceived as more of a threat to the security of organizational systems than outsiders. The notion of paradox is exemplified in four organizational contexts of belonging paradox, learning paradox, organizing paradox and performing paradox. Methodology: A qualitative conceptual framework exemplifying how IS security violations occur as paradoxes in context to these four areas is presented at the end of this article. Contribution: The article contributes to IS security management practice and suggests how IS security managers should be positioned to understand violations in light of this paradox perspective. Findings: The employee generally in the process of carrying out ordinary activities using computing technology exemplifies unique tensions (or paradoxes in belonging, learning, organizing and performing) and these tensions would generally tend to lead to policy violations when an imbalance occurs. Recommendations for Practitioners: IS security managers must be sensitive to employees' tensions. Future Research: A quantitative study, where statistical analysis could be applied to generalize findings, could be useful.
8

Doherty, Neil F., and Heather Fulford. "Aligning the information security policy with the strategic information systems plan." Computers & Security 25, no. 1 (February 2006): 55–63. http://dx.doi.org/10.1016/j.cose.2005.09.009.

9

Butusov, Igor, Pavel Nashchekin, and Aleksandr Romanov. "Theoretical-Semantic Aspects of Integrated Information Systems Security Policy." Voprosy kiberbezopasnosti, no. 1(14) (2016): 9–16. http://dx.doi.org/10.21681/2311-3456-2016-1-9-16.

10

Gritzalis, Dimitris. "A baseline security policy for distributed healthcare information systems." Computers & Security 16, no. 8 (January 1997): 709–19. http://dx.doi.org/10.1016/s0167-4048(97)00009-6.

11

Kamariotou, Maria, and Fotis Kitsios. "Information Systems Strategy and Security Policy: A Conceptual Framework." Electronics 12, no. 2 (January 11, 2023): 382. http://dx.doi.org/10.3390/electronics12020382.

Abstract:
As technology evolves, businesses face new threats and opportunities in the areas of information and information assets. These areas include information creation, refining, storage, and dissemination. Governments and other organizations around the world have begun prioritizing the protection of cyberspace as a pressing international issue, prompting a renewed emphasis on information security strategy development and implementation. While every nation’s information security strategy is crucial, there has not been much work conducted to define a method for gauging national cybersecurity attitudes that takes into account factors and indicators that are specific to that nation. In order to develop a framework that incorporates issues based on the current research in this area, this paper will examine the fundamentals of the information security strategy and the factors that affect its integration. This paper contributes by providing a model based on the ITU cybersecurity decisions, with the goal of developing a roadmap for the successful development and implementation of the National Cybersecurity Strategy in Greece, as well as identifying the factors at the national level that may be aligned with a country’s cybersecurity level.
12

Tamrin, Suraya Ika, Azah Anir Norman, and Suraya Hamid. "Information systems security practices in social software applications." Aslib Journal of Information Management 69, no. 2 (March 20, 2017): 131–57. http://dx.doi.org/10.1108/ajim-08-2016-0124.

Abstract:
Purpose The purpose of this paper is to investigate the current information systems security (ISS) practices of the social software application (SSA) users via the internet. Design/methodology/approach The paper opted for a systematic literature review survey on ISS and its practices in SSAs between 2010 and 2015. The study includes a set of 39 papers from among 1,990 retrieved papers published in 35 high-impact journals. The selected papers were filtered using the Publish or Perish software by Harzing and Journal Citation Report (JCR) with an inclusion criterion of at least one citation per article. Findings The practice of ISS is driven by the need to protect the confidentiality, integrity, and availability of the data from being tampered. It is coherent with the current practice as reported by many researchers in this study. Four important factors lead to the ISS practice in SSA: protection tools offered, ownership, user behaviour, and security policy. Practical implications The paper highlights the implication of successful ISS practices is having clear security purpose and security supported environment (user behaviour and security protection tools) and governance (security policy and ownership) protection tools offered, ownership, user behaviour, and security policy towards ISS practice by the users. Originality/value This paper fulfils an identified need to study how to enable ISS practice.
13

Da Veiga, Adéle. "Comparing the information security culture of employees who had read the information security policy and those who had not." Information & Computer Security 24, no. 2 (June 13, 2016): 139–51. http://dx.doi.org/10.1108/ics-12-2015-0048.

