Paper Number
2109
Paper Type
Completed
Description
Information security policies (ISPs) have a key role in organizational information security. Research has introduced processes for ISP development, including lifecycle models. There are also recommendations to include contextual issues in the ISP development to ensure that the ISP provides tailored protection to the organization’s assets. One way of ensuring this is to include organization members in the development efforts. We identified six functions for the organization member participation from the research literature. Then, we presented two case studies of organizations where the personnel was included in the ISP development process. We found that the participation of the organization members did add value to the process through these functions but that there were also some negative effects. The inclusion of organization members in ISP development can help in gathering feedback directly at the beginning of the lifecycle without the need to go through the entire cycle to identify issues.
Recommended Citation
Paananen, Hanna and Siponen, Mikko, "Organization Members Developing Information Security Policies: a Case Study" (2023). ICIS 2023 Proceedings. 14.
https://aisel.aisnet.org/icis2023/cyber_security/cyber_security/14
Organization Members Developing Information Security Policies: a Case Study
Information security policies (ISPs) have a key role in organizational information security. Research has introduced processes for ISP development, including lifecycle models. There are also recommendations to include contextual issues in the ISP development to ensure that the ISP provides tailored protection to the organization’s assets. One way of ensuring this is to include organization members in the development efforts. We identified six functions for the organization member participation from the research literature. Then, we presented two case studies of organizations where the personnel was included in the ISP development process. We found that the participation of the organization members did add value to the process through these functions but that there were also some negative effects. The inclusion of organization members in ISP development can help in gathering feedback directly at the beginning of the lifecycle without the need to go through the entire cycle to identify issues.
When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.
Comments
06-Security