Addressing ambiguity within information security policies in higher education to improve compliance

Buthelezi, Mokateko Portia

06 1900

nformation security (InfoSec) policies are widely used by institutions as a form of InfoSec control measure to protect their information assets. InfoSec policies are commonly documented in natural language, which is prone to ambiguity and misinterpretation, thereby making it hard, if not impossible, for users to comply with. These misinterpretations may lead the students or staff members to wrongfully execute the required actions, thereby making institutions vulnerable to InfoSec attacks. According to the literature review conducted in this work, InfoSec policy documents are often not followed or complied with; and the key issues facing InfoSec policy compliance include the lack of management support for InfoSec, organisational cultures of non-compliance, intentional and unintentional policy violation by employees (the insider threat), lack of policy awareness and training as well as the policy being unclear or ambiguous. This study is set in the higher education context and explores the extent to which the non-compliance problem is embedded within the policy documents themselves being affected by ambiguity. A qualitative method with a case study research strategy was followed in the research, in the form of an inductive approach with a cross-sectional time horizon, whereby a selection case of relevant institutional InfoSec policies were analysed. The data was collected in the form of academic literature and InfoSec policies of higher education institutions to derive themes for data analysis. A qualitative content analysis was performed on the policies, which identified ambiguity problems in the data. The findings indicated the presence of ambiguity within the policy documents, making it possible to misinterpret some of the policy statements. Formal methods were explored as a possible solution to the policy ambiguity. A framework was then proposed to address ambiguity and improve on the clarity of the semantics of policy statements. The framework can be used by policy writers in paying attention to the presence of ambiguity in their policies and address these when drafting or revising their policy documents. / School of Computing / M. Sc.(Computing)

Formal methods

Policy ambiguity

Usable security

Policy clarity

Policy human aspects

Security policy compliance

Information policy

Information society

Universities and colleges

Addressing ambiguity within information security policies in higher education to improve compliance

Buthelezi, Mokateko Portia

06 1900

Information security (InfoSec) policies are widely used by institutions as a form of InfoSec control measure to protect their information assets. InfoSec policies are commonly documented in natural language, which is prone to ambiguity and misinterpretation, thereby making it hard, if not impossible, for users to comply with. These misinterpretations may lead the students or staff members to wrongfully execute the required actions, thereby making institutions vulnerable to InfoSec attacks. According to the literature review conducted in this work, InfoSec policy documents are often not followed or complied with; and the key issues facing InfoSec policy compliance include the lack of management support for InfoSec, organisational cultures of non-compliance, intentional and unintentional policy violation by employees (the insider threat), lack of policy awareness and training as well as the policy being unclear or ambiguous. This study is set in the higher education context and explores the extent to which the non-compliance problem is embedded within the policy documents themselves being affected by ambiguity. A qualitative method with a case study research strategy was followed in the research, in the form of an inductive approach with a cross-sectional time horizon, whereby a selection case of relevant institutional InfoSec policies were analysed. The data was collected in the form of academic literature and InfoSec policies of higher education institutions to derive themes for data analysis. A qualitative content analysis was performed on the policies, which identified ambiguity problems in the data. The findings indicated the presence of ambiguity within the policy documents, making it possible to misinterpret some of the policy statements. Formal methods were explored as a possible solution to the policy ambiguity. A framework was then proposed to address ambiguity and improve on the clarity of the semantics of policy statements. The framework can be used by policy writers in paying attention to the presence of ambiguity in their policies and address these when drafting or revising their policy documents. / School of Computing

Formal methods

Policy ambiguity

Usable security

Policy clarity

Policy human aspects

Security policy compliance

507.12

Information policy

Compliance

Ambiguity

Science -- Study and teaching (Higher)

Assessing Administrative and Political Factors in Implementing a Living Wage Ordinance

Carrasco, Teodoro Enrique

13 March 2008

Since 2000, the number of living wage ordinances has steadily increased throughout the country. While most of the current research has focused on the beneficial outcomes of living wages, little has been published on their administrative practices. To address this shortcoming, this study focused on the identification of key administrative and political factors involved impacting the implementation of living wage ordinances in Miami-Dade and Broward Counties. The study utilized a triangulation of interviews, surveys, and direct observation. The author conducted interviews of administrators and members of the living wage oversight boards in both counties and observed the monthly meetings held by each county’s oversight board from January 2006 to June 2007. These findings were buttressed with a national survey of senior staff in other living wage communities. The study utilized descriptive statistics, Chi Square, Cronbach’s Alpha, and Spearman’s Rank Correlation Coefficient (Spearman’s rho). Interviews indicated that administrators in Dade and Broward are seriously under-staffed and budgeted. Ambiguities in the enabling ordinances have lead to loopholes that undermine implementation and accountability for participating contractors. Survey results showed that policy ambiguity, organizational politics, and a lack of organizational capacity were significant negative factors in the implementation process while an organizational culture emphasizing consistent enforcement was a positive factor. Without the proper inputs, an organization hinders itself from meeting its outputs and outcomes. This study finds that Broward and Miami-Dade Counties do not provide the necessary administrative support to implement a living wage effectively – in stark contrast to the high hopes and strong political support behind their passage. For a living wage to succeed, it first needs an organizational culture committed to providing the necessary resources for implementation as well as transparent, consistent accountability mechanisms.

public administration

policy conflict

stakeholders

living wage

organizational culture

organizational politics

policy ambiguity

organizational capacity