Computers & Security

Volume 61, August 2016, Pages 169-183

Information security policy development and implementation: The what, how and who

https://doi.org/10.1016/j.cose.2016.06.002

Abstract

The development of an information security policy involves more than mere policy formulation and implementation. Unless organisations explicitly recognise the various steps required in the development of a security policy, they run the risk of developing a policy that is poorly thought out, incomplete, redundant and irrelevant, and which will not be fully supported by the users. This paper argues that an information security policy has an entire life cycle through which it must pass during its useful lifetime. A formal content analysis of information security policy development methods was conducted using secondary sources. Based on the results of the content analysis, a conceptual framework was subsequently developed. The proposed framework outlines the various constructs required in the development and implementation of an effective information security policy. In the course of this study, a survey of 310 security professionals was conducted in order to validate and refine the concepts contained in the key component of the framework: the ISPDLC.

Introduction

Organisations today are more dependent than ever on Information Technology (IT) as IT supports their day-to-day transactions as well as numerous other critical business functions. According to Doughty and Grieco (2005), “IT should be seen as a way for increasing the accessibility, speed and comprehensiveness of information that supports the decision-making processes within the organisation”. However, the dependency on IT has unfortunately resulted in an increase in potential threats to organisations' information assets.

A 2014 cybercrime survey in the United States of America found that more damage was caused by insider attacks than by outsider attacks, with insider involvement comprising the highest percentage of damage in the following incidents: private or sensitive information unintentionally exposed (82%); confidential records compromised or stolen (76%); customer records compromised or stolen (71%); and employee records compromised or stolen (63%) (CERT Insider Threat Center, 2014 ). Based on the findings of this survey, it is evident that organisations must have security controls in place to ensure the confidentiality, integrity and availability of their information.

This paper posits that one important mechanism for protecting organisations' information assets is the formulation and implementation of an effective information security policy. The main contribution made by this paper is the proposal of a key component of the framework, termed the “Information Security Policy Development Life Cycle” (ISPDLC, Fig. 2). The framework indicates the various constructs that information security practitioners need to consider in the development and implementation of an effective information security policy.

The remainder of this paper is structured as follows: The background to an information security policy is discussed in Section 2, Section 3 describes the research methodology, and Section 4 covers the constructs of the proposed component (ISPDLC). The relationship between the constructs of the ISPDLC is highlighted in Section 5, while Section 6 highlights the stakeholders that are involved in the development and implementation of the information security policy. Finally, Sections 7 and 8 discuss the findings and offer a conclusion.


Information security policy

The literature contains many definitions for an information security policy. Chen and Li (2014) state that an information security policy is used by management to differentiate between employee behaviours that are either permitted or prohibited, as well as the consequent sanctions if the forbidden behaviours take place. On the other hand, ISO/IEC 27002 (2013) states that the objective of an information security policy is to provide management with direction and support in accordance with

Research methodology

This study used a mixed method approach, combining both qualitative and quantitative methods during the data collection and data analysis processes. Firstly, the study adopted a qualitative approach during the formal content analysis of existing theories on and methods for developing an information security policy. The interpretation of the results of the content analysis subsequently resulted in the development of a conceptual framework. Secondly, quantitative data was collected using a survey

Framework codes: the WHAT

The ten framework codes are based on the integration of the existing information security policy development and implementation methods and models found in the current literature, plus the input of the surveyed security professionals. The findings revealed different codes that organisations should consider when developing and implementing an effective information security policy. Fig. 1 depicts the final ten codes of the proposed framework.

By reflecting on the different codes depicted in Fig. 1

The relationship between the ISPDLC constructs: the HOW

The results of the content analysis revealed a high frequency of occurrence of Management Support and Employee Support. Accordingly, it was assumed that Management Support and Employee Support must be present in every process involved in developing and implementing an information security policy. Inferential statistical tests were therefore conducted to ascertain whether there is a relationship between Management Support and the Information Security Policy Development Life Cycle

Information security policy stakeholders: the WHO

In order for an information security policy to survive and attain its objectives, management, employees and stakeholders need to support the entire process involved in developing and implementing it. The development of an effective security policy requires a combination of skills which emanate from the experiences of the different stakeholders (Diver, 2007). Respondents in the survey suggested various stakeholders that should be involved in the process of developing and implementing the policy.

Conclusion

The main objective of the research on which this paper is based was to provide a framework (including the ISPDLC) that would ensure a comprehensive, structured methodology for developing and implementing an effective information security policy.

A formal content analysis of current information security policy development methods was conducted using secondary sources to obtain a deep understanding of the processes. The content analysis revealed various codes that are considered to be the main

Discussion and limitations

The first limitation of this paper is related to the demographics of the respondents in the survey. The respondents of the survey were from the United States of America and the United Kingdom only, which may constitute a limitation with regard to the generalisability of the study findings, as these two countries are developed countries with advanced technology. It is therefore important that the proposed framework should provide guidelines that underdeveloped countries could follow in order to

Stephen V. Flowerday

Department of Information Systems, University of Fort Hare, East London, South Africa

Stephen holds a doctoral degree in Information Technology from the Nelson Mandela Metropolitan University. He is presently a professor focusing on Information Security at the University of Fort Hare. Stephen has supervised postgraduate students and published extensively within his research field.

References (45)

  • I. Ajzen. The theory of planned behaviour. Special Issue: theories of cognitive self-regulation. Organ Behav Hum Decis Process (1991)
  • M. Karyda et al. Information systems security policies: a contextual perspective. Comput Secur (2005)
  • A. Abdel-Aziz. How to review and assess information security policy: the six-step process
  • M. Al-Awadi et al. Success factors in information security implementation in organisations. Proc IADIS Int Conf e-Society (2007)
  • V. Anand. Security policy management process within a six sigma framework. J Inf Secur (2012)
  • F. Avolio et al. Producing your network security policy (2007)
  • J. Bayuk. How to write an information security policy
  • A. Blumstein et al. Deterrence and incapacitation: estimating the effects of criminal sanctions on crime rates (1978)
  • M. Borrego et al. Quantitative, qualitative, and mixed research methods in engineering education. J Eng Educ (2009)
  • B. Bulgurcu et al. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q (2010)
  • Business Dictionary. Definition of binding agreement
  • CERT Insider Threat Center. U.S. State of Cybercrime Survey (2014)
  • H. Chen et al. Understanding organisation employee's information security omission behaviour: an integrated model of social norm and deterrence (2014)
  • M. Corpuz et al. Integrating information security policy management with corporate risk management for strategic alignment
  • C. Dewberry. Statistical methods for organizational research: theory and practice (2004)
  • S. Diver. Information security policy: a development guide for large and small companies
  • K. Doughty et al. IT governance: pass or fail? Inf Syst Audit Control Assoc (2005)
  • J. Douglas. Risk appetite and tolerance
  • D. Gefen et al. Structural equation modelling and regression: guidelines for research practice. Commun AIS (2000)
  • M. Griffins. How to write a policy manual
  • J. Hair et al. Multivariate data analysis (1998)
  • K. Hong et al. An empirical study of information security policy on information security elevation in Taiwan. Inf Manag Comput Secur (2006)
Tite Tuyikeze

School of ICT, Sol Plaatje University, Kimberley, South Africa

Tite holds a DPhil in Information Systems from the University of Fort Hare. His primary research area focuses on the maturity assessment of information security policy. He has previously published research papers in this research area. Tite works as a senior lecturer at Sol Plaatje University.