To Örebro University

oru.seÖrebro University Publications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
The hunt for computerized support in information security policy management: A literature review
Örebro University, Örebro University School of Business. Department of Informatics.ORCID iD: 0000-0002-4439-4713
Örebro University, Örebro University School of Business.ORCID iD: 0000-0002-3265-7627
Örebro University, Örebro University School of Business.
2020 (English)In: Information and Computer Security, E-ISSN 2056-4961, Vol. 28, no 2, p. 215-259Article, review/survey (Refereed) Published
Abstract [en]

Purpose: The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

Design/methodology/approach: The results are based on a literature review of ISP management research published between 1990 and 2017.

Findings: Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.

Research limitations/implications: Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

Practical implications: The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Originality/value: Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2020. Vol. 28, no 2, p. 215-259
Keywords [en]
Literature review, Information security policy, Computerized support
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:oru:diva-79888DOI: 10.1108/ICS-07-2019-0079ISI: 000509959800001OAI: oai:DiVA.org:oru-79888DiVA, id: diva2:1393035
Available from: 2020-02-14 Created: 2020-02-14 Last updated: 2023-11-03Bibliographically approved
In thesis
1. Tailoring information security policies: a computerized tool and a design theory
Open this publication in new window or tab >>Tailoring information security policies: a computerized tool and a design theory
2023 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Protecting information assets in organizations is a must and one way for doing it is developing information security policy (ISP) to direct employees’ behavior and define acceptable procedures that employees have to comply with on a daily basis. However, compliance with the ISP is a perennial problem. Non-compliance with ISPs is at least related to two factors: 1) employees’ behavior, and 2) the design of ISPs. Although much attention has been given to understanding and changing employees’ behavior, designing ISPs that are easy to follow has received less attention. Existing research has suggested designing such ISPs using a tailoring approach where the ISP is designed in several versions that fulfill the needs of different target groups of employees. At the same time, tailoring means increased design complexity for information security managers as the designer of ISPs, where computerized tool can aid. Thus, the aim of this thesis is to develop a computerized tool to support information security managers’ tailoring of ISPs and the design principles that such a tool can be based on. To this end, a design science research approach was employed. Using the knowledge from the Situational Method Engineering field as the kernel theory for the design science research project, a set of design principles and a conceptual model were developed in terms of a Unified Modeling Language class diagram. Subsequently, a web-based software (POLCO) was developed based on the proposed conceptual model to support information security managers to design tailored ISPs. The conceptual model and POLCO were developed, demonstrated, and evaluated as a proof-of-concept in three DSR cycles.

The thesis contribute to research and practice by proposing the design principles and the conceptual model that can be considered as: 1) a new theory on how to design ISPs, 2) a way to develop software to assist information security managers in designing tailored ISPs. Meanwhile, POLCO as an artifactual contribution can be considered as a starting point for researchers to do studies in the ISP design area.

Place, publisher, year, edition, pages
Örebro: Örebro universitet, 2023. p. 149
Series
Örebro Studies in Informatics ; 21
Keywords
Information security management software, tailorable information security policy, policy component, design science, POLCO
National Category
Information Systems, Social aspects
Identifiers
urn:nbn:se:oru:diva-103050 (URN)9789175294896 (ISBN)
Public defence
2023-03-21, Örebro universitet, Forumhuset, Hörsal F, Fakultetsgatan 1, Örebro, 13:15 (English)
Opponent
Supervisors
Available from: 2023-01-12 Created: 2023-01-12 Last updated: 2023-03-16Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text

Authority records

Rostami, ElhamKarlsson, FredrikKolkowska, Ella

Search in DiVA

By author/editor
Rostami, ElhamKarlsson, FredrikKolkowska, Ella
By organisation
Örebro University School of Business
In the same journal
Information and Computer Security
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 310 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf