-
Steps Towards Satisficing Distributed Dynamic Team Trust
Authors:
Edmund R. Hunt,
Chris Baber,
Mehdi Sobhani,
Sanja Milivojevic,
Sagir Yusuf,
Mirco Musolesi,
Patrick Waterson,
Sally Maynard
Abstract:
Defining and measuring trust in dynamic, multiagent teams is important in a range of contexts, particularly in defense and security domains. Team members should be trusted to work towards agreed goals and in accordance with shared values. In this paper, our concern is with the definition of goals and values such that it is possible to define 'trust' in a way that is interpretable, and hence usable, by both humans and robots. We argue that the outcome of team activity can be considered in terms of 'goal', 'individual/team values', and 'legal principles'. We question whether alignment is possible at the level of 'individual/team values', or only at the 'goal' and 'legal principles' levels. We argue for a set of metrics to define trust in human-robot teams that are interpretable by human or robot team members, and consider an experiment that could demonstrate the notion of 'satisficing trust' over the course of a simulated mission.
Submitted 4 November, 2023; v1 submitted 11 September, 2023;
originally announced September 2023.
-
Addressing Knowledge Leakage Risk caused by the use of mobile devices in Australian Organizations
Authors:
Carlos Andres Agudelo Serna,
Rachelle Bosua,
Sean B. Maynard,
Atif Ahmad
Abstract:
Information and knowledge leakage has become a significant security risk to Australian organizations. Each security incident in an Australian business costs an average of US$2.8 million. Furthermore, Australian organisations spend the second most worldwide (US$1.2 million each on average) on investigating and assessing information breaches. The leakage of sensitive organizational information occurs through different avenues, such as social media, cloud computing and mobile devices. In this study, we (1) analyze the knowledge leakage risk (KLR) caused by the use of mobile devices in knowledge-intensive Australian organizations, (2) present a conceptual research model, grounded in the literature, to explain the determinants that influence KLR through the use of mobile devices, (3) conduct interviews with security and knowledge managers to understand what strategies they use to mitigate KLR caused by the use of mobile devices and (4) use content analysis and the conceptual model to frame the preliminary findings from the interviews. Keywords: Knowledge leakage, mobile devices, mobile contexts, knowledge leakage risk
Submitted 21 August, 2023;
originally announced August 2023.
-
Towards a knowledge leakage Mitigation framework for mobile Devices in knowledge-intensive Organizations
Authors:
Carlos Andres Agudelo Serna,
Rachelle Bosua,
Atif Ahmad,
Sean B. Maynard
Abstract:
The use of mobile devices in knowledge-intensive organizations, while effective and cost-efficient, also poses a challenging management problem. Often employees, whether deliberately or inadvertently, are the cause of knowledge leakage in organizations, and the use of mobile devices further exacerbates it. This problem is the result of overly focusing on technical controls while neglecting human factors. Knowledge leakage is a multidimensional problem, and in this paper, we highlight the different dimensions that constitute it. In this study, our contributions are threefold. First, we study knowledge leakage risk (KLR) within the context of mobile devices in knowledge-intensive organizations in Australia. Second, we present a conceptual framework, grounded in the literature, to explain and categorize the mitigation strategies to combat KLR through the use of mobile devices. And third, we apply the framework to the findings from interviews with security and knowledge managers. Keywords: Knowledge Leakage, Knowledge Risk, Knowledge intensive, Mobile device.
Submitted 21 August, 2023;
originally announced August 2023.
-
Spin vectors in the Koronis family: IV. Completing the sample of its largest members after 35 years of study
Authors:
Stephen M. Slivan,
Matthew Hosek Jr.,
Max Kurzner,
Alyssa Sokol,
Sarah Maynard,
Anna V. Payne,
Arden Radford,
Alessondra Springmann,
Richard P. Binzel,
Francis P. Wilkin,
Emily A. Mailhot,
Alan H. Midkiff,
April Russell,
Robert D. Stephens,
Vincent Gardiner,
Daniel E. Reichart,
Joshua Haislip,
Aaron LaCluyze,
Raoul Behrend,
René Roy
Abstract:
An observational study of Koronis family members' spin properties was undertaken with two primary objectives: to reduce selection biases for object rotation period and lightcurve amplitude in the sample of members' known spin vectors, and to better constrain future modeling of spin properties evolution. Here we report rotation lightcurves of nineteen Koronis family members, and derived results that increase the sample of determined spin vectors in the Koronis family to include 34 of the largest 36 family members, completing it to $H \approx 11.3$ ($D \sim 16$ km) for the largest 32 members. The program observations were made during a total of 72 apparitions between 2005-2021, and are reported here along with several earlier unpublished lightcurves. All of the reported data were analyzed together with previously published lightcurves to determine the objects' sidereal rotation periods, spin vector orientations, and convex model shape solutions. The derived distributions of retrograde rotation rates and pole obliquities appear to be qualitatively consistent with outcomes of modification by thermal YORP torques. The distribution of spin rates for the prograde rotators remains narrower than that for the retrograde rotators; in particular, the absence of prograde rotators having periods longer than about 20 h is real, while among the retrograde rotators are several objects having longer periods up to about 65 h. None of the prograde objects newly added to the sample appear to be trapped in an $s_6$ spin-orbit resonance that is characteristic of most of the largest prograde objects; these smaller objects either could have been trapped previously and have already evolved out, or have experienced spin evolution tracks that did not include the resonance.
Submitted 23 December, 2022;
originally announced December 2022.
-
Information Security Management in High Quality IS Journals: A Review and Research Agenda
Authors:
Sean Maynard,
Atif Ahmad
Abstract:
In the digital age, the protection of information resources is critical to the viability of organizations. Information Security Management (ISM) is a protective function that preserves the confidentiality, integrity and availability of information resources in organizations operating in a complex and evolving security threat landscape. This paper analyses ISM research themes, methods, and theories in high quality IS journals over a period of 30 years (up to the end of 2017). Although our review found less than 1 percent of papers to be in the area of ISM, there has been a dramatic increase in the number of ISM publications as well as new emerging themes in the past decade. Further, past trends towards subjective-argumentative papers have reversed in favour of empirically validated research. Our analysis of research methods and approaches found ISM studies to be dominated by one-time surveys rather than case studies and action research. The findings suggest that although ISM research has improved its empirical backing over the years, it remains relatively disengaged from organisational practice.
Submitted 27 August, 2022;
originally announced August 2022.
-
Factors Influencing the Organizational Decision to Outsource IT Security: A Review and Research Agenda
Authors:
Antra Arshad,
Atif Ahmad,
Sean Maynard
Abstract:
IT security outsourcing is the process of contracting a third-party security service provider to perform the full or partial IT security functions of an organization. Little is known about the factors influencing organizational decisions in outsourcing such a critical function. Our review of the research and practice literature identified several managerial factors and legal factors. We found research in IT security outsourcing to be immature and the focus areas not addressing the critical issues facing industry practice. We therefore present a research agenda consisting of fifteen questions to address five key gaps relating to knowledge of IT security outsourcing, specifically effectiveness of the outcome, lived experience of the practice, the temporal dimension, multi-stakeholder perspectives, and the impact on IT security practices, particularly agility in incident response.
Submitted 26 August, 2022;
originally announced August 2022.
-
Leveraging Data and Analytics for Digital Business Transformation through DataOps: An Information Processing Perspective
Authors:
Jia Xu,
Humza Naseer,
Sean Maynard,
Justin Fillipou
Abstract:
Digital business transformation has become increasingly important for organizations. Since transforming business digitally is an ongoing process, it requires an integrated and disciplined approach. Data Operations (DataOps), emerging in practice, can provide organizations with such an approach to leverage data and analytics for digital business transformation. This paper proposes a framework that integrates digital business transformation, data analytics, and DataOps through the lens of information processing theory (IPT). The details of this framework explain how organizations can employ DataOps as an integrated and disciplined approach to understand their analytical information needs and develop the analytical information processing capability required for digital business transformation. DataOps-enabled digital business transformation, in turn, improves organizational performance by improving operational efficiency and creating new business models. This research extends current knowledge on digital transformation by bringing in DataOps and analytics through IPT and thereby provides organizations with a novel approach for their digital business transformations.
Submitted 24 January, 2022;
originally announced January 2022.
-
Cybersecurity Incident Response in Organisations: A Meta-level Framework for Scenario-based Training
Authors:
Ashley O'Neill,
Atif Ahmad,
Sean Maynard
Abstract:
Cybersecurity incident response teams mitigate the impact of adverse cyber-related events in organisations. Field studies of IR teams suggest that at present the process of IR is under-developed with a focus on the technological dimension with little consideration of practice capability. To address this gap, we develop a scenario-based training approach to assist organisations to overcome socio-technical barriers to incident response. The training approach is informed by a comprehensive list of socio-technical barriers compiled from a comprehensive review of the literature. Our primary contribution is a novel meta-level framework to generate scenarios specifically targeting socio-technical issues. To demonstrate the utility of the framework, a proof-of-concept scenario is presented.
Submitted 10 August, 2021;
originally announced August 2021.
-
Sensemaking in Cybersecurity Incident Response: The Interplay of Organizations, Technology and Individuals
Authors:
Ritu Lakshmi,
Humza Naseer,
Sean Maynard,
Atif Ahmad
Abstract:
Sensemaking is a critical activity in organizations. It is a process through which individuals ascribe meanings to events which forms the basis to facilitate collective action. However, the role of organizations, technology and individuals and their interaction in the process of sensemaking has not been sufficiently explored. This novel study seeks to address this gap by proposing a framework that explains how the interplay among organizations, technology and individuals enables sensemaking in the process of cybersecurity incident response. We propose that Organizations, Technology, and Individuals are the key components that interact in various ways to facilitate enactment, selection and retention activities (Sensemaking activities) in Incident Response. We argue that sensemaking in Incident Response is the outcome of this interaction. This interaction allows organizations to respond to cybersecurity incidents in a comprehensive manner.
Submitted 6 July, 2021;
originally announced July 2021.
-
Enhancing Strategic Information Security Management in Organizations through Information Warfare Practices
Authors:
Abid Hussain Shah,
Atif Ahmad,
Sean B. Maynard,
Humza Naseer
Abstract:
In this short paper we argue that to combat APTs, organizations need a strategic level shift away from a traditional prevention-centered approach to that of a response-centered one. Drawing on the information warfare (IW) paradigm in military studies, and using Dynamic Capability Theory (DCT), this research examines the applicability of IW capabilities in the corporate domain. We propose a research framework to argue that conventional prevention-centred response capabilities, such as incident response capabilities, and IW-centred security capabilities can be integrated into IW-enabled dynamic response capabilities that improve enterprise security performance.
Submitted 14 April, 2021;
originally announced April 2021.
-
Dynamic Information Security Management Capability: Strategising for Organisational Performance
Authors:
Mazino Onibere,
Atif Ahmad,
Sean B Maynard
Abstract:
The increasing frequency, impact, consequence and sophistication of cybersecurity attacks is becoming a strategic concern for boards and executive management of organisations. Consequently, in addition to focusing on productivity and performance, organisations are prioritizing Information Security Management (ISM). However, research has revealed little or no conceptualisation of a dynamic ISM capability and its link to organisational performance. In this research, we set out to 1) define and describe an organisational level dynamic ISM capability, 2) develop a strategic model that links resources with this dynamic capability, and then 3) empirically demonstrate how dynamic ISM capability contributes to firm performance. By drawing on Resource-Based Theory (RBT) and Dynamic Capabilities View (DCV), we have developed the Dynamic ISM Capability model to address the identified gap. As we develop this research, we will empirically test this model to demonstrate causality between ISM capability and organisational performance.
Submitted 14 April, 2021;
originally announced April 2021.
-
Exploring Knowledge Leakage Risk in Knowledge-Intensive Organisations: Behavioural aspects and Key controls
Authors:
Hibah Altukruni,
Sean B. Maynard,
Moneer Alshaikh,
Atif Ahmad
Abstract:
Knowledge leakage poses a critical risk to the competitive advantage of knowledge-intensive organisations. Although knowledge leakage is a human-centric security issue, little is known about leakage resulting from individual behaviour and the protective strategies and controls that could be effective in mitigating leakage risk. Therefore, this research explores the perspectives of security practitioners on the key factors that influence knowledge leakage risk in the context of knowledge-intensive organisations. We conduct two focus groups to explore these perspectives. The research highlights three types of behavioural controls that mitigate the risk of knowledge leakage: human resource management practices, knowledge security training and awareness practices, and compartmentalisation practices.
Submitted 14 April, 2021;
originally announced April 2021.
-
The Dark Web Phenomenon: A Review and Research Agenda
Authors:
Abhineet Gupta,
Sean B Maynard,
Atif Ahmad
Abstract:
The internet can be broadly divided into three parts: surface, deep and dark. The dark web has become notorious in the media for being a hidden part of the web where all manner of illegal activities take place. This review investigates how the dark web is being utilised with an emphasis on cybercrime, and how law enforcement plays the role of its adversary. The review describes these hidden spaces, sheds light on their history, the activities that they harbour including cybercrime, the nature of attention they receive, and methodologies employed by law enforcement in an attempt to defeat their purpose. More importantly, it is argued that these spaces should be considered a phenomenon and not an isolated occurrence to be taken as merely a natural consequence of technology. This paper contributes to the area of dark web research by serving as a reference document and by proposing a research agenda.
Submitted 14 April, 2021;
originally announced April 2021.
-
Teaching Information Security Management in Postgraduate Tertiary Education: The Case of Horizon Automotive Industries
Authors:
Atif Ahmad,
Sean B. Maynard,
Sameen Motahhir
Abstract:
Teaching cases based on stories about real organizations are a powerful means of storytelling. These cases closely parallel real-world situations and can deliver on pedagogical objectives as writers can use their creative license to craft a storyline that better focuses on the specific principles, concepts, and challenges they want to address in their teaching. The method instigates critical discussion, draws out relevant experiences from students, encourages questioning of accepted practices, and creates dialogue between theory and practice. We present Horizon, a case study of a firm that suffers a catastrophic incident of Intellectual Property (IP) theft. The case study was developed to teach information security management (ISM) principles in key areas such as strategy, risk, policy and training to postgraduate Information Systems and Information Technology students at the University of Melbourne, Australia.
Submitted 27 March, 2021;
originally announced March 2021.
-
Teaching Information Security Management Using an Incident of Intellectual Property Leakage
Authors:
Atif Ahmad,
Sean B. Maynard,
Sameen Motahhir,
Moneer Alshaikh
Abstract:
Case-based learning is a powerful pedagogical method of creating dialogue between theory and practice. CBL is particularly suited to executive learning as it instigates critical discussion and draws out relevant experiences. In this paper we used a real-world case to teach Information Security Management to students in Management Information Systems. The real-world case is described in a legal indictment, T-mobile USA Inc v Huawei Device USA Inc. and Huawei Technologies Co. LTD, alleging theft of intellectual property and breaches of contract concerning confidentiality and disclosure of sensitive information. The incident scenario is interesting as it relates to a business asset that has both digital and physical components that has been compromised through an unconventional cyber-physical attack facilitated by insiders. The scenario sparked an interesting debate among students about the scope and definition of security incidents, the role and structure of the security unit, the utility of compliance-based approaches to security, and the inadequate use of threat intelligence in modern security strategies.
Submitted 27 March, 2021;
originally announced March 2021.
-
Information Security Strategy in Organisations: Review, Discussion and Future Research Directions
Authors:
Craig A. Horne,
Atif Ahmad,
Sean B. Maynard
Abstract:
Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.
Submitted 10 June, 2016;
originally announced June 2016.
-
Business Intelligence and Supply Chain Agility
Authors:
Mohammad Moniruzzaman,
Sherah Kurnia,
Alison Parkes,
Sean B. Maynard
Abstract:
Supply Chain Agility is important for organisations to stay competitive in today's dynamic business environment. There is increasing interest in deploying Business Intelligence (BI) in the Supply Chain Management (SCM) context to improve Supply Chain (SC) Agility. However, there is limited research exploring BI contributions to SC Agility. In this research-in-progress paper we propose a model based on a conceptual analysis of the literature showing how BI can help organisations achieve SC Agility by supporting the key areas of SCM (Plan, Source, Make, Deliver and Return). In the next stage of this project, we will conduct a series of case studies investigating how organisations use BI when managing their SC activities and how BI contributes to SC Agility. The result of the study will help organizations deploy BI effectively to support SCM and improve SC Agility.
Submitted 10 June, 2016;
originally announced June 2016.
-
Understanding Knowledge Leakage & BYOD (Bring Your Own Device): A Mobile Worker Perspective
Authors:
Carlos Andres Agudelo,
Rachelle Bosua,
Atif Ahmad,
Sean B. Maynard
Abstract:
Knowledge sharing drives innovation and the opportunity to develop a sustainable competitive advantage. However, in the extant knowledge management and information security literature, leakage from sharing activities is neglected. The risk of knowledge leakage is exacerbated with the pervasive use of mobile devices and the adoption of BYOD (Bring Your Own Device). Thus, this research-in-progress paper examines the role of the behavior of mobile workers that engage in accidental knowledge leakage through the use of BYOD. We use the Decomposed Theory of Planned Behavior (DTPB) to explain the causes behind this phenomenon and how it negatively impacts an organization's competitive advantage. The contributions of this study are the following. First, it posits that the reasons for knowledge leakage by mobile workers through BYOD can be explained using DTPB. Second, the paper proposes a conceptual model for research based on DTPB constructs whilst adding other variables such as BYOD and mobile device usage context. Finally, the conceptual study outlines the potential contributions and implications of this research.
Submitted 4 June, 2016;
originally announced June 2016.
-
Evaluating the Utility of Research Articles for Teaching Information Security Management
Authors:
Harry Zurita,
Sean B. Maynard,
Atif Ahmad
Abstract:
Research articles can support teaching by introducing the latest expert thinking on relevant topics and trends and describing practical real-world case studies to encourage discussion and analysis. However, from the point of view of the instructor, a common challenge is identifying the most suitable papers for classroom teaching amongst a very large pool of potential candidates that are not typically written for teaching purposes. Further, even in practice-oriented disciplines such as Information Security Management (ISM), high-quality journals emphasise theoretical contribution and research method rather than relevance to practice. Our review of the relevant literature did not find a comprehensive set of criteria to assist instructors in evaluating the suitability of research articles to teaching. Therefore, this research-in-progress paper presents a framework to support academics in the process of evaluating the suitability of research articles for their teaching programs.
Submitted 4 June, 2016;
originally announced June 2016.
-
Information Security Policy: A Management Practice Perspective
Authors:
Moneer Alshaikh,
Sean B. Maynard,
Atif Ahmad,
Shanton Chang
Abstract:
Considerable research effort has been devoted to the study of Policy in the domain of Information Security Management (ISM). However, our review of ISM literature identified four key deficiencies that reduce the utility of the guidance to organisations implementing policy management practices. This paper provides a comprehensive overview of the management practices of information security policy and develops a practice-based model that addresses the four aforementioned deficiencies. The model provides comprehensive guidance to practitioners on the activities security managers must undertake for security policy development and allows practitioners to benchmark their current practice against the model's suggested best practice. The model contributes to theory by mapping existing information security policy research in terms of the defined management practices.
Submitted 27 May, 2016;
originally announced June 2016.