The Security Policy Application Process: Action Research

  • Isabel Lopes
  • Pedro Oliveira
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 445)


It is crucial for companies to acknowledge the need for applying security policies because, without such policies, there is no reliable way to define, implement, and enforce a security plan within an organization. Small and medium-sized enterprises (SMEs) are no exception. Within the organizational universe, SMEs assume a unique relevance due to their high number, which makes information security efficiency a paramount issue. Several measures can be implemented to ensure the effective protection of information assets, among which the adoption of ISS policies stands out. A recent survey found that, of 307 SMEs, only 15 reported having an ISS policy [1]. The conclusion drawn from that study was that the adoption of ISS policies has not yet become a reality. In an attempt to mitigate this, security policies were formulated, implemented and adopted in 10 SMEs that had stated they did not have this security measure. These interventions were conceived as Action Research (AR) projects.


Keywords: Formulation, implementation and adoption of information security policies; Information security; Small and medium sized enterprises




  1. Lopes, I. and Oliveira, P.: Understanding Information Security Culture: A Survey in SMEs. Álvaro Rocha, et al. A Stroetmann. New Perspectives in Information Systems and Technologies, Volume 1. ed. Cham: Springer, 2014, v. 275, pp. 277-286 (2014)
  2. Da Veiga, A., Eloff, J. H. P.: An Information Security Governance Framework, Information Systems Management, 24:4, pp. 361-372 (2007)
  3. Kim, D., Solomon, M. G.: Fundamentals of Information Systems Security, Jones and Bartlett Publishers (2010)
  4. Tipton, H., Krause, M.: Information Security Management Handbook. Auerbach Publications (2009)
  5. de Sá-Soares, F.: A Theory of Action Interpretation of Information Systems Security, PhD Thesis, University of Minho, Guimarães (2005)
  6. Höne, K., Eloff, J.: Information security policy — what do international information security standards say?, Computers & Security 21 (5), pp. 402–409 (2012)
  7. Wood, C. C.: Writing InfoSec Policies, Computers & Security, 14 (8), pp. 667-674 (1995)
  8. Peltier, T. R.: ISS, Procedure: a practitioner’s reference, CRC Press (1999)
  9. Hartley, B., Locke, A.: The Process of Security, Business Security Advisor, pp. 22-24, USA (2001)
  10. Karyda, M., Kiountouzis, E., Kokolakis, S.: Information systems security policies: a contextual perspective, Computers & Security 24 (3), pp. 246-260 (2005)
  11. Wills, L.: Security Policies: Where to Begin, Security Essentials, 1(4b) (2002)
  12. Gaunt, N.: Installing an appropriate information security policy, International Journal of Medical Informatics 49(1), pp. 131-134 (1998)
  13. Dick, B.: A beginner’s guide to action research (2000), (Accessed 4 Dec 2014)
  14. Susman, G., Evered, R.: An Assessment of the Scientific Merits of Action Research, Administrative Science Quarterly, 23(4), pp. 582-603 (1978)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Centro ALGORITMI, Universidade do Minho, Braga, Portugal
  2. School of Technology and Management, Polytechnic Institute of Bragança, Bragança, Portugal