Abstract:
Purpose This study aims, firstly, to determine what influence the information security policy has on the information security culture by comparing the culture of employees who read the policy to those who do not, and, secondly, whether a stronger information security culture is embedded over time if more employees have read the information security policy. Design/methodology/approach An empirical study is conducted at four intervals over eight years across 12 countries using a validated information security culture assessment (ISCA) questionnaire. Findings The overall information security culture average scores as well as individual statements for all four survey assessments were significantly more positive for employees who had read the information security policy compared with employees who had not. The overall information security culture also improved from one assessment to the next. Research limitations/implications The information security culture should be measured and benchmarked over time to monitor change and identify and prioritise actions to improve the information security culture. If employees read the information security policy, it has a positive influence on the information security culture of an organisation. Practical implications Organisations should ensure that employees have read the information security policy to aid in minimising the human risk, related errors and incidents and, ultimately, to instil a stronger information security culture with a higher level of compliant behaviour. Originality/value This research confirms theoretical research indicating that the information security policy could influence the information security culture positively. It provides novel and statistical evidence illustrating that if employees read the information security policy, they have a stronger information security culture and that the culture can be improved through targeted interventions using an ISCA.
14

Paliszkiewicz, Joanna. "Information Security Policy Compliance: Leadership and Trust." Journal of Computer Information Systems 59, no. 3 (February 7, 2019): 211–17. http://dx.doi.org/10.1080/08874417.2019.1571459.

15

Gvozdov, R. Y., and R. V. Oliynykov. "Method and technique of formal design of complex information security system in information and telecommunication systems." Radiotekhnika, no. 203 (December 23, 2020): 91–96. http://dx.doi.org/10.30837/rt.2020.4.203.08.

Abstract:
The aim of the article is to develop a methodology for the formal design of the complex information security system in information and telecommunication systems. At the moment, there are no methods for the formal design of complex information security system in information and telecommunication systems, so the development of such a methodology is an urgent task. The article discusses the methods of formalized modeling of information security policy and methods of formalized description of the information and telecommunications system and information processing processes. The necessity of formal design of complex information security system is substantiated and the requirements for the development of formal descriptions of an integrated information security system in accordance with regulatory documents in the field of technical protection of information are described. The comparative characteristics of the methods of formalized modeling of information security policy and methods of formalized description of the information and telecommunication system and information processing processes are given. As a result of the comparison, it is proposed to use the UML method for the formal description of the information-telecommunication system, and the UMLsec method for the security policy modeling. An algorithm for the formation of a complex of protection facilities in an information and telecommunications system is proposed from a formal model of security policy and from a formalized description of an information and telecommunications system and information processing processes.
16

Sommestad, Teodor. "Work-related groups and information security policy compliance." Information & Computer Security 26, no. 5 (November 12, 2018): 533–50. http://dx.doi.org/10.1108/ics-08-2017-0054.

Abstract:
Purpose It is widely acknowledged that norms and culture influence decisions related to information security. The purpose of this paper is to investigate how work-related groups influence information security policy compliance intentions and to what extent this influence is captured by the Theory of Planned Behavior, an established model over individual decision-making. Design/methodology/approach A multilevel model is used to test the influence of work-related groups using a cluster sample of responses from 2,291 employees from 203 worksites, 119 organizations, 6 industries and 38 professions. Findings The results suggest that work-related groups influence individuals’ decision-making in the manner in which contemporary theories of information security culture posit. However, the influence is weak to modest and overshadowed by individual perceptions that are straightforward to measure. Research limitations/implications This paper is limited to one national culture and four types of work-related groups. However, the results suggest that the Theory of Planned Behavior captures most of the influence that work-related groups have on decision-making. Future research on security culture and similar phenomena should take this into account. Practical implications Information security perceptions in work-related groups are diverse and information security decisions appear to be based on individual perceptions and priorities rather than groupthink or peer-pressure. Security management interventions may be more effective if they target individuals rather than groups. Originality/value This paper tests some of the basic ideas related to information security culture and its influence on individuals’ decision-making.
17

Sommestad, Teodor, Jonas Hallberg, Kristoffer Lundholm, and Johan Bengtsson. "Variables influencing information security policy compliance." Information Management & Computer Security 22, no. 1 (March 4, 2014): 42–75. http://dx.doi.org/10.1108/imcs-08-2012-0045.

Abstract:
Purpose – The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach – A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed. Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation. Research limitations/implications – It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts. Practical implications – Decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown. Originality/value – This is the first systematic review of research on variables that influence compliance with information security policies of organizations.
18

Trček, D. "Security policy conceptual modeling and formalization for networked information systems." Computer Communications 23, no. 17 (November 2000): 1716–23. http://dx.doi.org/10.1016/s0140-3664(00)00257-7.

19

Warman, A. R. "Organizational computer security policy: the reality." European Journal of Information Systems 1, no. 5 (May 1992): 305–10. http://dx.doi.org/10.1057/ejis.1992.2.

20

Amankwa, Eric, Marianne Loock, and Elmarie Kritzinger. "Establishing information security policy compliance culture in organizations." Information & Computer Security 26, no. 4 (October 8, 2018): 420–36. http://dx.doi.org/10.1108/ics-09-2017-0063.

