Abstract
Security management is now acknowledged as a key constituent of Information Systems (IS) management. IS security management traditionally relies on the formation and application of security policies. Most of the research in this field addresses issues regarding the structure and content of security policies, whereas the context within which security policies are conceived and developed remains rather unexplored. However, security policies that are formed without taking into account the specific social and organisational environment within which they will be applied often prove to be inapplicable or ineffective. In this paper we explore the issues pertaining to the formation of security policies from the perspective of contextualism. Within the framework of contextualism, we study the context, content and process of IS security policy development. This paper aims to contribute to IS security research by bringing forth the issue of context-dependent formation of security policies. In addition, it provides a contextual framework, which we expect to improve the effectiveness of IS security policy development.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35691-4_52
© 2003 IFIP International Federation for Information Processing
Cite this paper
Karyda, M., Kokolakis, S., Kiountouzis, E. (2003). Content, Context, Process Analysis of IS Security Policy Formation. In: Gritzalis, D., De Capitani di Vimercati, S., Samarati, P., Katsikas, S. (eds) Security and Privacy in the Age of Uncertainty. SEC 2003. IFIP — The International Federation for Information Processing, vol 122. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35691-4_13
DOI: https://doi.org/10.1007/978-0-387-35691-4_13
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6489-5
Online ISBN: 978-0-387-35691-4