Abstract
Information security research has a bias towards formal and small-scale policies. This research tradition, albeit important, has neglected non-formal and non-computer-oriented security policies. Moreover, the current classifications of security policies do not fully address the issues that security policies raise within information systems. Firstly, a new two-category classification of security policies is presented. Secondly, and as the main contribution of this paper, five approaches to the construction of end-user guidelines are put forth, together with the strengths and weaknesses of each approach.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35515-3_53
Copyright information
© 2000 IFIP International Federation for Information Processing
About this paper
Cite this paper
Siponen, M.T. (2000). Policies for Construction of Information Systems’ Security Guidelines. In: Qing, S., Eloff, J.H.P. (eds) Information Security for Global Information Infrastructures. SEC 2000. IFIP — The International Federation for Information Processing, vol 47. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35515-3_12
DOI: https://doi.org/10.1007/978-0-387-35515-3_12
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5479-7
Online ISBN: 978-0-387-35515-3
eBook Packages: Springer Book Archive