Sustainable information security policy in an organization


The purpose of this research paper is to investigate how organisations design sustainable information security policies. Designing a sustainable information security policy is one of the most important issues facing organisations today. It should not merely be the first step in an organisation's information security programme but a continuing process that ensures the policy is maintained at a high quality and remains clear, comprehensive and appropriate to the organisation's specific business objectives, strategic goals and cultural needs. This is a particularly prominent issue in organisations that operate in numerous political, cultural, legal, geographic and economic environments and that, by necessity, sometimes must have an information security policy that employees can follow and actually use. Information security represents a growing concern for organisations. As organisations rely on, and become more dependent on, information systems to remain competitive, gain strategic advantage and run their operations, an effective information security policy also becomes important and the necessary foundation for organisational information security.

In an organisation, some unique challenges can arise in designing an information security policy, such as policy differences arising from the various threats, risk acceptance and tolerance levels among business units; internal and external requirements at the state, local and national level; human factors; and cultural differences. In some cases, an organisation may need a region-specific information security policy that is more restrictive than its global information security policy. However, the reason an information security policy has to be enforced in an organisation is that complying with it requires an effort from employees.


The literature review and an experimental study will be used to investigate, research and understand different factors, such as ease of use, designer perceptions of user flaws, attitude toward use, peer influence, perceived behavioural control, perceived ease of use, quality of working life, work attitude and intentions, as they bear on how to design a sustainable information security policy in an organisation.

The research problem and goal

The research problem of this study is to investigate how to design a sustainable information security policy in an organisation. Surprisingly, not much is known about how to design security policies that pay attention to unique organisational security characteristics, employees and business requirements (Siponen and Iivari, 2006). In business, an information security policy is a document that states in writing how an organisation plans to protect its information systems and technology assets, and that provides guidance, based on standards, regulations and rules, on what to do and what not to do. However, the quality, flexibility and usability of information security policies are often limited. As a result, employees do not pay attention to, understand, follow or abide by the information security policy, and they breach it.

An information security policy that is viewed as a design product and that is prescriptive lists actions that employees should follow or should not perform. The design of an information security policy does not necessarily make it possible to address all situations reasonably. However, to guide the design of the information security policy, the product and an application principle should state how it needs to be applied, and a design method should state how it needs to be crafted (Siponen and Iivari, 2006). Product design and development is a complex and lengthy process for organisations, since it involves multiple participants from several organisational departments who are required to make decisions outside their area of expertise. To address the problem, organisations often purchase ready-made information security policies from various sources such as ISO or textbooks, or adopt information security policies from government and other online sources. This leads to incomplete activities and flaws, which in turn lead to an information security policy that is difficult to follow.

A sound information security policy should protect the information and systems, as well as the individual employees and the organisation as a whole, from a wide variety of threats (Da Veiga, Martins and Eloff, 2007). It should also serve as a prominent statement to the outside world about the organisation's commitment to information security. An information security policy is often considered to be a "living document," meaning that the document is never finished but is continuously updated as technology, regulations and business requirements change. The information from systematic monitoring should serve as a critical input to the evaluation, formulation, implementation and design of the information security policy. The information security policy should be seen not only as an artifact document of the organisation for implementing best information security practices, but should also set out the details of what is acceptable or unacceptable and what is reasonable behaviour from employees, in order to ensure sound security of information.

An information security policy should be sustainable. Information security covers people and process issues as well as technology. The design of an information security policy in an organisation should be integrated into a process that involves employee usability testing and input from the various regions, regulations, industry standards and business units. An information security policy is the necessary foundation for sound organisational information security.

An information security policy should be able to enhance business operations by reducing risk, ensuring the protection of the organisation's critical information assets and decreasing information system security management costs, as well as improving information system operations while also supporting the requirements of internal and external compliance. Since many of these policies require human involvement, for example employee and customer actions, the goals can be measured and checked for whether they are met only if such human activities can be influenced and monitored, and only if positive outcomes carry incentives while negative actions are sanctioned.

The goal of this research study is to investigate how to design, create and maintain a sustainable information security policy in an organisation using experimental methods and control focus groups. An effective information security policy should be based on a usability standard that can be achieved through design techniques appropriate to implementing a sustainable information security policy.

Importance of the research problem

The successful design of an information security policy is critical in today's environment of rapid change and of challenges in addressing information security policy compliance and effectiveness in organisations. The information security policy is the foundation on which sound information security is built. As with any foundation, it must be well designed and well constructed; it can then be trusted to support the organisation's business objectives and goals effectively. It is essential that effective information security policy practices be in place in organisations to ensure the success of the information security policy. An effective information security policy requires that users understand and follow the information security mission as described in the organisation's information security policy.