Abstract:
Purpose This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions. Design/methodology/approach In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey. Findings The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations. Practical implications Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance. Originality/value The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.
21

Moody, Gregory D., Mikko Siponen, and Seppo Pahnila. "Toward a Unified Model of Information Security Policy Compliance." MIS Quarterly 42, no. 1 (January 1, 2018): 285–311. http://dx.doi.org/10.25300/misq/2018/13853.

22

Erlich, Zippy, and Moshe Zviran. "Goals and Practices in Maintaining Information Systems Security." International Journal of Information Security and Privacy 4, no. 3 (July 2010): 40–50. http://dx.doi.org/10.4018/jisp.2010070103.

Abstract:
With the rapid growth of information systems and networks, security is a major concern of organizations. The main goals of information systems security are confidentiality, integrity, and availability. The cornerstone of an organization’s security lies in designing, developing and implementing proper information systems’ security policy that balances security goals with the organization’s needs. In this paper, the authors discuss the goals of information systems security and the techniques to achieve them. Specifically, the paper focuses on access control and the various authentication approaches, as well as intrusion detection and prevention systems. As attacks become more frequent and devastating, ongoing research is required to adapt and improve security technologies and policies to reflect new modes of attack to keep information systems secure.
23

Ranise, Silvio, Anh Truong, and Riccardo Traverso. "Parameterized model checking for security policy analysis." International Journal on Software Tools for Technology Transfer 18, no. 5 (December 18, 2015): 559–73. http://dx.doi.org/10.1007/s10009-015-0410-1.

24

Wiafe, Isaac, Felix Nti Koranteng, Abigail Wiafe, Emmanuel Nyarko Obeng, and Winfred Yaokumah. "The role of norms in information security policy compliance." Information & Computer Security 28, no. 5 (June 19, 2020): 743–61. http://dx.doi.org/10.1108/ics-08-2019-0095.

Abstract:
Purpose The purpose of this paper is to determine which factors influence information system security policy compliance. It examines how different norms influence compliance intention. Design/methodology/approach Based on relevant literature on information system security policy compliance, a research model was developed and validated. An online questionnaire was used to gather data from respondents and partial least square structural equation modelling (PLS-SEM) was used to analyse 432 responses received. Findings The results indicated that attitude towards information security compliance mediates the effects of personal norms on compliance intention. In addition, descriptive and subjective norms are significant predictors of personal norms. Originality/value Though advancement in technology has reached significant heights, it is still inadequate to guarantee information systems’ security. Researchers have identified humans to be central in ensuring information security. To this effect, this study provides empirical evidence of the role of norms in influencing information security behaviour.
25

Arbanas, Krunoslav, and Nikolina Žajdela Hrustek. "Key Success Factors of Information Systems Security." Journal of information and organizational sciences 43, no. 2 (December 8, 2019): 131–44. http://dx.doi.org/10.31341/jios.43.2.1.

Abstract:
The issue of information systems security, and thus information as a key resource in today's information society, is something that all organizations in all sectors face in one way or another. To ensure that information remains secure, many organizations have implemented a continuous, structured and systematic security approach to manage and protect an organization's information from undermining individuals by establishing security policies, processes, procedures, and information security organizational structures. However, despite this, security threats, incidents, vulnerabilities and risks are still raging in many organizations. One of the main causes of this problem is poor understanding of information systems security key success factors. Identifying and understanding of information security key success factors can help organizations to manage how to focus limited resources on those elements that really impact on success, therefore saving time and money and creating added value and further enabling operational business. This research, based on comprehensive literature review, summarizes most cited key success factors of information systems security identified in scientific articles indexed in relevant databases, of which the top three success factors were management support, information security policy and information security education, training and awareness. At the end, article states identified research gaps and provides readers with possible directions for further researches.
26

Beydina, T., and A. Kukharsky. "INFORMATION SECURITY POLICY: A CRITICAL STUDY OF THE CONTENT OF UNIVERSITY POLICY." Transbaikal State University Journal 27, no. 4 (2021): 55–72. http://dx.doi.org/10.21209/2227-9245-2021-27-4-55-72.

Abstract:
The article is relevant, as it provides an assessment of the information security of universities. Ensuring the security of corporate information, which is increasingly stored, processed and disseminated using information and communication technologies (ICT). This is a particularly important problem for knowledge-intensive organizations such as universal ones; the effective conduct of their main educational activities and research activities increasingly depends on the availability, integrity and accuracy of computer information resources. One of the more important mechanisms to reduce the number of security breaches, and thus corporate information, is the development and implementation of a formal information security policy (ISP). Although much has now been written about the importance and role of information security policies and approaches to formulating them, there is relatively little empirical material that is incorporated into the structure or content of security policies. The purpose of the article is to fill this gap in the literature through this method of using the structure and methods of authentic information security policies. Having established the parameters and key features of university policies, the article critically examines the concept of information security embedded in the policy. Two important conclusions can be drawn from this study: 1) the wide variety of disparate policies and standards used, whether there will be a consistent approach to security management; and 2) the range of specific issues explicitly covered by university policy, a surprisingly low and highly technocentric view of information security management. This article is one of the first to objectively, rigorously and independently assess the content of authentic information security policies and information security documentation frameworks in a well-organized organizational environment. 
The article notes that there are four different levels of information policy: “system security policy, product security policy, community security policy, and corporate information security policy.” All policies involve: personal use of information systems, information disclosure, physical security, breaches and hacks, viruses, system access control, mobile computing, internet access, software development, encryption and contingency planning.
27

Wang, Yu Fei, Tao Zhang, Yuan Yuan Ma, and Bo Zhang. "An Information Security Assessments Framework for Power Control Systems." Advanced Materials Research 805-806 (September 2013): 980–84. http://dx.doi.org/10.4028/www.scientific.net/amr.805-806.980.

Abstract:
Information and cyber security of Industrial Control Systems (ICS) faces severe challenges and has gained considerable importance. Information security assessment is an essential component of information security assurance infrastructure mechanisms. First, a hierarchical model of smart grid was abstracted. Based on the proposed model and the information security risks and information security protection demands of power control systems, an information security assessments framework for power control systems was proposed in dimensions of system layers and life cycle to guide the security assessment contents of power control systems. Finally, a test bed function design for power control system security assessment was proposed. The power control system security test bed may include four parts, such as power control system security assessment management platform, power control system simulation environment, security assessment tools, and security policy. The proposed security assessment framework and test bed functional design can be used to guide the electric power utilities in their power control system information security efforts.
28

Alshare, Khaled A., Peggy L. Lane, and Michael R. Lane. "Information security policy compliance: a higher education case study." Information & Computer Security 26, no. 1 (March 12, 2018): 91–108. http://dx.doi.org/10.1108/ics-09-2016-0073.

Abstract:
Purpose: The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory and justice theory. Design/methodology/approach: The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression. Findings: The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant. Research limitations/implications: As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study. Practical implications: The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated. Social implications: Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations. Originality/value: Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.
29

Malimage, Kalana, Nirmalee Raddatz, Brad S. Trinkle, Robert E. Crossler, and Rebecca Baaske. "Impact of Deterrence and Inertia on Information Security Policy Changes." Journal of Information Systems 34, no. 1 (March 5, 2019): 123–34. http://dx.doi.org/10.2308/isys-52400.

Abstract:
This study examines the impact of deterrence and inertia on information security policy changes. Corporations recognize the need to prioritize information security, which sometimes involves designing and implementing new security measures or policies. Using an online survey, we investigate the effect of deterrent sanctions and inertia on respondents' intentions to comply with modifications to company information security policies. We find that certainty and celerity associated with deterrent sanctions increase compliance intentions, while inertia decreases respondents' compliance intentions related to modified information security policies. Therefore, organizations must work to overcome employees' reluctance to change in order to improve compliance with security policy modifications. They may also consider implementing certain and timely sanctions for noncompliance.
30

Hong, Kwo‐Shing, Yen‐Ping Chi, Louis R. Chao, and Jih‐Hsing Tang. "An empirical study of information security policy on information security elevation in Taiwan." Information Management & Computer Security 14, no. 2 (March 2006): 104–15. http://dx.doi.org/10.1108/09685220610655861.

31

Huston, Terry L., and Janis L. Huston. "Security in the Management of Information Systems." Health Care Manager 16, no. 4 (June 1998): 28–34. http://dx.doi.org/10.1097/00126450-199806000-00005.

32

Ahmad, Zauwiyah, Thian Song Ong, Tze Hui Liew, and Mariati Norhashim. "Security monitoring and information security assurance behaviour among employees." Information & Computer Security 27, no. 2 (June 12, 2019): 165–88. http://dx.doi.org/10.1108/ics-10-2017-0073.

