A model for monitoring end-user security policy compliance

Alotaibi, Mutlaq

January 2017

Organisations increasingly perceive their employees as a great asset that needs to be cared for; however, at the same time, they view employees as one of the biggest potential threats to their cyber security. Organizations repeatedly suffer harm from employees who are not obeying or complying with their information security policies. Non-compliance behaviour of an employee, either unintentionally or intentionally, pose a real threat to an organization’s information security. As such, more thought is needed on how to encourage employees to be security compliant and more in line with a security policy of their organizations. Based on the above, this study has proposed a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users’ behaviour with an information security policy. The proposed approach is based on two main concepts: a taxonomy of the response strategy to non-compliance behaviour, and a compliance points system. The response taxonomy is comprised of two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour, and penalise noncompliant behaviour. A prototype system has been developed to simulates the proposed model in order to provide a clear image of its functionalities and how it is meant to work. Therefore, it was developed to work as a system that responds to the behaviour of users (whether violation or compliance behaviour) in relation to the information security policies of their organisations. After designing the proposed model and simulating it using the prototype system, it was significant to evaluate the model by interviewing different experts with different backgrounds from academic and industry sectors. Thus, the interviewed experts agreed that the identified research problem is a real problem that needs to be researched and solutions need to be devised. It also can be stated that the overall feedback of the interviewed experts about the proposed model was very encouraging and positive. The expert participants thought that the proposed model addresses the research gap, and offers a novel approach for managing the information security policies.

The COVID-19 pandemic impact on Information Security Policy compliance in regional healthcare. : An empirical study

Fält, Melker, Minierski, Bartlomiej

January 2022

Information Security (InfoSec) is a broad term used to describe the study of how to protect sensitive data from unauthorized access, modification, or deletion. InfoSec is commonly used within companies and organisations to facilitate the secure use of digital systems, taking its shape in the form of technical solutions as well as rules and guidelines defined in a so-called Information Security Policy (ISP). Subsequently, ISPs, which aim to mitigate the risks posed by the generally agreed upon weakest link, the human factor, is considered a crucial asset to maintaining security. The outbreak of the COVID-19 pandemic further solidifying its worth as an increase in attacks targeting humans, especially within the healthcare sector, can be seen. Research directed at ISPs is a much debated area which scientists from many different fields of study continuously lend their efforts. However, to the best of the authors' knowledge no recent studies can been seen that examines ISP Compliance (ISPC), with a focus on InfoSec awareness, from a Swedish regional healthcare employees’ perspective. Hence, this study seeks to provide an insight into this area, with the outbreak of the COVID-19 pandemic in mind. The research is based on a web-questionnaire survey created using information gained throughout several interviews with people working in the field of InfoSec. It seeks to examine healthcare employees' InfoSec awareness following the COVID-19 pandemic outbreak with regard  teleworking. It can be seen from the results that healthcare sector employees' were well aware of the InfoSec risks related to the changing work conditions following the outbreak of the COVID-19 pandemic.

Computer Science

Information Security Policy

Information Security Policy compliance

COVID-19 pandemic

Healthcare

Computer Sciences

Datavetenskap (datalogi)

Investigating the Impact of Self-Control and Deterrents on Noncompliant Information Security Behavior

Chuma, Ramadhan

01 January 2012

Employees' noncompliance with information security policy and rules is a serious impediment to the effectiveness of security programs in organizations. The extant information security studies have used General Deterrence Theory (GDT) to investigate noncompliant information security behavior, yet most of the findings have not been effective in practice due to a lack of strong theoretical underpinning. Neglecting criminal propensity of the potential perpetrator has been identified to be one of the theoretical weaknesses of GDT-based studies. Any attempt to explain noncompliant information security behavior in organizational context, demands a well grounded framework to explain why employees transgress information security policies and rules. The purpose of this study was to empirically investigate the link between self-control (criminal propensity), deterrence perceptions, and noncompliant information security behavior. Criminal propensity was operationalized using the three perspectives of self-control: personality trait, social bond, and self-generated inhibitions. This study then examined the influence of the three self-control variables on deterrence perceptions (certainty, severity, and celerity). Further, the study investigated the impact of deterrence perceptions on noncompliant information security behavior. Data collected from 421 employees in a Southern USA-based company was used to test the relationships between research model constructs using SPSS's Amos structural equation modeling software package. Results indicated that employees' perceptions on all three dimensions of deterrents were positively impacted by self-control based on self-generated inhibitions. The results also showed that only employees' perceptions on certainty of apprehension and celerity of punishment were positively impacted by social bond self-control. No significant relationships were established between deterrence perceptions and personality trait self-control. Further, employees' perceptions on certainty of apprehension and celerity of punishment were negatively associated with noncompliant information security behavior. The results also indicated that severity of punishment was not a significant predictor of noncompliant information security behavior. The uniqueness of this study provided evidence on the importance of incorporating criminal propensity in GDT-based studies. The current study also highlighted the importance of celerity of punishment dimension, which is highly neglected by GDT-based information security studies.

