Abstract
Benchmarking information security policies faces two challenges: organizations are reluctant to share data about their information security, and no two organizations are identical. In this paper, we propose an artifact for a benchmarking method of information security policy that resolves both challenges. We employ design science methodology, activity theory and international standards to design the artifact as a proof of concept. The artifact facilitates the implementation of efficient information security policies, and organizations can use it to analyze and benchmark their information security policies. We illustrate the completeness and reliability of the artifact through a case study using the information security policies of six companies.
Notes
The reader should note that while modeling a complete BMISP is greatly beneficial for industry, it is beyond the scope of one academic study. Therefore, the theoretical discussion in Section 2 depicts a general model and uniform methodology. However, the implementation and proof-of-concept discussed in Sections 4 and 5 are limited to one type of system policy.
As opposed to the expected or optimal ISSPs described in the ISO standard and in many commercial and industry papers, here we use the actual ISSPs that each company had implemented at the time of the benchmarking modeling.
The paper employs the ISO 27K series for establishing measurements in the case study. The case study demonstrates an example of a BMISP as a research process by proposing its validity and rationality. The case study explains how the BMISP can be performed in industry analysis and academic research.
The leading high-tech companies in Korea implement strict policies for two main reasons. First, their strategic survival depends on innovation, so defending against corporate espionage is unavoidable. Second, these companies engage in the global market and thus follow international standards. Conversely, financial companies in Korea mostly engage in the local market and have limited incentives to implement policies beyond those required by the government.
PL has a one-off function that gives temporary authority in the use of ISMS to an employee. PL allows the employee to ask for an exception from the system, and then use these functions once.
Kang, M., Hovav, A. Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation. Inf Syst Front 22, 221–242 (2020). https://doi.org/10.1007/s10796-018-9855-6