A framework for reporting and dealing with end-user security policy compliance. (11th March 2019)
- Record Type:
- Journal Article
- Title:
- A framework for reporting and dealing with end-user security policy compliance. (11th March 2019)
- Main Title:
- A framework for reporting and dealing with end-user security policy compliance
- Authors:
- Alotaibi, Mutlaq Jalimid
Furnell, Steven
Clarke, Nathan - Abstract:
- Abstract : Purpose: It is widely acknowledged that non-compliance of employees with information security polices is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users' behaviour with an information security policy. Design/methodology/approach: The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour. Findings: A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academic and industry. They considered the proposed model to offers a novel approach for managing end users' behaviour with the information security policies. Research limitations/implications: Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the bestAbstract : Purpose: It is widely acknowledged that non-compliance of employees with information security polices is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users' behaviour with an information security policy. Design/methodology/approach: The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour. Findings: A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academic and industry. They considered the proposed model to offers a novel approach for managing end users' behaviour with the information security policies. Research limitations/implications: Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the best solutions. Originality/value: Users being compliant with the information security policies of their organisation is the key to strengthen information security. Therefore, when employees have a good level of compliance with security policies, this positively affects the overall security of an organisation. … (more)
- Is Part Of:
- Information and computer security. Volume 27:Number 1(2019)
- Journal:
- Information and computer security
- Issue:
- Volume 27:Number 1(2019)
- Issue Display:
- Volume 27, Issue 1 (2019)
- Year:
- 2019
- Volume:
- 27
- Issue:
- 1
- Issue Sort Value:
- 2019-0027-0001-0000
- Page Start:
- 2
- Page End:
- 25
- Publication Date:
- 2019-03-11
- Subjects:
- Information security management -- Human factors -- User behaviour -- Compliance management -- Information security policy
Computer security -- Management -- Periodicals
Computer networks -- Security measures -- Periodicals
Data protection -- Management -- Periodicals
658.47 - Journal URLs:
- http://www.emeraldinsight.com/loi/ics ↗
http://www.emeraldinsight.com/ ↗ - DOI:
- 10.1108/ICS-12-2017-0097 ↗
- Languages:
- English
- ISSNs:
- 2056-4961
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 4481.796000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store - Ingest File:
- 22145.xml