Compliance

Criminal Propensity

General Deterrence Theory

information security behavior

Information security policy

Self-control

Computer Sciences

New Perspectives on Implementing Health Information Technology

Sarkar, Sumantra

24 July 2014

The importance of studying challenges in implementing information technology solutions in health care organizations is highlighted by the huge investments in health care information technology (HIT) which has been spurred by recent government mandates. Information technology can help improve health care delivery cost by facilitating the standardization of work processes or routines and reducing variations among them. Set in a premier 950+ bed hospital in the south eastern part of US, this dissertation consists of two studies examining the challenges involved in implementing HIT solutions. In the first study, we seek to gain deep insights into how the process of creating a patient’s chart evolves over time in a health care institution. The second study focuses on the users of Electronic Health Records (EHR) system, investigating the compliance behavior of various providers with respect to patient records in the system. In the first study, through the lens of Activity theory our results show that the charting routine is implicated by the following environmental factors: (1) Tools, (2) Rules, (3) Community, and (4) Roles, and by individual factors: (5) Computer Self-Efficacy and (6) Risk Propensity. In the second study, our results indicate that there is a substantial effect of subculture of the different occupational groups on IT security compliance intent and behavior in a health care institution.

routines

process

activity theory

information security

information security policy

compliance behavior

policy violation

pseudo-compliance

Informationssäkerhetspolicy och Säkerhetsmedvetenhet : En undersökning av kommunala förvaltningars praktiska arbete med att uppnå informationsäkerhet

Malis, Johanna, Falck, Josette

January 2016

No description available.

Information

security

Information security policy

Security awareness

Informationssäkerhet

Informationssäkerhetspolicy

Säkerhetsmedvetenhet

Information Systems

Enhancing information security in organisations in Qatar

Al-Hamar, Aisha

January 2018

Due to the universal use of technology and its pervasive connection to the world, organisations have become more exposed to frequent and various threats. Therefore, organisations today are giving more attention to information security as it has become a vital and challenging issue. Many researchers have noted that the significance of information security, particularly information security policies and awareness, is growing due to increasing use of IT and computerization. In the last 15 years, the State of Qatar has witnessed remarkable growth and development of its civilization, having embraced information technology as a base for innovation and success. The country has undergone tremendous improvements in the health care, education and transport sectors. Information technology plays a strategic role in building the country's knowledge-based economy. Due to Qatar s increasing use of the internet and connection to the global environment, it needs to adequately address the global threats arising online. As a result, the scope of this research is to investigate information security in Qatar and in particular the National Information Assurance (NIA) policy. There are many solutions for information security some technical and some non-technical such as policies and making users aware of the dangers. This research focusses on enhancing information security through non-technical solutions. The aim of this research is to improve Qatari organisations information security processes by developing a comprehensive Information Security Management framework that is applicable for implementation of the NIA policy, taking into account Qatar's culture and environment. To achieve the aim of this research, different research methodologies, strategies and data collection methods will be used, such as a literature review, surveys, interviews and case studies. The main findings of this research are that there is insufficient information security awareness in organisations in Qatar and a lack of a security culture, and that the current NIA policy has many barriers that need to be addressed. The barriers include a lack of information security awareness, a lack of dedicated information security staff, and a lack of a security culture. These barriers are addressed by the proposed information security management framework, which is based on four strategic goals: empowering Qataris in the field of information security, enhancing information security awareness and culture, activating the Qatar National Information Assurance policy in real life, and enabling Qatar to become a regional leader in information security. The research also provides an information security awareness programme for employees and university students. At the time of writing this thesis, there are already indications that the research will have a positive impact on information security in Qatar. A significant example is that the information security awareness programme for employees has been approved for implementation at the Ministry of Administrative Development Labour and Social Affairs (ADLSA) in Qatar. In addition, the recommendations proposed have been communicated to the responsible organisations in Qatar, and the author has been informed that each organisation has decided to act upon the recommendations made.

