Open this publication in new window or tab >>2023 (English)In: Information and Computer Security, E-ISSN 2056-4961, Vol. 31, no 3, p. 331-352Article in journal (Refereed) Published
Abstract [en]
Purpose: This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).
Design/methodology/approach: This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.
Findings: This study's demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.
Research limitations/implications: The proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.
Practical implications: Practitioners can use the model to develop software that assist information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.
Originality/value: The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.
Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2023
Keywords
Information security policy, Information security management, Policy component, Situational method engineering, Policy design
National Category
Computer Sciences
Identifiers
urn:nbn:se:oru:diva-104974 (URN)10.1108/ICS-10-2022-0160 (DOI)000930607700001 ()2-s2.0-85147558346 (Scopus ID)
2023-03-162023-03-162024-06-11Bibliographically approved