Abstract:
Purpose: The purpose of this research is to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour. Security assurance behaviour represents employees’ intentional and effortful actions aimed towards protecting information systems. The behaviour is highly desired as it tackles the human factor within the information security framework. The authors posited that security assurance behaviour is a learned behaviour that can be enhanced by the implementation of information security monitoring. Design/methodology/approach: Theoretical framework underlying this study with six constructs, namely, subjective norm, outcome expectation, information security monitoring, information security policy, self-efficacy and perceived inconvenience, were identified as significant in determining employees’ security assurance behaviour (SAB). The influence of these constructs on SAB could be explained by social cognitive theory and is empirically supported by past studies. An online questionnaire survey as the main research instrument is adopted to elicit information on the six constructs tested in this study. Opinion from industry and academic expert panels on the relevance and face validity of the questionnaire were obtained prior to the survey administration. Findings: Findings from this research indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. This study also demonstrates that employees tend to abandon security behaviour when the behaviour is perceived as inconvenient. Hence, organisations must find ways to reduce the perceived inconvenience using various security automation methods and specialised security training. Reducing perceived inconvenience is a challenge to information security practitioners. Research limitations/implications: There are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though the authors have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour as good conduct is generally desired. This may lead to a bias towards favourable behaviour. Practical implications: In general, the present research provides a number of significant insights and valuable information related to security assurance behaviour among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. Findings of this research also indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. Social implications: In this research, the social cognitive learning theory is used to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour; the finding implies that monitoring emphasises expected behaviours and helps to reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, even more imperative whenever security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees. Originality/value: This study is significant in a number of ways. First, this study highlights significant antecedents of security assurance behaviour, which helps organisations to assess their current practices, which may nurture or suppress information security. Second, using users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides theoretical contribution to the existing information security literature via the application of the social cognitive learning theory.
33

Warkentin, Merrill, and Robert Willison. "Behavioral and policy issues in information systems security: the insider threat." European Journal of Information Systems 18, no. 2 (April 2009): 101–5. http://dx.doi.org/10.1057/ejis.2009.12.

34

Felix Chukwuma Aguboshim, Joy Ebere Ezeife, and Ifeyinwa Nkemdilim Obiokafor. "Managing organization information security systems, conflicts, and integrity for sustainable Africa transformation." World Journal of Advanced Research and Reviews 14, no. 2 (May 30, 2022): 080–85. http://dx.doi.org/10.30574/wjarr.2022.14.2.0425.

Abstract:
The ubiquitous reliance on technological innovations by enterprise organizations for electronic file-sharing networks across all business transactions has further exposed organization system enterprises to security threats and risks. Globally, a positive relationship exists between employees’ adherence to security policy enforcement, enterprise definitions, and effective management of organization security systems. Security measures required to handle threats to the organizations’ data: confidentiality, integrity, and availability are becoming complex, dynamic, psychological, but largely undeveloped, outdated, and non-sustainable in Africa despite the huge cyber-security innovations. This study highlights the gaps created by poor employees’ adherence to security policies and enforcement in managing organization information security systems, conflicts, and integrity, and strategies to close them. The authors explored a narrative review of prior research that revealed significant information on strategies for managing organization information security systems. Peer-reviewed articles within the last five years were extracted from electronic databases, using relevant search keywords. Results show that organizational security issues can be prevented or mitigated through effective adherence to security policies, control over policy enforcement, and enterprise definitions. Findings from this study may extend proper security management practices and prevention strategies for Africa’s transformation.
35

Chu, Amanda M. Y., and Mike K. P. So. "Organizational Information Security Management for Sustainable Information Systems: An Unethical Employee Information Security Behavior Perspective." Sustainability 12, no. 8 (April 14, 2020): 3163. http://dx.doi.org/10.3390/su12083163.

Abstract:
This article examines the occurrences of four types of unethical employee information security behavior—misbehavior in networks/applications, dangerous Web use, omissive security behavior, and poor access control—and their relationships with employees’ information security management efforts to maintain sustainable information systems in the workplace. In terms of theoretical contributions, this article identifies and develops reliable and valid instruments to measure different types of unethical employee information security behavior. In addition, it investigates factors affecting different types of such behavior and how such behavior can be used to predict employees’ willingness to report information security incidents. In terms of managerial contributions, the article suggests that information security awareness programs and perceived punishment have differential effects on the four types of unethical behavior and that certain types of unethical information security behavior exert negative effects on employees’ willingness to report information security incidents. The findings will help managers to derive better security rules and policies, which are important for business continuity.
36

Alzamil, Zakarya A. "Information security practice in Saudi Arabia: case study on Saudi organizations." Information & Computer Security 26, no. 5 (November 12, 2018): 568–83. http://dx.doi.org/10.1108/ics-01-2018-0006.