O IMPACTO DA UTILIZAÇÃO DE TÉCNICAS DE ENDOMARKETING NA EFETIVIDADE DAS POLÍTICAS DE SEGURANÇA DA INFORMAÇÃO / THE IMPACT OF THE INTERNAL MARKETING ON INFORMATION SECURITY POLICY EFECTIVENESS

Ellwanger, Cristiane

12 June 2009

Protecting the information resources has been a big challenge to organizations. The constitution of an information security policy PSI can solve part of problems related to security but it can t solve them completely, because of the human resources, present in the internal environment of organizations, they can seriously compromise the effectiveness of an PSI. Since the endomarketing (internal marketing) is an instrument that can contribute to obtain or even to rescue the users commitment with the PSI, this present dissertation shows impact of endomarketing techniques in the policy effectiveness using the experimental research. Performed in the Intensive Cardiology Unit (UCI) and Intensive Care Adult (UTI) at Santa Maria University Hospital (HUSM), the experiment was constituted in an experimentation group (UCI), under the endomarketing directed different techniques and a control group (UTI) which it served as a basis to observation. In order to find the effectiveness of PSI on the referred units it was performed internal audits where the procedures, defined by the PSI were classified under the percentage way following the criteria: Non-Run Procedures (PNEs), Partially Implemented Procedures (PPEs) and Fully Implemented Procedures (PTEs).The experiment results show that both the control group as the experimentation group after the initial application of endomarketing techniques joined to implanted PSI on the respective units. However, after discontinuing the application of these techniques on the control group, it was observed a gradual decrease of percentages of PTEs by the components of this group that it decreased from 14,6% to 4,1% which it shows a decrease of 71,92% in the support to PSI in this group, if considered the PTEs. Already the continuous application of endomarketing techniques in the experimentation group did with that the procedures described in PSI were always presents in the users' mind, what generated a gradual increase in the percentage of PTEs. The percentage increased from 8,3% to 41,7% what reflects an improvement of 402,4% in the support to PSI in this group, if considered to PTEs. If considered the PNEs procedures, the continued application of endomarketing techniques in the experimentation group enabled a decrease of 88% against a increase of 12,6% in the control group and a high concentration of percentages on the partially or totally run procedures that added they reach 93,7% in the final evaluation. It is concluded then that the continuous application of endomarketing techniques improves the PSI effectiveness. / Proteger os recursos de informação tem sido um grande desafio às organizações. O estabelecimento de uma Política de Segurança da Informação (PSI) pode resolver parte dos problemas relacionados à segurança, mas não pode resolvê-los integralmente, pois os recursos humanos, presentes no ambiente interno das organizações, podem comprometer seriamente a efetividade de uma PSI. O endomarketig (marketing interno) é um instrumento que pode contribuir para se obter ou até mesmo resgatar o comprometimento dos usuários para com a PSI. A presente dissertação investiga o impacto da utilização de técnicas de endomarketing na efetividade da PSI, utilizando-se para tanto da pesquisa experimental. Realizado junto às Unidades de Cardiologia Intensiva (UCI) e Terapia Intensiva-Adulto (UTI) do Hospital Universitário de Santa Maria HUSM, o experimento foi constituído de um grupo de experimentação (UCI), sob o qual foram aplicadas diferentes técnicas de endomarketing e um grupo de controle (UTI), o qual recebeu apenas um nivelamento inicial. Para constatar a efetividade da PSI foram realizadas auditorias internas, nas quais os procedimentos definidos na PSI foram testados e classificados como: Procedimentos Não-Executados (PNEs); Procedimentos Parcialmente Executados (PPEs) e Procedimentos Totalmente Executados (PTEs). Os resultados do experimento demonstram que tanto o grupo de controle (UTI) quanto o grupo de experimentação (UCI) aderiram à PSI após a aplicação inicial de técnicas de endomarketing (nivelamento). Entretanto, após descontinuar a aplicação dessas técnicas no grupo de controle, observou-se uma diminuição gradativa dos percentuais de PTE pelos componentes deste grupo, que caiu de 14,6% para 4,1%, o que demonstra uma queda de 71,92% na adesão à PSI neste grupo, se considerado os PTE. Já a aplicação continuada de técnicas de endomarketing no grupo de experimentação fez com que os procedimentos descritos na PSI estivessem sempre presentes na mente dos usuários, o que gerou um aumento gradativo nos percentuais de PTEs. O percentual subiu de 8,3% para 41,7%, o que reflete uma melhora de 402,4% na adesão à PSI neste grupo, se considerado os PTEs. Se considerado os procedimentos PNEs, a aplicação contínuada de técnicas de endomarketing no grupo de experimentação possibilitou uma redução de 88%, contra um aumento de 12,6% no grupo de controle, e uma alta concentração de percentuais nos procedimentos parcialmente ou totalmente executados, que somados chegam a 93,7% na avaliação final. Conclui-se então que a aplicação contínua de técnicas de endomarketing melhora a efetividade da PSI.

Política de segurança da informação

Endomarketing

Recursos humanos

Segurança

Information security policy

Endomarketing

Human resources

Security

Employees' Role in Improving Information Systems Security

Aliti, Admirim, Akkaya, Deniz

January 2011

Information security is one of the most essential concerns in today’s organizations. IT departments in larger organizations are tasked to implement security, by both ensuring to have pertinent hardware and software, and likewise enlighten, teach and educate organization’s employees about security issues. The aim of this research is to focus on the human factor of the organization, which impacts the security of the information, since technological solutions of technical problems become incomprehensible without human recognition about security. If the security is not addressed in firms, this might lead to essential data of the organization to be compromised. This study explores ways to enhance information security and improve the human factor by integrating the crucial information security elements in organizations. Social constructivist worldview is adopted throughout the study, and an inductive based - qualitative approach, a single case study design and hermeneutical analysis for analyzing the observations and interviews are utilized. The research setting for this study is Växjö Municipality in Sweden. The empirical investigation suggests that human factor plays an essential role in maintaining information security, and organizations can improve employees’ role by keeping their security policies up to date and find the best ways to disseminate that information. As a result, this research comes up with “information security human management model” for organizations.

Information security

information security policy

human factor in organizations

employees' role

Information Systems

Why do employees violate is security policies?:insights from multiple theoretical perspectives

Vance, A. (Anthony)

12 October 2010

Abstract Employee violations of IS security policies is recognized as a key concern for organizations. Although interest in IS security has risen in recent years, little empirical research has examined this problem. To address this research gap, this dissertation identifies deliberate IS security policy violations as a phenomenon unique from other forms of computer abuse. To better understand this phenomenon, three guidelines for researching deliberate IS security violations are proposed. An analysis of previous behavioral IS security literature shows that no existing study meets more than one of these guidelines. Using these guidelines as a basis, this dissertation examines IS security policy violations using three theoretical models drawn from the following perspectives: neutralization theory, rational choice theory, and protection motivation theory. Three field studies involving surveys of 1,423 professional respondents belonging to 7 organizations across 47 countries were performed for empirical testing of the models. The findings of these studies identify several factors that strongly predict intentions to violate IS security policies. These results significantly increase our understanding of why employees choose to violate IS security policies and provide empirically-grounded implications for how practitioners can improve employee IS security policy compliance.

computer abuse

deterrence theory

information security

information security policy

neutralization theory

protection motivation theory

rational choice theory

Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements

Curran, Theresa

01 January 2018

Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations proactively prevent these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content. This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in literature, but the amount of organizationally-relevant content has not been examined in balance of newer compliance mandates.The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third party program requirements than was originally expected. Negative and positive impacts of third party compliance requirements were identified. Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.

cybersecurity program

information security awareness

information security policy

organizational relevance

security compliance requirements

security risk management

Computer Sciences