Flexibility and usability are essential elements of the information security policy life cycle, particularly of the design process of information security policy formulation and implementation. An information security policy needs to be sustainable and not rigid. While the importance of the information security policy in ensuring the security of information is widely acknowledged, to date there has been little empirical analysis of its design, impact or effectiveness in this role. Designing a sustainable information security policy is critical to protecting the organisation's information systems and assets. The consequences of violating such an information security policy might be extensive and expensive.

The organisation's information security policy should be written with a clear understanding of the expected outcome and of the need to be flexible and usable. The information security policy should incorporate clear definitions and user responsibilities (Gaunt, 1998). It should also aim to influence behaviour and turn employees into participants in the organisation's efforts to secure its information assets.

An information security policy plays an important role in preventing, detecting and responding to security threats and breaches. Organisations should have security controls to protect their information. One of the most important controls, according to Hone and Eloff (2002), is the information security policy. The information security policy is likely to be ineffective if it is not well written, understood, followed and accepted by all employees.

The results of this study will help practitioners understand how an organisation can design a sustainable information security policy to achieve effective information security.

Research statement

The information security of an organisation might be left in a less effective state in situations where the information security policy is not followed by employees. Employee perception, in some instances, is that following the rules in the information security policy interferes with and gets in the way of doing their daily work and their ability to accomplish their job tasks. This is because they feel that this approach is cumbersome and a waste of time. An employee's failure to comply with the information security policy is a central concern of information security practitioners and organisations. According to Desman (2002), information security is not a technical issue but rather a human issue; hence the most significant threat to the security of information in an organisation is its employees (Gaunt, 1998).

An information security policy should be fair, reasonable, understandable, flexible and usable. If an information security policy is not flexible and usable, employees will not follow it and it will break down. According to Besnard and Arief (2004), the design of security products and information security policies should rely more on the rules of human-computer interaction. Employees, independent of their knowledge and intellect, should be able to read an organisation's information security policy and understand, follow, comply with and adhere to it.

One of the ways to implement good information security practices in an organisation is to ensure that a detailed information security policy is in place. The content of the information security policy is particularly significant, as it should be monitored for any changes after it is adopted, so as to maintain relevance and to understand whether changes in behaviour were due to the policy or to the programme. According to Gaunt (2000), user involvement in the development of an organisation's information security is necessary if it is to achieve wide acceptance.

Problem relevance

According to Hone and Eloff (2002), one of the most important information security controls in an organisation is the information security policy. However, this important document is not always easy to put together and develop. Some organisations derive their information security policy from business goals, service level agreements, industry best practices and International Organization for Standardization (ISO) standards such as ISO 27000, or copy and paste from ready-made policy templates found in or procured from textbooks or online resources.

The content of information security policies differs according to the type of organisation, for example corporations, academic institutions and government, and within departments such as information technology, human resources, legal and finance, to name a few. The degree of guidance varies from very specific references to what to do or not to do, to sanctions for not following the rules. Sanctions affect employees' actual compliance with the information security policy. According to Bia and Kalika (2007), the decision to formulate an information security policy, for example a policy of acceptable use, occurs when the organisation has experienced problems, conflict, damage or business loss because of improper use of information and communication technology.

The application of a security policy is considered essential for managing the security of information systems. Implementing a successful information security policy in an organisation, however, is not a straightforward task and depends on many factors (Karyda, Kiountouzis and Kokolakis, 2005). Sometimes employees view the information security policy as an obstacle and a barrier to progress and, in an effort to do their job more efficiently, might not follow the rules set out in the information security policy document. Despite the fact that organisations have an information security policy in place, more often than not the application of the information security policy fails to attain its goals. To ensure that an information security policy is effective, information security professionals must first understand the social elements, including cultural and generational variances, that affect employee behaviour and perceptions about the information security policy (Cisco, 2008).

According to Baskerville and Siponen (2002), strict access controls imposed during fast-growing organisational change can become an obstacle by limiting access to information, thereby endangering the organisation's survival. This problem is one of limiting organisational emergence because of limited information access, and it presents conflicting and strict requirements for security policy making. Unexpected business opportunities may require actions that conflict with the information security policy.

