Do Information Security Policies Reduce the Incidence of Security Breaches

2005 ◽  
Vol 18 (4) ◽  
pp. 21-39 ◽  
Author(s):  
Neil F. Doherty ◽  
Heather Fulford


2011 ◽  
pp. 1713-1719 ◽  
Author(s):  
Amy Ray ◽  
Sue Newell

The volume and severity of information security breaches encountered continues to increase as organizations, including healthcare organizations, struggle to identify more effective security policies and procedures. Publicly available guidelines such as GASSP or ISO17799 that are designed to facilitate development of effective security policies and procedures have been criticized for, among other things, inadequate attention to differences in organizational security needs (Baskerville & Siponen, 2002), and for inadequate attention to the social dimensions of security problems (Dhillon & Backhouse, 2001). In this contribution, we argue that the diversity of organizational security needs, as well as the need to recognize the social dimensions to security problems, will continue to grow as companies move away from employing unique, proprietary approaches to software and network development, in favor of adopting standards-based plug-and-play applications, and related standards-based methods and technologies designed to enable interorganizational as well as local systems interoperability.


Author(s):  
Neil F. Doherty ◽  
Heather Fulford

Ensuring the security of corporate information assets has become an extremely complex, challenging and high-priority activity, due partly to their growing organizational importance, but also because of their increasing vulnerability to attacks from viruses, hackers, criminals, and human error. Consequently, organizations are having to prioritise the security of their computer systems, to ensure that their information assets retain their accuracy, confidentiality, and availability. Whilst the importance of the information security policy (InSPy) in ensuring the security of information is widely acknowledged, there has, to date, been little empirical analysis of its impact or effectiveness in this role. To help fill this gap an exploratory study was initiated that sought to investigate the relationship between the uptake and application of information security policies and the accompanying levels of security breaches. To this end a questionnaire was designed, validated, and then targeted at IT managers within large organisations in the United Kingdom. The findings, presented in this chapter, are somewhat surprising, as they show no statistically significant relationships between the adoption of information security policies and the incidence or severity of security breaches. The chapter concludes by exploring the possible interpretations of this unexpected finding, and its implications for the practice of information security management.


Author(s):  
Neil F. Doherty ◽  
Heather Fulford

While the importance of the information security policy (ISP) is widely acknowledged in the academic literature, there has, to date, been little empirical analysis of its impact. To help fill this gap a study was initiated that sought to explore the relationship between the uptake, scope and dissemination of information security policies and the accompanying levels of security breaches. To this end, a questionnaire was designed, validated and then targeted at IT managers within large organisations in the United Kingdom. The aim of this chapter is to provide a progress report on this study by describing the objectives of the research and the design of the conceptual framework.


Author(s):  
Neil F. Doherty

Information is a critical corporate asset that has become increasingly vulnerable to attacks from viruses, hackers, criminals, and human error. Consequently, organizations are having to prioritize the security of their computer systems in order to ensure that their information assets retain their accuracy, confidentiality, and availability. While the importance of the information security policy (InSPy) in ensuring the security of information is acknowledged widely, to date there has been little empirical analysis of its impact or effectiveness in this role. To help fill this gap, an exploratory study was initiated that sought to investigate the relationship between the uptake and application of information security policies and the accompanying levels of security breaches. To this end, a questionnaire was designed, validated, and then targeted at IT managers within large organizations in the UK. The findings presented in this chapter are somewhat surprising, as they show no statistically significant relationships between the adoption of information security policies and the incidence or severity of security breaches. The chapter concludes by exploring the possible interpretations of this unexpected finding and its implications for the practice of information security management.


Author(s):  
Neil F. Doherty ◽  
Heather Fulford

Information is a critical corporate asset that has become increasingly vulnerable to attacks from viruses, hackers, criminals, and human error. Consequently, organizations are having to prioritize the security of their computer systems in order to ensure that their information assets retain their accuracy, confidentiality, and availability. While the importance of the information security policy (InSPy) in ensuring the security of information is acknowledged widely, to date there has been little empirical analysis of its impact or effectiveness in this role. To help fill this gap, an exploratory study was initiated that sought to investigate the relationship between the uptake and application of information security policies and the accompanying levels of security breaches. To this end, a questionnaire was designed, validated, and then targeted at IT managers within large organizations in the UK. The findings presented in this paper are somewhat surprising, as they show no statistically significant relationships between the adoption of information security policies and the incidence or severity of security breaches. The paper concludes by exploring the possible interpretations of this unexpected finding and its implications for the practice of information security management.


2021 ◽  
Vol 27 (4) ◽  
pp. 55-72
Author(s):  
T. Beydina ◽  
A. Kukharsky

The article is relevant because it provides an assessment of the information security of universities. Ensuring the security of corporate information, which is increasingly stored, processed and disseminated using information and communication technologies (ICT), is a particularly important problem for knowledge-intensive organizations such as universities, since the effective conduct of their core educational and research activities increasingly depends on the availability, integrity and accuracy of computer-based information resources. One of the more important mechanisms for reducing the number of security breaches, and thus protecting corporate information, is the development and implementation of a formal information security policy (ISP). Although much has now been written about the importance and role of information security policies and about approaches to formulating them, there is relatively little empirical material on the structure or content of security policies. The purpose of the article is to fill this gap in the literature by examining the structure and content of authentic information security policies. Having established the parameters and key features of university policies, the article critically examines the concept of information security embedded in them. Two important conclusions can be drawn from this study: 1) the wide variety of disparate policies and standards in use raises the question of whether there can be a consistent approach to security management; and 2) the range of specific issues explicitly covered by university policies is surprisingly narrow and reflects a highly technocentric view of information security management. This article is one of the first to objectively, rigorously and independently assess the content of authentic information security policies and information security documentation frameworks in a well-organized organizational environment.
The article notes that there are four different levels of information security policy: “system security policy, product security policy, community security policy, and corporate information security policy.” All of these policies address: personal use of information systems, information disclosure, physical security, breaches and hacks, viruses, system access control, mobile computing, internet access, software development, encryption and contingency planning.


2008 ◽  
pp. 2727-2744
Author(s):  
Neil F. Doherty ◽  
Heather Fulford

While the importance of the information security policy (ISP) is widely acknowledged in the academic literature, there has, to date, been little empirical analysis of its impact. To help fill this gap a study was initiated that sought to explore the relationship between the uptake, scope and dissemination of information security policies and the accompanying levels of security breaches. To this end, a questionnaire was designed, validated and then targeted at IT managers within large organisations in the United Kingdom. The aim of this chapter is to provide a progress report on this study by describing the objectives of the research and the design of the conceptual framework.


Author(s):  
Russell Cameron Thomas ◽  
Marcin Antkiewicz ◽  
Patrick Florer ◽  
Suzanne Widup ◽  
Matthew Woodyard

Author(s):  
Joseph K. Tanimura ◽  
Eric W. Wehrly

According to many business publications, firms that experience information security breaches suffer substantial reputational penalties. This paper examines incidents in which confidential information, for a firm's customers or employees, is stolen from or lost by publicly traded companies. Firms that experience such breaches suffer statistically significant losses in the market value of their equity. On the whole, the data indicate that these losses are of similar magnitudes to the direct costs. Thus, direct costs, and not reputational penalties, are the primary deterrents to information security breaches. Contrary to many published assertions, on average, firms that lose customer information do not suffer reputational penalties. However, when firms lose employee information, we find significant reputational penalties.
