To Örebro University

oru.seÖrebro University Publications
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Requirements for computerized tools to design information security policies
Örebro University, Örebro University School of Business. CERIS, Department of Informatics.ORCID iD: 0000-0002-4439-4713
Örebro University, Örebro University School of Business. CERIS, Department of Informatics.ORCID iD: 0000-0002-3265-7627
Örebro University, Örebro University School of Business. CERIS, Department of Informatics.ORCID iD: 0000-0002-3722-6797
2020 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 99, article id 102063Article in journal (Refereed) Published
Abstract [en]

Information security is a hot topic nowadays, and while top-class technology exists to safeguard information assets, organizations cannot rely on technical controls alone. Information security policy (ISP) is one of the most important formal controls when organizations work with implementing information security. However, designing ISPs is a challenging task for information security managers and to ease the burden, computerized tools have been suggested to support this design task. One important prerequisite for developing such tools is the requirements. However, existing research has, to a very limited extent, synthesized existing requirements. Against this backdrop, this study aims to elicit a set of requirements, anchored in existing ISP research, for computerized tools that support ISP design. First, we summarize existing ISP research into 14 requirement themes. Second, we suggest a set of user stories that operationalize these requirement themes from an information security manager's perspective. Third, we suggest another set of user stories that operationalize the same requirement themes from an ISP user's perspective. In total, we suggest 28 user stories that can act as a starting point for both researchers and practitioners when developing computerized tools that provide ISP design support for information security managers. 

Place, publisher, year, edition, pages
Elsevier, 2020. Vol. 99, article id 102063
Keywords [en]
Information security policy, Information security management, Requirements, User story, Computerized tool
National Category
Information Systems
Identifiers
URN: urn:nbn:se:oru:diva-88215DOI: 10.1016/j.cose.2020.102063ISI: 000591706000002Scopus ID: 2-s2.0-85092099945OAI: oai:DiVA.org:oru-88215DiVA, id: diva2:1513386
Available from: 2020-12-30 Created: 2020-12-30 Last updated: 2023-02-22Bibliographically approved
In thesis
1. Tailoring information security policies: a computerized tool and a design theory
Open this publication in new window or tab >>Tailoring information security policies: a computerized tool and a design theory
2023 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Protecting information assets in organizations is a must and one way for doing it is developing information security policy (ISP) to direct employees’ behavior and define acceptable procedures that employees have to comply with on a daily basis. However, compliance with the ISP is a perennial problem. Non-compliance with ISPs is at least related to two factors: 1) employees’ behavior, and 2) the design of ISPs. Although much attention has been given to understanding and changing employees’ behavior, designing ISPs that are easy to follow has received less attention. Existing research has suggested designing such ISPs using a tailoring approach where the ISP is designed in several versions that fulfill the needs of different target groups of employees. At the same time, tailoring means increased design complexity for information security managers as the designer of ISPs, where computerized tool can aid. Thus, the aim of this thesis is to develop a computerized tool to support information security managers’ tailoring of ISPs and the design principles that such a tool can be based on. To this end, a design science research approach was employed. Using the knowledge from the Situational Method Engineering field as the kernel theory for the design science research project, a set of design principles and a conceptual model were developed in terms of a Unified Modeling Language class diagram. Subsequently, a web-based software (POLCO) was developed based on the proposed conceptual model to support information security managers to design tailored ISPs. The conceptual model and POLCO were developed, demonstrated, and evaluated as a proof-of-concept in three DSR cycles.

The thesis contribute to research and practice by proposing the design principles and the conceptual model that can be considered as: 1) a new theory on how to design ISPs, 2) a way to develop software to assist information security managers in designing tailored ISPs. Meanwhile, POLCO as an artifactual contribution can be considered as a starting point for researchers to do studies in the ISP design area.

Place, publisher, year, edition, pages
Örebro: Örebro universitet, 2023. p. 149
Series
Örebro Studies in Informatics ; 21
Keywords
Information security management software, tailorable information security policy, policy component, design science, POLCO
National Category
Information Systems, Social aspects
Identifiers
urn:nbn:se:oru:diva-103050 (URN)9789175294896 (ISBN)
Public defence
2023-03-21, Örebro universitet, Forumhuset, Hörsal F, Fakultetsgatan 1, Örebro, 13:15 (English)
Opponent
Supervisors
Available from: 2023-01-12 Created: 2023-01-12 Last updated: 2023-03-16Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Rostami, ElhamKarlsson, FredrikGao, Shang

Search in DiVA

By author/editor
Rostami, ElhamKarlsson, FredrikGao, Shang
By organisation
Örebro University School of Business
In the same journal
Computers & security (Print)
Information Systems

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 212 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf