Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis.
Neil F. DOHERTY and Heather FULFORD - The Business School, Loughborough University, UK
Abstract: Information is a critical corporate asset, which has become increasingly vulnerable to
attacks from viruses, hackers, criminals and human error. Consequently, organizations are having to
prioritise the security of their computer systems, to ensure that their information assets retain their
accuracy, confidentiality and availability. Whilst the importance of the information security policy
(InSPy) in ensuring the security of information is widely acknowledged, there has, to date, been little
empirical analysis of its impact or effectiveness in this role. To help fill this gap an exploratory study
was initiated that sought to investigate the relationship between the uptake and application of
information security policies and the accompanying levels of security breaches. To this end a
questionnaire was designed, validated and then targeted at IT managers within large organizations in
the United Kingdom. The findings, presented in this paper, are somewhat surprising, as they show no
statistically significant relationships between the adoption of information security policies and the
incidence or severity of security breaches. The paper concludes by exploring the possible
interpretations of this unexpected finding, and its implications for the practice of information security
management.
Key words: Information security policy; security breaches; policy scope; policy uptake; large
organizations.
INTRODUCTION
It has been claimed that 'information is the firm’s primary strategic asset' [Glazer, 1993], as it is the
critical element in strategic planning and decision-making, as well as day to day operational control.
Consequently, organizations must make every effort to ensure that their information resources retain
their accuracy, integrity and availability. However, ensuring the security of corporate information
assets has become an extremely complex, and challenging activity due to the growing value of
information resources and the increased levels of interconnectivity between information systems, both
within and between organizations [Garg et al, 2003]. Indeed, the high incidence of security breaches
suggests that many organizations are failing to manage their information resources effectively [Straub
& Welke, 1998]. One increasingly important mechanism for protecting corporate information, and in so
doing reducing the occurrence of security breaches, is through the formulation and application of a
formal information security policy (InSPy) [Hinde, 2002; von Solms & von Solms]. Gaston [1996; p
175] defines an InSPy as: 'broad guiding statements of goals to be achieved; significantly, they define
and assign the responsibilities that various departments and individuals have in achieving policy
goals'.
The role and importance of information security policies and the incidence and severity of security
breaches are both topics that have attracted significant attention in the literature, but there is little
evidence that these topics have been explicitly linked. Consequently, there has been little empirical
exploration of the extent to which information security policies are effective, in terms of reducing
security breaches. The aim of this paper is to help fill this gap by reporting upon the results of a study
that sought to empirically explore the relationship between the uptake and application of information
security policies and the incidence of security breaches. The remainder of this paper is organized into
the following five sections: a review of the literature and a description of the conceptual framework; a
discussion of the research methods employed; a presentation of the findings; a discussion of their
importance and finally the conclusions and recommendations for future research.
LITERATURE REVIEW AND CONCEPTUAL FRAMEWORK
This section aims to present a discussion of the literature with regard to the role and importance of the
InSPy and the common security threats, which such policies are intended to prevent. The section
concludes with a critique of this literature, and the presentation of the conceptual framework for our
study.
The Role of the Information Security Policy
The broad aim of the information security policy is to provide the ‘ideal operating environment’ for the
management of information security [Barnard & von Solms, 1998], by defining: 'the broad boundaries
of information security’ as well as the ‘responsibilities of information resource users’ [Hone & Eloff,
2002b: 145]. More specifically a good security policy should: ‘outline individual responsibilities, define
authorized and unauthorized uses of the systems, provide venues for employee reporting of identified
or suspected threats to the system, define penalties for violations, and provide a mechanism for
updating the policy’ [Whitman, 2004: 52].
The InSPy also has an important role to play in emphasizing management’s commitment to, and
support for, information security [Gaston, 1996; Hone & Eloff, 2002b; Kwok & Longley, 1999]. Whilst
the InSPy provides the framework for facilitating the prevention, detection and response to security
breaches, the policy document is typically supported by standards that tend to have a more technical
or operational focus [Dhillon, 1997].
In recent years, a consensus has emerged - both within the academic and practitioner communities -
that the security of corporate information resources is predicated upon the formulation and application
of an appropriate information security policy [e.g. Rees et al, 2003]. As Hinde [2002: p. 315] puts it, the
information security policy is now the: 'sine qua non [indispensable condition] of effective security
management'. In a similar vein, von Solms and von Solms [2004; p. 374] note that the information
security policy is the ‘heart and basis’ of successful security management. However, whilst an InSPy
may play an important role in effective information security management, there is growing recognition
that the policy is unlikely to be a successful security tool unless organizations adhere to a number of
important prescriptions in their policy implementation [e.g. Hone & Eloff, 2002b]. The following are
probably the most commonly cited examples of best practice guidelines:
1. The policy must be widely and strongly disseminated throughout the organization [ISO, 2000; Hone & Eloff, 2002a; Hone & Eloff, 2002b; Sipponen, 2000];
2. The policy must be frequently reviewed and revised [Higgins, 1999; Hone & Eloff, 2002a; Hong et al, 2003].
It has also been suggested that policies must be: tailored to the culture of the organization [Hone &
Eloff, 2002b; ISO, 2000]; well aligned with corporate objectives [ISO, 2000; Rees et al, 2003] and
rigorously enforced [David, 2002]. Whilst the literature with respect to the facilitators of effective
information security policy utilization is undoubtedly growing, no previous studies could be found that
sought to empirically explore the importance of different success factors. Indeed, there is a very
significant gap in the literature with respect to empirical studies of the role that the InSPy has to play in
the prevention of common security threats [e.g. Loch et al, 1992; Mitchell et al, 1999; Rees et al, 2003;
Whitman, 2004], such as those summarized in the following section.
Threats to the Security of Information Assets
Information resources can only retain their integrity, confidentiality and availability if they can be
protected from the growing range of threats that is arrayed against them [Dhillon & Backhouse, 1996;
Garg et al, 2003]. Security threats – which have been defined as ‘circumstances that have the
potential to cause loss or harm’ [Pfleeger, 1997; p.3] - come both from within and from outside the
organization [Hinde, 2002]. For example, common internal threats include 'mistakes by employees'
[Mitchell et al, 1999] and some categories of computer-based fraud [Dhillon, 1999], whilst attacks by
hackers [Austin & Darby, 2003] and viruses [de Champeaux, 2002] are the most commonly cited types
of external threat. The increasing vulnerability of computer-based information systems is underlined by
the growing cost of security breaches [Austin & Darby, 2003]. For example, Garg et al [2003] estimate
the cost of significant security breaches, such as ‘denial of service attacks’ to be in the range ‘$17-28
million’. Given the growing cost of security breaches, many surveys have been undertaken that have
sought to quantify the range and significance of threats that face computer-based information
systems. A review of these surveys [e.g. Loch et al, 1992; Mitchell et al, 1999; Whitman, 2004]
suggests that the breaches presented in table 1 are probably the most common and the most
significant threats. Whilst the threats to the security of information systems are both well documented
and well understood, there is a continuing worry that such issues are not high on the organizational
agenda. As Straub & Welke [1998: 441] note: ‘information security continues to be ignored by top
managers, middle managers, and employees alike. The result of this unfortunate neglect is that
organizational systems are far less secure than they might otherwise be and that security breaches
are far more frequent and damaging than is necessary’. There is, therefore, a pressing need for more
research that can highlight any strategies or approaches that might reduce the incidence and severity
of security breaches.
Table 1: Common Types of Security Breaches
Computer Virus: Computer programs that have the capability to automatically replicate themselves across systems and networks.
Hacking Incidents: The penetration of organizational computer systems by unauthorized outsiders, who are then free to manipulate data.
Unauthorised Access: The deliberate abuse of systems, and the data contained therein, by authorized users of those systems.
Theft of Resources: The theft of increasingly valuable hardware, software and information assets.
Computer-based Fraud: Information systems, especially financial systems, are vulnerable to individuals who seek to defraud an organization.
Human Error: The accidental destruction, or incorrect entry, of data by computer users.
Natural Disasters: Damage to computing facilities or data resources, caused by phenomena such as earthquakes, floods or fires.
Damage by Employee: Disgruntled employees may seek revenge by damaging their employer's computer systems.
Conceptual Framework and Research Hypotheses
The summary of the literature suggests that there are growing literatures both with regard to the role of
the information security policy and the nature and incidence of security breaches. Moreover, there is a
general acceptance that the information security policy is an important, if not the most important,
means of preventing such breaches [e.g. Loch et al, 1992; Mitchell et al,1999; Whitman, 2004]. It is
perhaps surprising that, to date, there has been little conceptual or empirical scrutiny to determine
whether the incidence and severity of security breaches can be reduced through the adoption of an
information security policy. The aim of the remainder of this section is to describe the study designed
to fill this gap, before articulating the specific research hypotheses and presenting the research
framework. It should be noted that a full discussion of the design of the questionnaire, and the
operationalisation of the constructs discussed in this section, is deferred to the following section.
Given the lack of empirical research in the area it was felt that an exploratory piece of work that
embraced a wide range of issues would be most appropriate. To this end the aim of the study was to
explore how a variety of issues relating to the uptake and application of information security policies
impacted upon the incidence of security breaches within large organizations. Based upon our review
of the literature, it is possible to hypothesize that a number of distinct aspects of the InSPy might
influence the incidence of security breaches. Each of these areas is represented as a significant
construct on the conceptual framework [see figure 1], and each can be linked to a research
hypothesis, as described below:
The existence of an InSPy: The review of literature highlighted the strength of the consensus with
regard to the importance of information security policy in countering security breaches [e.g. Loch et al,
1992; Mitchell et al,1999; Whitman, 2004]. It is, therefore, reasonable to propose the following
hypothesis:
H1: Those organizations that have a documented InSPy are likely to have fewer security
breaches, in terms of both frequency and severity, than those organizations that do not.
The age of the InSPy: The literature has relatively little to say about the longevity of information
security policies. However, the following hypothesis articulates the assumption that organizations with
a long history of utilising such policies might be more experienced, and therefore effective in security
management:
H2: Those organizations that have had an InSPy in place for many years are likely to have
fewer security breaches, in terms of both frequency and severity, than those organizations that
have not.
The updating of the InSPy: There is a growing – yet empirically un-tested – view within the literature
[e.g. Higgins, 1999; Hone & Eloff, 2002a; Wood, 1995] that the InSPy should be updated regularly.
Consequently, the following hypothesis can be proposed:
H3: Those organizations that update their InSPy frequently are likely to have fewer security
breaches, in terms of both frequency and severity, than those organizations that do not.
The scope of the InSPy: It has been suggested that the scope of an InSPy might vary greatly,
depending upon which national or international information security standard has been adopted [Hone
& Eloff, 2002b]. What is less clear is how the scope of a policy might affect its successful deployment.
However, it seems reasonable to propose the following relationship between the scope of the InSPy
and the effectiveness of an organization's security management:
H4: Those organizations that have a policy with a broad scope are likely to have fewer security
breaches, in terms of both frequency and severity, than those organizations that do not.
The adoption of best practice: The International Standard [ISO, 2000] has some very clear advice
about the factors that are important in ensuring the successful application of an InSPy, most of which
have not been explicitly covered by the previous hypotheses. The corollary of this, as presented in the
following hypothesis, is that the adoption of these success factors should lead to a reduction in
security breaches:
H5: Those organizations that have adopted a wide variety of best practice factors are likely to
have fewer security breaches, in terms of both frequency and severity, than those organizations
that have not.
It should be noted that the original intention was to explore whether the active dissemination of an
information security policy affected the incidence or severity of security breaches [e.g. ISO, 2000;
Hone & Eloff, 2002a; Hone & Eloff, 2002b]. However, as 99% of our sample reported that they actively
disseminated their policies, it was not possible to test this hypothesis. Whilst the hypotheses have
been formulated to represent the outcomes that the researchers believed to be the most likely, it was
recognised that in some cases alternative, yet equally plausible, results might be produced. For
example, it might be that the existence of an InSPy is associated with a high incidence of security
breaches, in circumstances in which the policy has been implemented in direct response to a poor
security record. The possibility of alternative hypotheses is further considered in section 5.
Figure 1: Conceptual Framework [diagram: the constructs 'Information Security Policy in place' (H1), 'Policy age' (H2), 'Policy updating' (H3), 'Policy scope' (H4) and 'Adoption of best practice' (H5), each linked to 'Incidence and Severity of Security Breaches']
The urgent need for more research and new insights in the information security domain was recently
highlighted by Dhillon [2004: 4], who noted: 'information security problems have been growing at an
exponential rate'. In a similar vein, Kotulic & Clark [2004: 605] argue that: 'the organizational level
information security domain is relatively new and under researched. In spite of this, it may prove to be
one of the most critical areas of research, necessary for supporting the viability of the firm'. It was
therefore envisaged that our study might provide some important new insights, at the organizational
level, as to how the incidence and severity of security breaches might be controlled.
RESEARCH DESIGN
To successfully explore the five research hypotheses described in the previous section, it was
necessary to employ survey methods, so that the resultant data could be subjected to a rigorous
statistical analysis. The aim of this section is to review how the questionnaire was designed, validated
and ultimately executed, and then to describe the characteristics of the sample.
Questionnaire Development, Validation and Targeting
A detailed questionnaire was used to collect the data necessary to explore the research hypotheses
proposed in the previous section. The questionnaire was organized into the following four sections:
Security Breaches: Respondents were asked to report on the incidence and severity of each
of the eight most common types of security breach [see table 1], that their organizations had
experienced over the previous 2 years. The incidence variable was operationalized as a four
point ordinal scale [0; 1-5; 6-10; >10], whilst the severity of breaches was measured using a
five-point Likert scale.
The existence and updating of the information security policy: This section sought to
determine whether a responding organization had a documented InSPy, and if it did, how old
it was, and how often it was updated.
The scope of the information security policy: This section of the questionnaire was
designed to evaluate the coverage of the information security policy. The respondent was
presented with a list of eleven distinct issues, such as 'disclosure of information', 'Internet
access' and 'viruses, worms & trojans', that an information security policy might reasonably be
expected to cover. These items have all been explicitly derived from the International
Standard [ISO, 2000], or from a white paper published by the SANS Institute [Canavan,
2003]. For each of these issues, the respondent was invited to indicate whether the issue was
covered in 'the policy document only', through 'the policy document and a supplementary
procedure', or 'not explicitly covered' through the InSPy.
Best practice in information security policy adoption: The International Standard on
information security management [ISO, 2000] suggests that there are ten distinct factors that
might influence the success of an information security policy, such as 'visible commitment
from management' and 'a good understanding of security requirements'. For each of these
factors, the respondent was asked to indicate the extent to which his / her organization was
successful in adopting that factor, using a five-point Likert scale.
As there are few previous survey-based, empirical studies that explicitly address the application of
information security policies, it was not possible to adapt specific questions and item measures from
the existing literature. Consequently, once a draft questionnaire had been created, it was necessary to
subject it to a rigorous validation process. More specifically, the draft questionnaire was initially
validated through a series of pre-tests, first with four experienced IS researchers, and then, after some
modifications, it was re-tested with five senior IT professionals, all of whom had some responsibility for
information security. The pre-testers were asked to critically appraise the questionnaire, focusing
primarily on issues of instrument content, clarity, question wording and validity, before providing
detailed feedback, via interviews. The pre-tests were very useful, as they resulted in a number of
enhancements being made to the structure of the survey and the wording of specific questions.
Having refined the questionnaire, a pilot study exercise was also undertaken, which provided valuable
insights into the likely response rate and analytical implications for the full survey.
As the InSPy is essentially a managerial, 'direction-giving document' [Hone & Eloff, 2002b: 14], rather
than a technical document, it was recognised that the most appropriate individuals to target would be
executives with a high degree of managerial responsibility for information systems and technology.
Senior IT executives were, therefore, explicitly targeted, as it was envisaged that they could provide
the required organizational and managerial perspective. A list of the addresses of IT Directors, from
large UK-based organizations, was purchased from a commercial research organization. The decision
to target only larger firms [firms employing more than 250 people] was based on the premise that
small firms have few, if any, dedicated IT staff [Premkumar & King, 1992]. A total of 219 valid
responses were received from the 2838 questionnaires mailed out, representing a response rate of
7.7%. Whilst this response rate is rather disappointing, it is not perhaps surprising given the
increasingly sensitive nature of information security [Menzies, 1993]. More recently, in an article
entitled 'Why aren't there more information security studies?', Kotulic & Clark [2004: 604] concluded
that: 'it is nearly impossible to extract information of this nature [relating to information security] by
mail from business organizations without having a major supporter'. Consequently, whilst the sample
was smaller than had been originally hoped, it was probably as good as could be expected, in the
circumstances.
Sample Characteristics and Response Bias
The sample could be characterised in terms of both the size of the responding organizations and the
sectors in which they are primarily operating. Of the valid respondents, 44% were employed in
organizations having fewer than 1000 employees, 33% were based in organizations with between 1000
and 5000 employees and the remaining 23% in larger organizations with over 5000 employees. Whilst
the responses were also found to have come from a wide variety of industrial sectors, four were
particularly well represented; manufacturing [24% of sample]; public services [20%], health [7%], and
wholesale / retail [6%]. Respondents were also asked to indicate the geographical spread of their
organization as it was envisaged that this might have an impact on their need for a formal information
security policy. The majority of responding organizations [50%] operated from multiple locations within
the UK, whilst a further 33% of organizations operated from multiple sites, both within the UK and
abroad, and the final 17% of the sample were located at a single site within the UK.
When undertaking survey-based research, there is always the danger that the results will be
undermined, or even invalidated, through the introduction of bias. It is, therefore, important that active
measures are taken to reduce the likelihood of bias having any such negative effects. In this research
the content validity of the constructs has been established through the process of initially linking the
variables to the research literature and then refining them through an extensive and comprehensive
process of pre-testing and pilot testing. Any sample bias introduced through the loss of data from non-
respondents is often harder to establish, as this data is not easily obtainable. However, it is possible to
approximate this bias by comparing the answer patterns of early and late respondents [Lindner et al,
2001]. Consequently, in this study, “early” and “late” responses were compared along key dimensions,
such as the existence of policy, the age of the policy, the frequency of updating and severity of
breaches, to test for non-response bias. An independent samples t-test indicated that there were no
significant differences in the profile of responses at the 5.0% level. These results imply that no
detectable response bias exists in the sample and that the results are generalizable within the
boundary of the sample frame.
RESEARCH FINDINGS
This section explores the five research hypotheses, as presented in section 2, through a quantitative
analysis of the survey data. Before reviewing the evidence relating to each of these hypotheses, it is
important to summarize and discuss the data relating to both the incidence and significance of security
breaches, as these two data items are used as the dependent variable throughout the analyses. It is
beyond the scope of this paper to present a detailed, descriptive analysis of the data relating to the
uptake and application of information security policies. However, this information is available in a
previous paper by the authors [Fulford & Doherty, 2003]. Table 2, presents a simple, descriptive
analysis of the data relating to the incidence and severity of security breaches.
Table 2: The incidence and severity of security breaches
Incidence columns: number of responding organizations reporting approximately 0, 1-5, 6-10 or more than 10 breaches of each type in the last 2 years. Severity columns: number of organizations rating their worst breach at each point of a five-point scale from 1 (fairly insignificant) to 5 (highly significant), followed by the mean rating.

Type of Breach       | 0   | 1-5 | 6-10 | >10 | 1  | 2  | 3  | 4  | 5  | Mean
Computer virus       | 6   | 111 | 23   | 77  | 45 | 65 | 47 | 35 | 19 | 2.59
Hacking incident     | 142 | 66  | 1    | 5   | 42 | 21 | 10 | 5  | 4  | 1.92
Unauthorised access  | 106 | 83  | 13   | 10  | 32 | 42 | 21 | 5  | 7  | 2.23
Theft of resources   | 50  | 123 | 24   | 19  | 43 | 52 | 48 | 20 | 8  | 2.38
Computer-based fraud | 187 | 23  | 0    | 2   | 15 | 10 | 3  | 6  | 2  | 2.15
Human error          | 41  | 85  | 19   | 65  | 32 | 61 | 43 | 23 | 10 | 2.48
Natural disaster     | 160 | 54  | 2    | 1   | 16 | 24 | 9  | 11 | 5  | 2.52
Damage by employees  | 185 | 28  | 0    | 0   | 20 | 8  | 7  | 2  | 2  | 1.82
It is interesting to note that all eight potential types of security breach have been experienced within
our sample and that there appears to be a relationship between the incidence of breaches and their
perceived impact. For example, computer viruses and human error are both very common types of
breach, and both have a significant impact when they do strike. At the other end of the scale, damage
by disgruntled employees, hacking incidents and computer-based fraud all occur infrequently and
have a relatively insignificant impact where they do occur. The only type of breach to obviously break
this pattern is natural disasters, which, despite occurring rarely, do have a significant impact.
The Impact of the Adoption of an InSPy on Security Breaches
The vast majority of respondents [77%], in our sample, reported that their organization had a formal,
documented InSPy, with the remaining 23% of organizations confirming that they didn’t. It was
therefore, both possible and desirable to explore the degree of association between the adoption of an
InSPy and the resultant level of security breaches. The results of a series of chi-squared tests suggest
that there is no statistical association between the adoption of an InSPy and the incidence of security
breaches [see table 3: columns 2-4]. An analysis of variance [ANOVA] was also used to determine
whether there was any association between the adoption of InSPys and the severity of each of the
distinct types of security breaches [see table 3: columns 5-8].
Table 3: The Relationship between the Adoption of an InSPy and the Incidence & Severity of Security Breaches
Incidence of breaches (chi-squared analysis): Pearson value, degrees of freedom, 2-sided probability. Severity of worst breach (one-way ANOVA): mean severity for organizations with [Yes] and without [No] an InSPy, F ratio, F probability.

Type of Breach       | Pearson | d.f. | 2-sided prob. | Yes  | No   | F ratio | F prob.
Computer virus       | 0.730   | 3    | 0.878         | 2.59 | 2.69 | 0.215   | 0.644
Hacking incident     | 5.733   | 3    | 0.111         | 1.92 | 1.72 | 0.422   | 0.518
Unauthorised access  | 3.090   | 3    | 0.378         | 2.23 | 2.00 | 0.730   | 0.395
Theft of resources   | 1.905   | 3    | 0.607         | 2.38 | 2.51 | 0.429   | 0.513
Computer-based fraud | 1.892   | 2    | 0.300         | 2.15 | 2.25 | 0.036   | 0.851
Human error          | 5.388   | 3    | 0.144         | 2.48 | 2.67 | 0.743   | 0.390
Natural disaster     | 6.469   | 3    | 0.089         | 2.52 | 2.32 | 0.361   | 0.550
Damage by employees  | 0.003   | 1    | 1.000         | 1.82 | 2.30 | 1.210   | 0.279

Note: A chi-squared test was used to test the association between the 4 categories of incidence [0, 1-5, 6-10, >10] & the 2 classes of InSPy existence [yes, no], whilst ANOVA was used to compare the mean severity of breaches & the 2 classes of InSPy existence.
An inspection of the data in table 3 indicates that there are no statistically significant associations
between the existence of an information security policy, and either the incidence or the severity of any
of the eight types of security breach. This is a particularly surprising result, given the prevailing
orthodoxy that the InSPy is the primary mechanism for preventing security breaches [e.g. Rees et al,
2003]. However, based upon this analysis, hypothesis H1 must be rejected.
The Impact of the Age of an InSPy on Security Breaches
It was envisaged that the greater experience of those organizations that had utilized an
information security policy for many years might be manifested in more effective security
management practices, and thus fewer security breaches. As the respondents had been
asked to estimate the number of years that their organizations had actively used an InSPy, as
a simple integer, the degree of association between the age of a policy and the incidence /
severity of security breaches was explored using ANOVA [table 4: columns 2-7] and
correlation [table 4: columns 8-9]. The findings [see table 4] indicate that there are two
significant associations between the age of the policy and the incidence of security breaches.
However, an inspection of this data suggests that in both cases, where there is a significant
result, the decreased incidence of security breaches is associated with recently deployed
policies, rather than those that have been in existence for a long time. Consequently, these
findings are important, as they suggest that there may be some complacency creeping into
the security practices of those organizations with a longer history of policy utilisation. When it
comes to associations between the age of the policy and the severity of breaches, there is
only one case [theft of resources] where there is a significant association. In this case, there
is some support for hypothesis H2, as the Pearson correlation value is negative, indicating
that older policies are associated with less severe breaches. However, given that there is no
strong or consistent evidence in support of the hypothesis, H2 must also be rejected.
Table 4: Relationship between the age of an InSPy & the incidence / severity of security breaches

Cells in the four incidence columns are the mean policy age (years) of the organizations in each
incidence band; the F ratio and F probability come from a one-way ANOVA of policy age across the
bands. The severity columns give the Pearson correlation between policy age and the severity of the
worst breach, with its two-sided significance.

                       Incidence of breaches (one-way ANOVA)             Severity of worst breach (correlation)
Type of breach         0      1-5    6-10   >10    F ratio  F prob.      Pearson value   2-sided significance
Computer virus         2.0    3.7    3.0    5.1    2.3      .08          -0.05           0.501
Hacking incident       3.7    4.7    5.0    5.0    .77      .51          -0.05           0.718
Unauthorised access    3.5    3.9    4.5    10.1   6.4      .00**        -0.08           0.443
Theft of resources     4.1    3.7    3.4    7.27   3.7      .01*         -0.20           0.025*
Computer-based fraud   3.9    6.14   -      3.00   2.8      .07          -0.13           0.513
Human error            3.9    3.5    3.7    4.9    1.2      .31          -0.00           0.963
Natural disaster       4.1    3.8    2.8    -      .23      .80          -0.15           0.335
Damage by employees    7.8    8.9    -      -      2.9      .09          -0.19           0.332
Note: * Result significant at the 5% level; ** Result significant at the 1% level
The Impact of the Frequency of Updating an InSPy on Security Breaches
The relationship between the frequency of updating an information security policy and the incidence
and severity of security breaches was explored using a chi-squared analysis [table 5: columns 2-4]
and ANOVA [table 5: columns 5-8]. The frequency with which InSPys were updated was measured
using a five-category scale [less often than every 2 years; every 2 years; every year; every 6 months;
more often than every 6 months]. To use this variable in a chi-squared analysis with the
incidence-of-breaches variable, it was necessary to compress the five original categories into just two
[‘less than once a year’ and ‘at least once a year’], to ensure that the expected frequency in every cell
of the contingency table was greater than five, a standard pre-requisite for the validity of the
chi-squared approximation. Having used a two-category measure of updating frequency for the
chi-squared analysis, it made sense to also use it for the ANOVA, to make the results more
comparable.
The results of the two analyses [see table 5] indicate that there are no statistically significant
associations between the frequency with which the InSPy is updated and the incidence and severity of
any of the eight types of security breach, and hypothesis H3 must therefore also be rejected. This
result is also surprising in the face of the prevailing orthodoxy that the InSPy will be more effective if
updated regularly [e.g. Hone & Eloff, 2002b].
Table 5: Relationship between the frequency of updating an InSPy & the incidence / severity of security breaches

The chi-squared columns test the association between the two-class updating frequency and the banded
incidence of each type of breach. The severity columns give the mean severity of the worst breach for
each updating class, with the F ratio and F probability from a one-way ANOVA between the two classes.

                       Incidence of breaches (chi-squared analysis)   Severity of worst breach (one-way ANOVA)
Type of breach         Pearson value   Deg. of freedom   2-sided prob.  < once a year   >= once a year   F ratio   F prob.
Computer virus         3.157           3                 0.368          2.42            2.75             2.71      0.101
Hacking incident       1.679           3                 0.642          2.00            1.92             0.065     0.799
Unauthorised access    3.108           3                 0.375          2.21            2.25             0.030     0.864
Theft of resources     2.219           3                 0.528          2.35            2.42             0.117     0.733
Computer-based fraud   1.098           2                 0.577          2.08            2.20             0.052     0.821
Human error            5.253           3                 0.154          2.67            2.42             1.467     0.228
Natural disaster       3.237           2                 0.198          2.29            2.72             1.450     0.235
Damage by employees    1.198           1                 0.274          1.73            1.87             0.087     0.770
The impact of the scope of an InSPy on security breaches
The scope of information security policies can vary greatly, in terms of the number of issues covered,
so it was important to explore whether the scope of the policy was associated with the incidence and
severity of security breaches. As discussed in section 3, the scope of the policy was investigated by
asking respondents to indicate which issues, from a list of eleven separate issues, were covered in
their policies. Consequently, it was possible to create a new variable, ‘total issues covered’, as the
sum of the individual issues covered. This new variable, which was in the range 0-11, had a mean of
8.01 and a standard deviation of 2.61. The relationship between ‘total issues covered’ and the
incidence and severity of security breaches was explored using an ANOVA [table 6: columns 2-7] and
a bivariate correlation [table 6: columns 8-9].
Table 6: Relationship between the range of issues covered by an InSPy & the incidence / severity of security breaches

Cells in the four incidence columns are the mean number of issues covered (out of eleven) by the
policies of the organizations in each incidence band; the F ratio and F probability come from a
one-way ANOVA across the bands. The severity columns give the Pearson correlation between the
number of issues covered and the severity of the worst breach.

                       Incidence of breaches (one-way ANOVA)             Severity of worst breach (correlation)
Type of breach         0      1-5    6-10   >10    F ratio  F prob.      Pearson value   2-sided significance
Computer virus         8.0    7.8    7.6    8.4    .79      .49          0.05            0.530
Hacking incident       8.0    7.9    10.0   6.5    .41      .75          -0.04           0.779
Unauthorised access    7.9    8.0    7.9    9.4    .86      .46          0.15            0.169
Theft of resources     7.4    8.0    8.2    9.3    2.4      .10          -0.05           0.536
Computer-based fraud   7.8    9.3    -      5.00   3.4      .04*         0.31            0.122
Human error            8.1    7.9    7.8    8.2    .29      .88          0.02            0.838
Natural disaster       7.9    8.5    3.5    -      3.8      .02*         0.24            0.105
Damage by employees    7.8    8.9    -      -      2.9      .09          0.08            0.678
Note: * Result significant at the 5% level
The results relating to hypothesis H4 are quite interesting, as there are some statistically significant
results. For example, the range of issues covered is significantly associated with the incidence of both
‘computer-based fraud’ and ‘natural disasters’. However, an inspection of the data [table 6: columns
2-5] is inconclusive: in both cases the organizations in the highest incidence band have the fewest
issues covered, but the lowest incidence of breaches is not associated with the highest number of
issues covered. With regard to the severity of breaches, there are no statistically significant
associations between the number of issues covered by the policy and the severity of security
breaches. In summary, given that only two of the sixteen individual tests conducted resulted in
statistically significant outcomes, there is little in the way of strong evidence in support of
hypothesis H4, and it must therefore be rejected.
The impact of the adoption of best practice on security breaches
In order to explore effectively the relationship between the adoption of success factors and the
incidence and severity of security breaches, it was necessary to derive a summated scale for the ten
success factors. An underlying assumption, and fundamental requirement, for constructing a summated
measure of a metric construct is that the item scales all measure the same underlying construct. This
was confirmed by undertaking an internal reliability test using Cronbach's alpha, which yielded a
coefficient of 0.87, well above the 0.7 conventionally regarded as the minimum for a usable summated
scale. Having derived the overall measure for the adoption of best practice, ANOVA and correlation
analyses were conducted to explore its association with the incidence and severity of security
breaches [see table 7].
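The reliability check described above is a short calculation, so a worked version is added here. This is example code written for this edit, not the paper's analysis script, and the ratings it embeds are constructed for the demonstration (six hypothetical respondents scoring ten success factors on a 1-5 scale), not the survey data. It implements Cronbach's alpha from the item and total variances, applies the conventional 0.7 acceptance threshold, and then forms the per-respondent summated score that would serve as the independent variable.

```python
"""Cronbach's alpha and a summated scale for a set of Likert items.

Added example, not from the paper. SUCCESS_FACTOR_RATINGS is CONSTRUCTED
(rows = respondents, columns = the ten success factors, scores 1-5).
"""
from typing import List, Sequence


def variance(values: Sequence[float]) -> float:
    """Population variance. The n versus n-1 choice cancels in the alpha ratio
    as long as the same convention is used for items and totals."""
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values) / len(values)


def cronbach_alpha(responses: List[List[float]]) -> float:
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(row totals)).

    Alpha approaches 1 when the items co-vary strongly (they measure one
    underlying construct) and falls towards 0 when they vary independently."""
    k = len(responses[0])
    if k < 2:
        raise ValueError("alpha needs at least two items")
    items = list(zip(*responses))                   # transpose: items x respondents
    item_var_sum = sum(variance(item) for item in items)
    total_var = variance([sum(row) for row in responses])
    if total_var == 0:
        raise ValueError("no variation between respondents; alpha is undefined")
    return k / (k - 1) * (1 - item_var_sum / total_var)


ACCEPTABLE_ALPHA = 0.7   # conventional lower bound for building a summated scale


def reliability_ok(responses: List[List[float]],
                   threshold: float = ACCEPTABLE_ALPHA) -> bool:
    """True when the items are consistent enough to be summed into one measure."""
    return cronbach_alpha(responses) >= threshold


def summated_scale(responses: List[List[float]]) -> List[float]:
    """Per-respondent mean of the items: the overall 'adoption of best practice'
    score used once reliability has been established."""
    return [sum(row) / len(row) for row in responses]


# Constructed ratings: each row is one respondent, each column one success factor.
SUCCESS_FACTOR_RATINGS = [
    [5, 5, 4, 5, 5, 4, 5, 5, 4, 5],
    [4, 4, 4, 3, 4, 4, 3, 4, 4, 4],
    [2, 2, 3, 2, 1, 2, 2, 3, 2, 2],
    [3, 3, 3, 4, 3, 2, 3, 3, 3, 4],
    [1, 2, 1, 1, 2, 1, 1, 2, 1, 1],
    [4, 5, 4, 4, 5, 5, 4, 4, 5, 4],
]


if __name__ == "__main__":
    alpha = cronbach_alpha(SUCCESS_FACTOR_RATINGS)
    print(f"alpha = {alpha:.3f}; summate: {reliability_ok(SUCCESS_FACTOR_RATINGS)}")
    print("summated scores:", summated_scale(SUCCESS_FACTOR_RATINGS))
```

Two sanity checks are worth running on any such scale before trusting it: a set of items that are identical for every respondent must give alpha = 1, and items that vary independently of one another must give alpha close to 0. A high alpha says only that the ten items move together; it does not say that what they jointly measure is actually the adoption of best practice, which is a validity question the survey design has to answer separately.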
Table 7: Relationship between the adoption of success factors & the incidence / severity of security breaches

Cells in the four incidence columns are the mean summated success-factor score of the organizations
in each incidence band; the F ratio and F probability come from a one-way ANOVA across the bands.
The severity columns give the Pearson correlation between the summated score and the severity of the
worst breach.

                       Incidence of breaches (one-way ANOVA)             Severity of worst breach (correlation)
Type of breach         0      1-5    6-10   >10    F ratio  F prob.      Pearson value   2-sided significance
Computer virus         3.17   2.95   2.85   2.85   0.42     0.74         0.031           0.699
Hacking incident       2.94   2.93   2.50   1.55   3.05     0.03*        0.120           0.365
Unauthorised access    2.99   2.82   2.76   2.75   1.01     0.39         -0.070          0.529
Theft of resources     2.87   2.89   3.01   2.91   0.40     0.75         -0.149          0.097
Computer-based fraud   2.89   2.87   -      2.40   0.27     0.76         0.305           0.138
Human error            2.98   2.87   3.12   2.81   0.99     0.39         -0.189          0.035*
Natural disaster       2.92   2.82   3.20   -      0.50     0.60         0.171           0.255
Damage by employees    2.91   2.86   -      -      0.09     0.76         -0.088          0.655
Note: * Result significant at the 5% level
The results of these analyses indicate a statistical association between the summated success
factors and security breaches in two of the sixteen individual tests conducted, and an inspection of the
data provides some evidence in support of hypothesis H5. Success in adopting best practice is
associated with a low incidence of hacking incidents, whereas low success in adopting best practice is
associated with a high incidence of hacking incidents [table 7: the mean score falls from 2.94 in the
zero-incidence band to 1.55 in the >10 band]. In a similar vein, success in adopting best practice is
associated with less severe breaches due to ‘human error’ [a negative correlation], whereas low
success in adopting best practice is associated with more severe incidents of ‘human error’. However,
given that only two of the sixteen individual tests were significant, there is insufficient evidence to
support hypothesis H5, and it must, therefore, be rejected.
DISCUSSION
It was established in the literature review that the information security policy is now viewed as the
basis for the dissemination and enforcement of sound security practices, and as such should help to
reduce the occurrence of security breaches [e.g. Loch et al, 1992; Mitchell et al, 1999; Whitman, 2004].
Indeed, as Wadlow [2000] notes: ‘if you ask any security professional what the single most important
thing is that you can do to protect your network, they will unhesitatingly say that it is to write a good
security policy’. It therefore came as something of a surprise, in the present study, to find almost no
statistically significant relationships between the adoption of information security policies and the
incidence or severity of security breaches. Consequently, it is important to explore the possible
interpretations of this unexpected finding. The implications of this study for the practice of information
security management are reviewed in this section, and then its limitations are explored.
Although there is little evidence of any formal empirical studies focusing on the effectiveness of
information security policies, the published literature does provide some clues as to why InSPys might
be failing to stem the level of security breaches. Amongst these, the following are the most plausible
reasons for deficient policies:
Difficulties of raising awareness: Siponen [2000] highlights the problems of policy
dissemination in the workplace. If employees are not made aware of a policy, then
there is a danger that it will become a dead document, rather than an active and
effective security management tool. Given that nearly all the respondents in our study
claimed to be actively disseminating their policies, questions must be raised about the
effectiveness of their dissemination strategies, given the consistently high levels of
security breach witnessed. As Hone & Eloff [2002b: 15] note, a common failure of
information security policies is that they ‘fail to impact users on the ground’.
Difficulties of enforcement: As David [2002: 506] notes, ‘having a policy and being
able to enforce it are totally different things’. Hinde [2002] provides evidence that the
problem of policy enforcement might primarily stem from the difficulties of getting
employees to read and take heed of policies. As Wood [2000: 14] notes, ‘the
expectation that users are going to look at a centralized information security policy is
just unrealistic and bound to lead to disappointing results’.
Policy standards are too complex: Many organizations will lack the skills and
experience to formulate an information security policy. They will, therefore, typically
refer to one of the many international information security standards, such as
ISO 17799, COBIT or GMITS [Hone & Eloff, 2002a]. Whilst such standards are
recognized as a ‘good starting point’ for determining what an InSPy should consist of
[Hone & Eloff, 2002a: 402], in practice they can be complex and time consuming to
apply [Arnott, 2002].
Inadequate resourcing: In too many cases, there are insufficient resources available
to devote to the monitoring and enforcement of policies [Moule & Giavara, 1995: 8].
Effective security management requires a great deal of time, effort and money, which
many organisations are not prepared to commit.
Failure to tailor policies: It has been argued that the security requirements of an
organization will be dependent upon the types of information being processed [Pernul,
1995] and the culture of the organization [Hone & Eloff, 2002a: 402]. Consequently, the
InSPy must be tailored to its organizational context. However, because many
organizations rely on international standards as the point of departure for developing a
policy, they often apply a generic solution, rather than tailoring it to their own
circumstances.
It is very likely that the factors reviewed above provide at least a partial explanation as to why InSPys
are failing to have a significant impact on the incidence and severity of security breaches. However,
the drivers for adopting or enhancing an information security policy might also help to explain why all
five of our hypotheses were ultimately rejected. Our basic thesis was that organizations that had
formulated a policy, which was regularly updated, broad in scope and adhered to best practice, would
have fewer security breaches than those organizations that had not. An alternative thesis might be
that rather than deploying policies to prevent breaches, many organizations might be adopting or
enhancing a policy in response to a spate of security breaches. However, if there was any significant
evidence in support of this alternative thesis, in which the direction of causality is simply reversed,
then a large number of statistically significant associations might still have been expected.
Consequently, one plausible explanation of our findings is that there is a mixture of drivers: in some
instances policies are doing their job and preventing breaches, while in other cases policies are being
implemented or enhanced in response to a high incidence of breaches.
Whilst the above discussion might help to explain the apparent ineffectiveness of information security
policies, any manager with responsibility for the formulation of his or her organization’s information
security policy needs to heed the messages inherent in these findings. Firstly, the findings suggest
that there is no room for complacency; it is not enough simply to produce a policy, even if that policy
has a broad scope, adheres to best practice and is regularly updated. Steps must be taken to ensure
that the policy is tailored to its organizational context and then enforced, which in turn means that the
policy must be appropriately disseminated and well resourced. Moreover, the results suggest that
organizations need to be more proactive in evaluating the effectiveness of their policies: when security
breaches occur, the policy should be reviewed to determine how such incidents can be avoided in the
future. It is particularly important for those organizations who already deploy an appropriate policy, and
who appear to be following best practice in its application, yet who still suffer a high incidence of
security breaches, to critically evaluate their security policy and security practices.
This research should also be of interest to the information management research community. As it is
one of the first empirical studies to explicitly tackle the relationship between the information security
policy and the level of security breaches, many new variables and item measures have been identified
and validated; these might be usefully incorporated in future research. Moreover, the study has
highlighted the need for far more research in this area to further explore the relationship between the
information security policy and security breaches and to determine what steps are needed to improve
its effectiveness.
Research into the adoption of sophisticated policies, within the organizational context, is an ambitious
undertaking, and therefore contains a number of inherent limitations. In particular, the adoption of the
survey format restricts the range of issues and constructs that can be explored, the selection of a very
narrow sampling frame reduces the generalizability of the results and finally there is potential
response bias associated with the ‘single-informant’. Moreover, the survey approach cannot help to
provide meaningful explanations of why no statistically significant findings were derived from our
analyses. Consequently, whilst the study provides many interesting insights, these limitations do
highlight the need for follow-up studies to be conducted employing different methods, and targeting
different populations. When considering future studies, it will be important for researchers to be
creative in finding ways of securing organizational buy-in to their studies, to avoid the difficulties of
response witnessed on this and other information security projects [Kotulic & Clark, 2004].
CONCLUDING REMARKS
The work presented in this paper makes an important contribution to the information security literature
as it presents the first empirical study of the relationship between the application of information
security policies and the incidence and severity of security breaches. The key result of this research is
the finding that there is no statistically significant relationship between the existence and application of
information security policies and the incidence or severity of security breaches. Whilst a number of
plausible explanations have been proffered to help understand this, somewhat surprising, finding,
there is an urgent need for follow-up studies to explore what can be done to improve the effectiveness
of information security policies. To this end, a series of follow-up interviews and focus groups to help
interpret and explain the results of the quantitative analysis are currently being planned. As the project
unfolds, it is anticipated that the findings will help organizations to better understand the value of
security policies and to pinpoint the policy areas for prioritisation.
Acknowledgements: The provisional version of the research framework upon which this paper is
based was presented at the IRMA Conference [Doherty & Fulford, 2003]. The authors would like to
thank the paper reviewers and conference participants for their helpful comments, as these greatly
shaped our thinking with regard to this paper.
References
Arnott, S. (2002). Strategy Paper. Computing, 28th February.
Austin, R. D. & Darby, C. A. (2003). The Myth of Secure Computing. Harvard Business Review, June.
Barnard, L. & von Solms, R. (1998). The evaluation and certification of information security against BS
7799. Information Management and Computer Security, 6 (2), 72-77.
Canavan, S. (2003). An Information Security Policy Development Guide for Large Companies. SANS
Institute, [http://www.SANS.org]
De Campeaux, D. (2002). Taking Responsibility for Worms and Viruses. Communications of the ACM,
45 (4), 15-16.
David, J. (2002). Policy enforcement in the workplace. Computers and Security, 21 (6), 506-513.
Dhillon, G. & Backhouse, J. (1996). Risks in the use of Information Technology within Organizations.
International Journal of Information Management, 16 (1), 65-74.
Dhillon, G. (1997). Managing Information Systems Security. London: Macmillan Press.
Dhillon, G. (1999). Managing and Controlling Computer Misuse. Information Management and
Computer Security, 7 (4), 171-175.
Dhillon, G. (2004). Guest Editorial: the challenge of managing information security. International
Journal of Information Management, 24, 3-4.
Doherty, N. F. & Fulford, H. (2003). Information Security Policies in Large Organisations:
Developing a Conceptual Framework to Explore their Impact. Information Technology and
Organizations: Trends, Issues, Challenges and Solutions, IRMA International Conference,
Philadelphia, USA.
Fulford, H. & Doherty, N. F. (2003). The application of information security policies in large UK-based
organizations. Information Management and Computer Security, 11 (3), 106-114.
Garg, A., Curtis, J. & Halper, H. (2003). Quantifying the financial impact of information security
breaches. Information Management and Computer Security, 11 (2), 74-83.
Gaston, S. J. (1996). Information Security: Strategies for Successful Management. Toronto: CICA.
Glazer, R. (1993). Measuring the Value of Information: The Information Intensive Organization. IBM
Systems Journal, 32 (1), 99-110.
Higgins, H. N. (1999). Corporate system security: towards an integrated management approach.
Information Management and Computer Security, 7 (5), 217-222.
Hinde, S. (2002). Security surveys spring crop. Computers and Security, 21 (4), 310-321.
Hinde, S. (2003). Cyber-terrorism in context. Computers and Security, 22 (3), 188-192.
Hone, K. & Eloff, J. H. P. (2002a). Information security policy - what do international security standards
say? Computers & Security, 21 (5), 402-409.
Hone, K. & Eloff, J. H. P. (2002b). What makes an effective information security policy? Network
Security, 20 (6), 14-16.
Hong, K., Chi, Y., Chao, L. & Tang, J. (2003). An Integrated System Theory of Information Security
Management. Information Management and Computer Security, 11 (5), 243-248.
I.S.O. (2000). Information technology. Code of practice for information security management - ISO
17799. International Organization for Standardization.
Kotulic, A. G. & Clark, J. G. (2004). Why there aren’t more information security research studies.
Information & Management, 41, 597-607.
Kwoc, L. & Longley, D. (1999). Information Security Management & Modelling. Information
Management and Computer Security, 7 (1), 30-39.
Lindner, J. R., Murphy, T. H. & Briers, G. E. (2001). Handling non-response in social science research.
Journal of Agricultural Education, 42 (4), 43-53.
Loch, K. D., Carr, H. H. & Warkentin, M. E. (1992). Threats to Information Systems - Today's reality,
Yesterday's Understanding. MIS Quarterly, 16 (2), 173-186.
Menzies, R. (1993). Information Systems Security. In IT Strategy for Business, J. Peppard (Ed.),
London: Pitman Publishing.
Mitchell, R. C., Marcella, R. & Baxter, G. (1999). Corporate Information Security. New Library World,
100 (1150), 213-277.
Pernul, G. (1995). Information systems security: Scope, state of the art and evaluation of techniques.
International Journal of Information Management, 15 (3), 165-180.
Pfleeger, C. P. (1997). Security in Computing. Englewood Cliffs, NJ: Prentice Hall.
Premkumar, G. & King, W. R. (1992). An empirical assessment of information systems planning and
the role of information systems in organizations. Journal of Management Information Systems,
19 (2), 99-125.
Rees, J., Bandyopadhyay, S. & Spafford, E. H. (2003). PFIRES: A Policy Framework for Information
Security. Communications of the ACM, 46 (7), 101-106.
Siponen, M. (2000). Policies for construction of information systems' security guidelines. In
Proceedings of the 15th International Information Security Conference (IFIP TC11/SEC2000),
Beijing, China, August, 111-120.
von Solms, B. & von Solms, R. (2004). The ten deadly sins of information security management.
Computers & Security, 23, 371-376.
Straub, D. W. & Welke, R. J. (1998). Coping with systems risk: Security planning models for
management decision making. MIS Quarterly, 22 (4), 441-470.
Wadlow, T. A. (2000). The Process of Network Security. Reading, MA: Addison-Wesley.
Whitman, M. E. (2004). In defense of the realm: understanding threats to information security. International
Journal of Information Management, 24, 3-4.
Wood, C. C. (1996). Writing InfoSec Policies. Computers & Security, 14 (8), 667-674.
Wood, C. C. (2000). An unappreciated reason why information security policies fail. Computer Fraud
& Security, 10, 13-14.
20
... To foster a better information security culture, it is important to provide a proper training to the employees (Saint-Germain, 2005; von solms & von solms, 2004), which constitutes another success factor. The policies derived from standards must be well aligned with corporate objectives (Rees et al., 2003;Saint-Germain, 2005), tailored to the organizational context of the company (Doherty & Fulford, 2005) and then rigorously enforced (David, 2002). ...
... Beyond the financial costs are the organizational costs, indeed effective security management requires a great deal of time, effort, and money, which many organizations are not prepared to commit (Doherty & Fulford, 2005). Moreover, according Wiander (2007) implementing the standard requires skilled people and this can require higher salary expenses. ...
... Due to the often complex nature of security standards (Arnott, 2002), the lack of skills -and money to buy the skills -for SMEs is further burdened by the lack of time for adoption and certification of standards. Effective security management requires a great deal of time and effort, which most of SMEs are not prepared to commit (Doherty & Fulford, 2005;Moule & Giavara, 1995). For example, security standard's implementation can take more than 5 or 6 months (CNRS, 2002). ...
Chapter
This chapter introduces major information security management methods and standards, and particularly ISO/IEC 27001 and 27002 standards. A literature review was conducted in order to understand the reasons for the low level of adoption of information security standards by companies, and to identify the drivers and the success factors in implementation of these standards. Based on the findings of the literature review, we provide recommendations on how to successfully implement and stimulate diffusion of information security standards in the dynamic business market environment, where companies vary in their size and organizational culture. The chapter concludes with an identification of future trends and areas for further research.
... The need to adapt the ISP to different work practices has been identified by several researchers (e.g., Stahl et al., 2012 ;Diver, 2007 ;Szuba, 1998 ;Karlsson et al., 2017 ;Höne and Eloff, 2002a ;Doherty and Fulford, 2005 ). It is important to translate and transform laws, external policies, and standards into an understandable language when they are prescribed for different work practices. ...
... It is important to translate and transform laws, external policies, and standards into an understandable language when they are prescribed for different work practices. Regarding this point, Doherty and Fulford (2005) explained that many organizations rely on international information security standards as a starting point for developing their ISPs, but they usually do not tailor them to their own circumstances; so they depicted that ISP must be adopted to its organizational context. Adopted to the work practice also means that ISPs should be written by using language and terminology that is accessible by the ISP users ( Stahl et al., 2012 ). ...
... Actionable advice on software development Doherty and Fulford (2006) Actionable advice on encryption Doherty and Fulford (2006) Actionable advice on contingency planning Doherty and Fulford (2006) Rules and protocols Lindup (1995) How to use computer systems Al-Hamdani and Dixie (2009) Actionable advice Gritzalis (1997) , Lopes and Oliveira (2015) , Stahl et al. (2012) , Karlsson et al. (2017) , White (2013) , Whitman et al. (1999) Ends to achieve " Stahl et al. (2012) ", Goel and Chengalur-Smith (2010) Adapted to the work practice Translation of external policy input to current work practice Karlsson et al. (2017) , Whitman et al. (2001) , Doherty and Fulford (2005) Adapted to work practice Karlsson et al. (2017) Match audience's language Karyda et al. (2003) , Höne and Eloff (2002 a ), Stahl et al. (2012) , Maynard and Ruighaver (2006) Connect to organization's culture Höne and Eloff (2002 a ) Understandable language Lopes and Oliveira (2015) , Cosic and Boban (2010) , Szuba (1998) , Stahl et al. (2012) , Whitman (2008) , Maynard and Ruighaver (2006) Easy to understand Tuyikeze and Flowerday (2014) , Diver (2007) , Szuba (1998) (2009) Cram et al. (2017) , Maynard and Ruighaver (2006) (2011) in information systems from Norwegian University of Science and Technology (NTNU). His research interests include mobile information systems, technology diffusion, business process modeling, and information systems modeling and requirement engineering. ...
Article
Full-text available
Information security is a hot topic nowadays, and while top-class technology exists to safeguard information assets, organizations cannot rely on technical controls alone. Information security policy (ISP) is one of the most important formal controls when organizations work with implementing information security. However, designing ISPs is a challenging task for information security managers and to ease the burden, computerized tools have been suggested to support this design task. One important prerequisite for developing such tools is the requirements. However, existing research has, to a very limited extent, synthesized existing requirements. Against this backdrop, this study aims to elicit a set of requirements, anchored in existing ISP research, for computerized tools that support ISP design. First, we summarize existing ISP research into 14 requirement themes. Second, we suggest a set of user stories that operationalize these requirement themes from an information security manager's perspective. Third, we suggest another set of user stories that operationalize the same requirement themes from an ISP user's perspective. In total, we suggest 28 user stories that can act as a starting point for both researchers and practitioners when developing computerized tools that provide ISP design support for information security managers.
... Many past studies distinguished positive relationships between job satisfaction and organizational commitment (Thomas & Kevin,20 . Accordingly, high organizational commitment is expected of employees who have greater job satisfaction, and raising organizational commitment has a positive effect on job satisfaction Additionally, it is presumed that job satisfaction is a requirement for organizational commitment (Doherty & Fulford, 2005;Sergeant & Frenkel, 2000). Many researchers determined positive relationships between the dimensions of these two constructs and described job satisfaction as a concept that fosters organizational commitment (Porter et al., 1974;Dubinsky et al., 1992;Conley & Wooley, 2000;Ruyter et al., 2001;Top, 2012). ...
Article
Full-text available
In this study the relationship between job satisfaction and organizational commitment in female employees has been examined. The structural equation modelling technique was used to analyze complex models with both direct and indirect relationships. Quantitative data was gathered by utilizing questionnaires. To demonstrate convergence validity, confirmatory factor analysis was used. Composite reliability and AVE scores were calculated to assess the scales' reliability and discriminant validity. The AMOS statistical program's structural equation model method was used to test the hypotheses. Out of six hypotheses, two of them were supported. It has been empirically proven that Internal Job Satisfaction has a direct effect on Affective Commitment and Normative Commitment, where External Job Satisfaction does not have a direct effect on any sub-dimensions of organizational commitment. Although job satisfaction and organizational commitment have been examined individually in many studies, this research focused on female employees working in the service sector while evaluating the relationship between the two concepts in the light of current data.
... Many past studies distinguished positive relationships between job satisfaction and organizational commitment . Accordingly, high organizational commitment is expected of employees who have greater job satisfaction, and raising organizational commitment has a positive effect on job satisfaction a requirement for organizational commitment (Doherty & Fulford, 2005;Sergeant & Frenkel, 2000). Many researchers determined positive relationships between the dimensions of these two constructs and described job satisfaction as a concept that fosters organizational commitment (Porter et al., 1974;Dubinsky et al., 1992;Conley & Wooley, 2000;Ruyter et al., 2001;Top, 2012). ...
... Although security infrastructure is of critical importance for the defense against cybercriminals' tactics and techniques, an organization's biggest threat to privacy and security has been acknowledged to be its own personnel [14]. ENISA's report in 2018 [6] revealed that 50.6% of attacked hospitals identified insider threats as their most serious adversary. ...
Article
Full-text available
Recent studies report that cybersecurity breaches noticed in hospitals are associated with low levels of personnel’s cybersecurity awareness. This work aims to assess the cybersecurity culture in healthcare institutions from middle- to low-income EU countries. The evaluation process was designed and performed via anonymous online surveys targeting individually ICT (internet and communication technology) departments and healthcare professionals. The study was conducted in 2019 for a health region in Greece, with a significant number of hospitals and health centers, a large hospital in Portugal, and a medical clinic in Romania, with 53.6% and 6.71% response rates for the ICT and healthcare professionals, respectively. Its findings indicate the necessity of establishing individual cybersecurity departments to monitor assets and attitudes while underlying the importance of continuous security awareness training programs. The analysis of our results assists in comprehending the countermeasures, which have been implemented in the healthcare institutions, and consequently enhancing cybersecurity defense, while reducing the risk surface.
... Awareness and training have been reported as one of several critical factors in relation to management of HIP (Al-Tameem, Zairi, & Kamala, 2009). Organizations need sufficient financial support to maintain effective information security systems (Doherty & Fulford, 2005). The lack of financial support has been stated as one of the hindrances to implementing information privacy and security best practice (Dinnie, 1999). Studies report that the lack of staff awareness regarding privacy and security policy could hinder the implementation of privacy best practice (Abraham, 2011; Siponen, 2000). ...
Thesis
Full-text available
2015
Summary: Health information privacy (HIP) is an important component of general privacy, which involves the management and governance of the collection and handling of health information. After the introduction of electronic health records in Oman, HIP practice has been an area of concern in different health care institutions. Purpose: The purpose of this study is to acquire in-depth knowledge of the HIP policies and practices of different healthcare providers in Oman. The 4 research questions that guided the study addressed the current status of HIP practice, the similarities and differences among different healthcare providers' HIP practices, the major factors that affect the implementation of HIP best practice, and the major factors identified by the respondents as needing to be addressed more effectively. Methodology: A qualitative research design was used in this study. Through semi-structured interviews, I was able to extract information from key professionals in different healthcare providers in Oman. A 5-step framework analysis was used. The fair information practices guidelines served as a benchmark in analysing HIP practices. Results: The result of the study indicated that the current practice of HIP in Oman encounters many challenges. There are inconsistent privacy practices in different healthcare providers, highlighting the lack of standard privacy laws in Oman. Even though all the different healthcare providers recognize the importance of HIP, the methods and practices used by each healthcare provider may be different. There is a belief that HIP practices in Oman should be standardized in order to be generally consistent across the different healthcare providers in the country. Limitations: Because this study only used interviews as the data collection tool, generalizing to a larger population may not be appropriate. Implications: The results of the study correspond to the assumptions of communication privacy management theory. The knowledge that was generated from this study contributed to the development of insights in the HIP research arena and is a valuable baseline to modify, improve, and strengthen HIP policy and practice in Oman.
... [5] An organization's biggest threat to privacy and security, even if not acknowledged, is considered to be its own staff. [6] Employee security awareness is a key link in an organization's security chain, since even the most well-guarded corporation is defenseless with no security culture. [7,8] This term, "security culture," soon dominated in the era and was attributed various definitions. ...
Article
This paper presents a cyber-security culture framework for assessing and evaluating the current security readiness of an organization’s workforce. Having conducted a thorough review of the most commonly used security frameworks, we identify core security human-related elements and classify them by constructing a domain agnostic security model. We then proceed by presenting in detail each component of our model and attempt to quantify them in order to achieve a feasible assessment methodology. The paper thereafter presents the application of this methodology for the design and development of a security culture evaluation tool, that offers recommendations and alternative approaches to workforce training programs and techniques. The model has been designed to easily adapt on various application domains while focusing on their unique characteristics. The paper concludes on applications of our instrument on security-critical domains, and its contribution to current research by providing deeper insights regarding the human factor in cybersecurity.
... Information is one of the most important assets of any organization; because of its high and vital value for any organization, information should be well protected [1]. Information is often used for directing processes of employees from top to operational levels. ...
Article
This study evaluates the effect of supply chain information systems on firm performance in IKAMCO as an empirical case study. For this purpose, the 132 IKAMCO employees selected by simple random sampling responded to a questionnaire. Content validity of the questionnaire has been confirmed by experts in this field; its reliability has been confirmed by using Cronbach's alpha and Fisher's test. The Kolmogorov-Smirnov test is used to ensure normality of the data obtained from the questionnaire. The hypotheses are tested using SmartPLS software. Results show that the model is well fitted to the data. Findings show that a lean and agile supply chain is effective on supply chain performance and supply chain performance is effective on firm performance. Efficiency of information systems moderates the effect of lean supply chain on supply chain performance and firm performance. However, flexibility of information systems does not moderate the effect of agile supply chain on supply chain performance and firm performance.
Chapter
Active sharing of information security advice among the employees has undeniable implications for developing a sustainable security environment. This research examines this topic from the network perspective, and focuses on the work relationships that promote sharing security advice. Exponential random graph modeling technique was employed to evaluate the relationship between team collaborative activities and sharing security advice. The findings revealed that those who share security advice also tend to give work- and IT-related knowledge. Moreover, employees who have similar tenure tend to exchange security advice with each other more. Furthermore, the network of sharing security advice is transitive and has a tendency to form separate clusters. Security managers are suggested to take into account the research findings to identify key employees who frequently share security advice in the workplace and devise appropriate strategies to manage them.
Article
Full-text available
This study was designed to describe and explore how nonresponse in the Journal of Agricultural Education has been handled historically. All articles (N=364) published in the Journal of Agricultural Education during the years 1990 through 1999 were analyzed using content analysis techniques. Study findings show that not mentioning nonresponse error as a threat to external validity of a study, not attempting to control for nonresponse error, or not providing a reference to the literature were, unfortunately, the norm and not the exception. This study provides three statistically sound and professionally acceptable procedures and protocols for handling nonresponse: Method 1—Comparison of Early to Late Respondents; Method 2—Using "Days to Respond" as a regression variable; and Method 3—Compare Respondents to Nonrespondents.
Book
Preface - Nature and Scope of IS Security - Review of Research and Practice - Interpreting the Management of IS Security in the Health Care Sector - Interpreting the Management of IS Security in Local Government - Synthesis of Key Themes - Conclusions
Article
The enormous information management capabilities available in the Internet retailing landscape today provide a challenging research opportunity with direct managerial implications for product suppliers and retailers. Elaborating on the multidisciplinary ...
Article
To ensure business continuity the security of corporate information is extremely important. Previous studies have shown that corporate information is vulnerable to security attacks. Companies are losing money through security breaches. This paper describes an MSc project that aimed to investigate the issues surrounding corporate information security management. Postal questionnaires and telephone interviews were used. Findings indicate that companies are not proactively tackling information security management and thus are not prepared for security incidents when they occur. Reasons for this lack of action include: awareness of information security threats is restricted; management and awareness of information security is concentrated around the IT department; electronic information is viewed as an intangible business asset; potential security risks of Internet access have not been fully assessed; and surveyed companies have not yet encountered security problems, and therefore are unprepared to invest in security measures. The recommendations include that companies: carry out a formal risk analysis; move information security management from being an IT-centric function; and alter perceptions towards electronic information so that information is viewed as a valuable corporate asset.
Article
I’ve had the questionable privilege of working in this field for over two decades now and all that while there has existed an assumption that every information security specialist seems to make, an assumption that needs to be re-examined, an assumption that needs to be radically changed. This assumption is that workers are going to come to the information security trough when they get hungry, when they want some information security sustenance. So many of us information security specialists assume that rank-and-file workers are like horses or cows, that they will come back to the source of expertise when they need guidance. To the contrary, time and time again modern workers show themselves to be independent and quite capable of making local decisions without involving information security specialists. In many companies, these independent workers have for instance set up web pages or even commerce servers without consulting or even thinking about a central information security staff person.
Article
One of the most important information security controls is the information security policy. This vital direction-giving document is, however, not always easy to develop, and its authors battle with questions such as what constitutes a policy. This results in the policy authors turning to existing sources for guidance. One of these sources is the various international information security standards. These standards are a good starting point for determining what the information security policy should consist of, but should not be relied upon exclusively for guidance. Firstly, they are not comprehensive in their coverage, and furthermore they tend rather to address the processes needed for successfully implementing the information security policy. It is far more important that the information security policy fits in with the organisation's culture, and it must therefore be developed with this in mind.
Article
It is well known, at least among true security professionals, that formal policy is a prerequisite of security. While many organizations have security policy of varying types, having policy and being able to enforce it are totally different things. This writing looks at the importance of formal security policy, and then presents and discusses a new set of tools that provide a ready method for assuring critical policy enforcement in the workplace.
Article
This paper identifies 10 essential aspects, which, if not taken into account in an information security governance plan, will surely cause the plan to fail, or at least, cause serious flaws in the plan. These 10 aspects can be used as a checklist by management to ensure that a comprehensive plan has been defined and introduced.
Article
To achieve a certain degree of information systems security, different techniques have been proposed and implemented. It is the aim of this paper to form a basis for their evaluation and comparison. For this purpose a general framework of security is established by defining its scope, the most common threats against security, and two different kinds of comparison and evaluation criteria. The first criterion is a set of requirements on the secrecy and confidentiality of information, while the second consists of several structural requirements which we believe are essential for a successful and powerful security technique. In our evaluation we include the Discretionary Models, the Mandatory Models, the Personal Knowledge Approach, the Chinese Wall Policy and the Clark and Wilson model of security.
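The Chinese Wall Policy named in the abstract above is the one model in that list whose decision rule is small enough to show whole. The following is an added illustration, not code from the cited paper: the company names, datasets and conflict-of-interest classes are constructed sample data, and the write rule is a simplified form of the Brewer-Nash *-property (a subject may write to a dataset only if everything it has read belongs to that same company), which is an assumption made here for brevity.

```python
"""Chinese Wall (Brewer-Nash) access check, added as an illustration.

Each dataset belongs to a company, and companies are grouped into
conflict-of-interest (COI) classes.  Unlike a static label model, the
decision depends on what the subject has *already* read: once a subject has
read one bank's data, every other bank in the same COI class is off limits.
All company/dataset names below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Dataset:
    name: str
    company: str
    coi_class: str  # e.g. "banks", "oil" (assumed class names)


@dataclass
class ChineseWall:
    # per-subject history of datasets already read
    history: dict = field(default_factory=dict)

    def may_read(self, subject: str, ds: Dataset) -> bool:
        """Simple-security rule: no other company in the same COI class."""
        for seen in self.history.get(subject, ()):
            if seen.coi_class == ds.coi_class and seen.company != ds.company:
                return False
        return True

    def may_write(self, subject: str, ds: Dataset) -> bool:
        """Simplified *-property (assumption): a subject that has read any
        other company's data must not write here, or it could copy that data
        across the wall into a dataset a colleague is still allowed to read."""
        if not self.may_read(subject, ds):
            return False
        return all(seen.company == ds.company
                   for seen in self.history.get(subject, ()))

    def read(self, subject: str, ds: Dataset) -> bool:
        """Grant the read if allowed and record it in the subject's history."""
        if not self.may_read(subject, ds):
            return False
        self.history.setdefault(subject, set()).add(ds)
        return True


# constructed sample data: two banks in one COI class, one oil company in another
BANK_A = Dataset("acct-ledger", "BankA", "banks")
BANK_B = Dataset("loan-book", "BankB", "banks")
OIL_X = Dataset("drill-plan", "OilX", "oil")


def walkthrough() -> list:
    """Replay one analyst's session and return each access decision."""
    wall = ChineseWall()
    return [
        wall.read("alice", BANK_A),       # first bank: allowed
        wall.read("alice", OIL_X),        # different COI class: allowed
        wall.read("alice", BANK_B),       # second bank, same class: denied
        wall.may_write("alice", BANK_A),  # has read OilX data: write denied
        wall.read("bob", BANK_B),         # bob has no history: allowed
        wall.may_write("bob", BANK_B),    # only BankB read so far: allowed
    ]


if __name__ == "__main__":
    print(walkthrough())  # [True, True, False, False, True, True]
```

The point the check makes concrete is that the wall is built by the subject's own history, so the denial of BankB for alice is not a property of the dataset but of her session; a fresh subject (bob) sees the same dataset permitted.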