Open this publication in new window or tab >>2023 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]
Protecting information assets in organizations is a must and one way for doing it is developing information security policy (ISP) to direct employees’ behavior and define acceptable procedures that employees have to comply with on a daily basis. However, compliance with the ISP is a perennial problem. Non-compliance with ISPs is at least related to two factors: 1) employees’ behavior, and 2) the design of ISPs. Although much attention has been given to understanding and changing employees’ behavior, designing ISPs that are easy to follow has received less attention. Existing research has suggested designing such ISPs using a tailoring approach where the ISP is designed in several versions that fulfill the needs of different target groups of employees. At the same time, tailoring means increased design complexity for information security managers as the designer of ISPs, where computerized tool can aid. Thus, the aim of this thesis is to develop a computerized tool to support information security managers’ tailoring of ISPs and the design principles that such a tool can be based on. To this end, a design science research approach was employed. Using the knowledge from the Situational Method Engineering field as the kernel theory for the design science research project, a set of design principles and a conceptual model were developed in terms of a Unified Modeling Language class diagram. Subsequently, a web-based software (POLCO) was developed based on the proposed conceptual model to support information security managers to design tailored ISPs. The conceptual model and POLCO were developed, demonstrated, and evaluated as a proof-of-concept in three DSR cycles.
The thesis contribute to research and practice by proposing the design principles and the conceptual model that can be considered as: 1) a new theory on how to design ISPs, 2) a way to develop software to assist information security managers in designing tailored ISPs. Meanwhile, POLCO as an artifactual contribution can be considered as a starting point for researchers to do studies in the ISP design area.
Place, publisher, year, edition, pages
Örebro: Örebro universitet, 2023. p. 149
Series
Örebro Studies in Informatics ; 21
Keywords
Information security management software, tailorable information security policy, policy component, design science, POLCO
National Category
Information Systems, Social aspects
Identifiers
urn:nbn:se:oru:diva-103050 (URN)9789175294896 (ISBN)
Public defence
2023-03-21, Örebro universitet, Forumhuset, Hörsal F, Fakultetsgatan 1, Örebro, 13:15 (English)
Opponent
Supervisors
2023-01-122023-01-122023-03-16Bibliographically approved