Towards software for tailoring information security policies to organisations’ different target groups
Authors: Elham Rostami, Fredrik Karlsson, Ella Kolkowska, Shang Gao
Journal: Computers & Security, volume 159, Article 104687 (Journal Article)
DOI: 10.1016/j.cose.2025.104687
Publication date: 2025-09-27
URL: https://www.sciencedirect.com/science/article/pii/S0167404825003761
Citation count: 0
Abstract
Designing accessible and relevant information security policies (ISPs) that support employees is crucial for improving organisations’ information security. When employees are required to deal with cumbersome ISPs, there is a risk of reduced motivation towards information security, and employees’ not following the rules in ISPs has been reported as a persistent issue. Existing research has suggested adopting a tailored approach to ISPs in order to enhance their relevance to employees. Tailoring is difficult and time consuming and information security managers lack information security management systems software (ISMSS) that can assist with this tailoring task. In this paper, we develop a design theory for ISMSS to support information security managers in tailoring ISPs to different employees. To achieve this, we employ design science research, drawing on prior studies concerning the tailoring of systems development methods. We evaluate the design theory through an expository instantiation, POLCO, and with information security managers, demonstrating both proof-of-concept and proof-of-value.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.