Abstract:
Purpose: Information security of an organization is influenced by the deployed policy and procedures. Information security policy reflects the organization’s attitude to the protection of its information assets. The purpose of this paper is to investigate the status of the information security policy at a subset of Saudi’s organizations by understanding the perceptions of their information technology’s employees. Design/methodology/approach: A descriptive and statistical approach has been used to describe the collected data and characteristics of the IT employees and managers to understand the information security policy at the surveyed organizations. The author believes that understanding the IT employees’ views gives a better understanding of the organization’s status of information security policy. Findings: It has been found that most of the surveyed organizations have established information security policy and deployed fair technology; however, many of such policies are not enforced and publicized effectively and efficiently which degraded the deployed technology for such protection. In addition, the clarity and the comprehensibility of such policies are questionable as indicated by most of the IT employees’ responses. A comparison with similar studies at Middle Eastern and European countries has shown similar findings and shares the same concerns. Originality/value: The findings of this research suggest that the Saudi Communications and Information Technology Commission should develop a national framework for information security to guide the governmental and non-governmental organizations as well as the information security practitioners on the good information security practices in terms of policy and procedures to help the organizations to avoid any vulnerability that may lead to violations on the security of their information.
37

Lin, Canchu, Anand S. Kunnathur, and Long Li. "The Cultural Foundation of Information Security Behavior." Journal of Database Management 31, no. 2 (April 2020): 21–41. http://dx.doi.org/10.4018/jdm.2020040102.

Abstract:
Past behavior research overwhelmingly focused on information security policy compliance and underexplored the role of organizational context in shaping information security behaviors. To address this research gap, this study integrated two threads of literature: organizational culture, and information security behavior control, and proposed a framework that integrates mid-range theories used in empirical research, connects them to organizational culture, and predicts its role in information security behavior control. Consistent with the cultural-fit perspective, this framework shows that information security policy compliance fits hierarchical culture and the approach of promoting positive, proactive, and emerging information security behaviors fits participative culture. Contributions and practical implications of this framework, together with future research directions, are discussed.
38

Alkahtani, Hend K. "Safeguarding the Information Systems in an Organization through Different Technologies, Policies, and Actions." Computer and Information Science 12, no. 2 (April 30, 2019): 117. http://dx.doi.org/10.5539/cis.v12n2p117.

Abstract:
Background: Information system use has substantially increased among the organization based on its effective integration of the resources and improved performance. The increasing reliance on the information system serves as a great security threat for the firms. Objective: The study intends to evaluate the security of the information system in the organization located in the region of Saudi Arabia, concerning the user’s awareness level. Methods: The quantitative design of the study is adopted which uses the survey approach. A close-ended questionnaire is used for evaluating the awareness level among the individuals. A total of 109 participants (males and females) in the Saudi Company were recruited for the study. Results: Despite the implementation of the policy, employees were unaware of it. The study highlights that the development of the firm’s information security policy requires the firm to make employees aware of the significance of the information security. Conclusion: The study concludes that the organization needs to educate the workforce of the information security policy and develop their necessary understanding of the information security system. This allows the employees to identify and report security threats and risks which helps in the improvement of information security awareness.
39

Jassim Muhasin, Haifaa, Ali Yahya Gheni, and Hiba Adil Yousif. "Proposed model for data protection in information systems of government institutions." Bulletin of Electrical Engineering and Informatics 11, no. 3 (June 1, 2022): 1715–22. http://dx.doi.org/10.11591/eei.v11i3.3727.

Abstract:
Information systems and data exchange between government institutions are growing rapidly around the world, and with it, the threats to information within government departments are growing. In recent years, research into the development and construction of secure information systems in government institutions seems to be very effective. Based on information system principles, this study proposes a model for providing and evaluating security for all of the departments of government institutions. The requirements of any information system begin with the organization's surroundings and objectives. Most prior techniques did not take into account the organizational component on which the information system runs, despite the relevance of this feature in the application of access and control methods in terms of security. Based on this, we propose a model for improving security for all departments of government institutions by addressing security issues early in the system's life cycle, integrating them with functional elements throughout the life cycle, and focusing on the system's organizational aspects. The main security aspects covered are system administration, organizational factors, enterprise policy, and awareness and cultural aspects.
40

Al-Mukahal, Hasan M., and Khaled Alshare. "An examination of factors that influence the number of information security policy violations in Qatari organizations." Information & Computer Security 23, no. 1 (March 9, 2015): 102–18. http://dx.doi.org/10.1108/ics-03-2014-0018.

