Published in: Information Systems Frontiers 1/2020

09.05.2018

Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation

by: Martin (Dae Youp) Kang, Anat Hovav


Abstract

The benchmarking of information security policies faces two challenges: organizations are reluctant to share data regarding information security, and no two organizations are identical. In this paper, we propose an artifact for a benchmarking method of information security policy that resolves both challenges. We employ design science methodology, activity theory and international standards to design the artifact as a proof of concept. The artifact facilitates the implementation of efficient information security policies, and organizations can use it to analyze and benchmark their information security policies. We illustrate the completeness and reliability of the artifact through a case study using information security policies from six companies.


Footnotes
1
The reader should note that while modeling a complete BMISP would be greatly beneficial for industry, it is beyond the scope of a single academic study. Therefore, the theoretical discussion in Section 2 depicts a general model and a uniform methodology, whereas the implementation and proof of concept discussed in Sections 4 and 5 are limited to one type of system policy.
5
As opposed to the expected or optimal ISSP described in the ISO standard and in many commercial and industry papers, here we use the actual ISSPs that each company had implemented at the time of the benchmarking modeling.
7
The paper employs the ISO 27K series to establish the measurements used in the case study. The case study demonstrates an example of a BMISP as a research process and supports its validity and rationality; it explains how the BMISP can be performed in industry analysis and in academic research.
8
The leading high-tech companies in Korea implement strict policies for two main reasons: (1) their strategic survival depends on innovation, so defending against corporate espionage is unavoidable; and (2) these companies engage in the global market and thus follow international standards. Conversely, financial companies in Korea mostly engage in the local market and have limited incentives to implement policies beyond those required by the government.
9
PL provides a one-off function that grants an employee temporary authority in the use of the ISMS: the employee can request an exception from the system and then use the requested functions once.
Metadata
Title
Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation
Authors
Martin (Dae Youp) Kang
Anat Hovav
Publication date
09.05.2018
Publisher
Springer US
Published in
Information Systems Frontiers / Issue 1/2020
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI
https://doi.org/10.1007/s10796-018-9855-6