The information security policy unpacked: a critical study of the content of university policies

Neil F. Doherty, Leonidas Anastasakis, Heather Fulford

Research output: Contribution to journal › Article

Abstract

Ensuring the security of corporate information, that is increasingly stored, processed and disseminated using information and communications technologies [ICTs], has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing, protecting corporate information, is through the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualisation of information security embedded in the policies. There are two important conclusions to be drawn from this study: (1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and (2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.
Language: English
Pages: 449–457
Number of pages: 9
Journal: International Journal of Information Management
Volume: 29
Issue number: 6
DOI: 10.1016/j.ijinfomgt.2009.05.003
Publication status: Published - Dec 2009

Fingerprint

university policy
security policy
Security of data
Teaching
Availability
management
Communication
integrity
communication technology
medication
information technology
university

Keywords

  • information security policies
  • security breaches
  • policy content
  • higher education sector

Cite this

@article{f13ac893428442228bc6475a9053874c,
title = "The information security policy unpacked: a critical study of the content of university policies",
abstract = "Ensuring the security of corporate information, that is increasingly stored, processed and disseminated using information and communications technologies [ICTs], has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing, protecting corporate information, is through the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualisation of information security embedded in the policies. There are two important conclusions to be drawn from this study: (1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and (2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.",
keywords = "information security policies, security breaches, policy content, higher education sector",
author = "Doherty, {Neil F.} and Leonidas Anastasakis and Heather Fulford",
year = "2009",
month = "12",
doi = "10.1016/j.ijinfomgt.2009.05.003",
language = "English",
volume = "29",
pages = "449–457",
journal = "International Journal of Information Management",
issn = "0268-4012",
publisher = "Elsevier",
number = "6",

}

The information security policy unpacked: a critical study of the content of university policies. / Doherty, Neil F.; Anastasakis, Leonidas; Fulford, Heather.

In: International Journal of Information Management, Vol. 29, No. 6, 12.2009, p. 449–457.

TY - JOUR

T1 - The information security policy unpacked

T2 - International Journal of Information Management

AU - Doherty, Neil F.

AU - Anastasakis, Leonidas

AU - Fulford, Heather

PY - 2009/12

Y1 - 2009/12

AB - Ensuring the security of corporate information, that is increasingly stored, processed and disseminated using information and communications technologies [ICTs], has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing, protecting corporate information, is through the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualisation of information security embedded in the policies. There are two important conclusions to be drawn from this study: (1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and (2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.

KW - information security policies

KW - security breaches

KW - policy content

KW - higher education sector

UR - https://www.sciencedirect.com/science/article/pii/S0268401209000735?via%3Dihub

U2 - 10.1016/j.ijinfomgt.2009.05.003

DO - 10.1016/j.ijinfomgt.2009.05.003

M3 - Article

VL - 29

SP - 449

EP - 457

JO - International Journal of Information Management

JF - International Journal of Information Management

SN - 0268-4012

IS - 6

ER -