Some of the problems facing organisations stem from employees not following the information security policy, which reflects the social nature of human beings. According to Kabay (1994), an information security policy challenges employees to change the way they think about their own responsibility for protecting the organisation's valuable information. Trying to impose an information security policy on unwilling employees results in resistance, both because stricter information security procedures make jobs more difficult and because people do not like to be told what to do. The process of designing and developing an information security policy plays an important role in the life cycle of that policy and affects how people feel about it and whether they see its rules as a needless imposition of power or as an expression of their own values. Unfortunately, an information security policy conflicts with most people's view of reality: for example, an employee shows sensitive information to someone who does not have the appropriate level of authorisation to see it because they both work on the same project team. However, where users fail to comply with the rules, an information security policy can help deter abuse (Straub and Nance, 1990).

Although having an information security policy in an organisation is essential, it is not enough to ensure employees' compliance with it. Therefore, the aim of this paper is to understand what factors should be considered in the design of a sustainable information security policy in order to motivate employees to comply with the information security policy and to understand how important it is.

Definitions of terms

For the purposes of this paper:

  • Information security policy: by definition, an information security policy refers to a clear, understandable, comprehensive and well-defined plan, rules and practices that regulate access to an organisation's systems and the information contained in them. It is defined as the security policy in a document that states in writing how an organisation plans to protect the company's physical and information technology assets.
  • Information policy: is defined as the combination of laws, regulations, rules and guidelines that steer the creation, management and use of information and that greatly shapes the roles of information in society. Information policy includes a range of issues related to freedom of information, privacy, secrecy, security, intellectual property, and information and communication technologies, among other policy areas.
  • Information system security: is defined as the state of being free from unacceptable risk. Thus, information security focuses on reducing the risk to computing and communication systems, especially with regard to the misuse, destruction, modification or inappropriate disclosure of information, whether by intent or by accident.
  • Product design and development: in this paper refers chiefly to the design and development of a new information security policy.

Research questions and hypotheses

The main research question for this study is formulated as:

  • How can a sustainable information security policy be designed in an organisation?


  • H1: Is there a significant difference between flexibility and usability?
  • H2: Is there a significant relationship between flexibility and usability?
  • H3: If an information security policy is usable, is there still a need for sanctions?
  • H4: If an information security policy is flexible, is there still a need for rewards?


Agarwal, R. and Sambamurthy, V. (2002). Principles and models for organizing the IT function. MIS Quarterly Executive, 1(1), 1-16.

Baskerville, R. and Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, 15(5/6), 337-346.

Besnard, D. and Arief, B. (2004). Computer security impaired by legitimate users. Computers & Security, 23(3), 253-264.

Bia, M. and Kalika, M. (2007). Adopting an ICT code of conduct: An empirical study of organizational factors. Journal of Enterprise Information Management, 20(4), 432-446.

Cisco (2008). Data leakage worldwide: The effectiveness of security policies. Retrieved 29 March 2010 from http://

Da Veiga, A., Martins, N. and Eloff, J.H.P. (2007). Information security culture – validation of an assessment instrument. Southern African Business Review, 11(1), 147-166.

Desman, M.B. (2002). Building an information security awareness program. Boca Raton, FL: Auerbach Publications.

Doherty, N.F. and Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25(1), 55-63.

Eloff, J.H.P., Labuschagne, L. and Badenhorst, K.P. (1993). A comparative framework for risk analysis methods. Computers & Security, 12(6), 597-603.

Gaunt, N. (1998). Installing an appropriate IS security policy in hospitals. International Journal of Medical Informatics, 49(1), 131-134.

Gaunt, N. (2000). Practical approaches to creating a security culture. International Journal of Medical Informatics, 60(2), 151-157.

Hone, K. and Eloff, J.H.P. (2002). Information security policy – what do international security standards say? Computers & Security, 21(5), 402-409.

Kabay, M. (1994). Psychological factors in the implementation of information security policy. EDPACS: The EDP Audit, Control, and Security Newsletter, 11(10), 1-10.

Karyda, M., Kiountouzis, E. and Kokolakis, S. (2005). Information systems security policies: a contextual perspective. Computers & Security, 24(3), 246-260.

Lapke, M. and Dhillon, G. (2008). Power relationships in information systems security policy formulation and implementation. Proceedings of the 16th European Conference on Information Systems, 1358-1369.

Siponen, M. and Iivari, J. (2006). Six design theories for IS security policies and guidelines. Journal of the Association for Information Systems, 7(7), 445-472.

Straub, D.W. and Nance, W.D. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 14(1), 45-60.

Thomson, K.L., von Solms, R. and Louw, L. (2006). Cultivating an organizational information security culture. Computer Fraud & Security, 2006(10), 7-11.

Warman, A.R. (1992). Organizational computer security policy: the reality. European Journal of Information Systems, 1(5), 305-310.

Zhang, Y., Liu, X. and Wang, W. (2005). Policy lifecycle model for systems management. IT Professional, 7(2), 50-54.