Abstract:
Purpose – This paper aims to investigate factors that impact the number of information security policy violations in Qatari organizations and to examine the moderating effect of Hofstede’s cultural dimensions on the relationships between the independent factors and the number of information security policy violations. Design/methodology/approach – Grounded in related theories from the fields of criminology, behavioral psychology and theory of planned behavior, two components that affect the number of information security policy violations were identified. A quantitative approach was used by developing a questionnaire survey to collect the data. The research model was tested using 234 employees from different Qatari organizations. Findings – The results of the study indicate that trust, the impact of implementing information security policy on work environment and the clarity of the scope of the information security policy were significant factors in predicting the number of information security policy violations. The findings also reveal that cultural dimensions such as uncertainty avoidance and collectivism moderate the relationships between trust, clarity of policy scope and impact of information security policy on work environment and the number of information security policy violations. Research limitations/implications – The generalizability of the results is limited because the sample of the study was drawn from only one developing country. Therefore, a plausible future research could be testing the proposed model in many developing and developed countries. Practical implications – The paper includes practical implications for developing and implementing security measures and policies in diversified work environments. Originality/value – This study fulfils a gap in investigating the factors that influence the number of information security policy violations and the moderating effect of cultural dimensions in developing countries such as Qatar.
41

Li, Han, Xin (Robert) Luo, and Yan Chen. "Understanding Information Security Policy Violation from a Situational Action Perspective." Journal of the Association for Information Systems 22, no. 3 (2021): 739–72. http://dx.doi.org/10.17705/1jais.00678.

Abstract:
Insiders’ negligence or abuse is regarded as a leading cause of information security breaches in organizations. As most of the extant studies have largely examined insider threats at a high level of abstraction, the role of situational moral reasoning for information security policy (ISP) violations in specific situations has received little attention. To advance this line of research, this paper opens up a potentially fruitful path for IS researchers by applying situational action theory (SAT) to contextually examine why employees violate ISPs in particular situations. We consider the violations of password security policy, internet use policy, and confidential data security policy, and examine specific violation intents ranging from altruistic to malicious. The results support most of the assertions derived from SAT. We found situational moral beliefs to be the predominant driver for ISP violations across three situations in an organizational setting. However, the moderation effect of moral beliefs was only significant in situations involving sharing passwords and selling confidential data. Sanction certainty and sanction severity were also found to have different effects across situations. We conclude by presenting implications for IS security practitioners and suggestions for future research.
42

Georgiou, Dimitra, and Costas Lambrinoudakis. "Compatibility of a Security Policy for a Cloud-Based Healthcare System with the EU General Data Protection Regulation (GDPR)." Information 11, no. 12 (December 17, 2020): 586. http://dx.doi.org/10.3390/info11120586.

Abstract:
Currently, there are several challenges that cloud-based healthcare systems around the world are facing. The most important issue is to ensure security and privacy, or in other words, to ensure the confidentiality, integrity, and availability of the data. Although the main provisions for data security and privacy were present in the former legal framework for the protection of personal data, the General Data Protection Regulation (GDPR) introduces new concepts and new requirements. In this paper, we present the main changes and the key challenges of the GDPR and, at the same time, we present how a cloud-based security policy could be modified in order to be compliant with the GDPR, as well as how cloud environments can assist developers to build secure and GDPR compliant cloud-based healthcare systems. The major concept of this paper is dual-purpose; primarily, to facilitate cloud providers in comprehending the framework of the new GDPR and secondly, to identify security measures and security policy rules, for the protection of sensitive data in a cloud-based healthcare system, following our risk-based security policy methodology that assesses the associated security risks and takes into account different requirements from patients, hospitals, and various other professional and organizational actors.
43

Lubua, Edison Wazoel, Adam Aloyce Semlambo, and Catherine G. Mkude. "Factors Affecting the Security of Information Systems in Africa: A Literature Review." University of Dar es Salaam Library Journal 17, no. 2 (January 18, 2023): 94–114. http://dx.doi.org/10.4314/udslj.v17i2.7.

Abstract:
This study determined factors affecting the security of Information Systems in Africa. Also, it established the quality of publications in the area of Information Security. The study is based on peer-reviewed publications conducted in Africa. The study adopted the mixed research approach. The study used a systematic literature review, with part of the analysis using descriptive analysis. In total, 70 papers formed the population of publications extracted in the area of Information Security. In addition, 37 papers had the quality to be included in the analysis of factors affecting Information Security. The study found that information Security factors are in four key categories: human factors, policy-related issues, work environment, and demographic factors. Overall, the work environment is the most reported category affecting the security of Information Systems in Africa. In addition, gender is the highest reported individual factor associated with the insecurity of Information Systems; female is the highly affected gender. Other factors include the lack of Information Security training, the unchecked level of trust, carelessness and poor security policies. The study recommends training programs, policy improvement and promoting behaviours that minimise exposure to attacks.
44

Chen, Yan, K. Ramamurthy, and Kuang-Wei Wen. "Organizations' Information Security Policy Compliance: Stick or Carrot Approach?" Journal of Management Information Systems 29, no. 3 (December 2012): 157–88. http://dx.doi.org/10.2753/mis0742-1222290305.

45

Scoma, Louis. "Security Policy in the PC Environment." Journal of Information Systems Management 4, no. 2 (January 1987): 85–86. http://dx.doi.org/10.1080/07399018708962850.

46

Goel, Sanjay, Kevin J. Williams, Jingyi Huang, and Merrill Warkentin. "Can financial incentives help with the struggle for security policy compliance?" Information & Management 58, no. 4 (June 2021): 103447. http://dx.doi.org/10.1016/j.im.2021.103447.

47

Henry Mathews Odiango, Silvance Abeka, and Samuel Liyala. "Health information systems security: Risks, prospects and frameworks." World Journal of Advanced Engineering Technology and Sciences 6, no. 2 (July 30, 2022): 057–70. http://dx.doi.org/10.30574/wjaets.2022.6.2.0082.

Abstract:
Information is the most precious asset of any organization and assessing risk to information is a core mandate of any institutional management to ensure availability of effective controls to protect information assets. The increasing digitization of health information and the ever-changing cyber security threat environment have led to some public health data breaches and, as information security becomes increasingly important to the continued success for businesses, the majority of organizations are searching for an appropriate security framework. Security risk assessment framework enables identification of threats and vulnerabilities. Although numerous frameworks are available in the market, selection of the right framework to meet the organization’s need is a challenge due to lack of prescriptiveness, standard, inconsistencies, complexity, compliance, cost, and certifications. To address the gap, this study assessed the security of health information system and privacy risks in addition to existing frameworks and developed an enhanced framework. The study adopted a descriptive cross-sectional design and was conducted in Siaya County, in Kenya. A questionnaire was used to collect data which was analyzed and presented in the form of tables and charts. The results indicated that confidentiality of information is good (use of identifiers and passwords at 96.8% approval rate), availability of physical controls to protect authorized access at 95.2%, availability of policies stating staff responsible for protection of information confidentiality at 91.9%, availability of written policy on patient confidentiality and privacy at 74.2% and use of access privileges at 68.8%. 
The findings on integrity of information was poor with availability of systems to review data accuracy having 71.9% approval rate, frequency of data review at 81.2%, availability of written description of information security manager’s responsibility at 39.5%, monitoring of electronic systems to detect potential breaches at 40%, creation of audit logs to track system transactions at 54% and frequency of reviewing audit logs at 51.5%. The findings on availability of information was good (availability of inventory of computers at 69.9%), regular updates of inventory at 61.3%, updates of patient data on laptops and desktops at 68.2%, sharing of data confidentiality and security policy at 36%, and regular backups of audited logs at 51% approval rates. Regarding the assessment of existing security frameworks, it was noted that HIPAA has the following shortcomings: lacks complete valid risk analysis, not certifiable, security rule is safeguarding electronic protected health information only, the security does not regulate emails and does not require encryption, and commitment on security is verbal. On the other hand, ISO/IEC 27001 is expensive, requires specific IT budget, special expertise, and more time to apply in public hospitals. Finally, NIPP framework is expensive, and uses consequence’s assessment which is outside the scope of this study.
48

Gwebu, Kholekile L., Jing Wang, and Michael Y. Hu. "Information security policy noncompliance: An integrative social influence model." Information Systems Journal 30, no. 2 (August 13, 2019): 220–69. http://dx.doi.org/10.1111/isj.12257.

49

Tawar, Imam Riadi, Adiniah Gustika Pratiwi, and Ariqah Adliana Siregar. "Assessment and Mitigation of Information Security Policy in Budgeting System using KAMI Index 4.1." Journal of Novel Engineering Science and Technology 1, no. 01 (August 3, 2022): 24–29. http://dx.doi.org/10.56741/jnest.v1i01.57.

Abstract:
Threats to information resources require information security management policies in every agency. The Information Security Index (KAMI Index) is one of the methods developed by the Ministry of Communication and Information Technology, used to evaluate the maturity level, completeness of ISO/IEC 27001:2013 implementation and information security readiness. As a national zakat institution, XYZ Organization has utilized information technology in several systems, including the budgeting system. However, the information security index has never been measured. This condition may result in the risk of threats to information security, so it is necessary to measure it. The Budgeting System needs to be measured using KAMI Index 4.1. The assessment is carried out on seven categories to determine the quality of the information security policy. In the results of this assessment, XYZ Organization gets an electronic system score of 17, governance 75, risk management 30, framework 31, asset management 37, ICT 38, securing third party involvement 40%, service security 20%, personal data protection 27%, so the total score of 5 categories is 211, or at level I+ to II. This organization has started to implement the framework at an early stage and has not met the initial requirements for ISO/IEC 27001:2013 certification.
50

D’Arcy, John, and Pei-Lee Teh. "Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization." Information & Management 56, no. 7 (November 2019): 103151. http://dx.doi.org/10.1016/j.im.2019.02.006.
