
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/304494363

Information security policy development and implementation: The what, how and who
Article in Computers & Security · June 2016
DOI: 10.1016/j.cose.2016.06.002
Authors: Stephen Flowerday (Rhodes University), Tite Tuyikeze (Fort Hare University)

All content following this page was uploaded by Stephen Flowerday on 29 February 2020.


computers & security 61 (2016) 169–183
Available online at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/cose

Information security policy development and implementation: The what, how and who

Stephen V. Flowerday *, Tite Tuyikeze

Department of Information Systems, University of Fort Hare, 50 Church Street, East London, 5241, South Africa

ARTICLE INFO

Article history:
Received 8 May 2015
Received in revised form 15 April 2016
Accepted 7 June 2016
Available online 20 June 2016

Keywords: Security policy development; Security policy implementation; Security policy life cycle; Security policy management; Risk assessment

ABSTRACT

The development of an information security policy involves more than mere policy formulation and implementation. Unless organisations explicitly recognise the various steps required in the development of a security policy, they run the risk of developing a policy that is poorly thought out, incomplete, redundant and irrelevant, and which will not be fully supported by the users. This paper argues that an information security policy has an entire life cycle through which it must pass during its useful lifetime. A formal content analysis of information security policy development methods was conducted using secondary sources. Based on the results of the content analysis, a conceptual framework was subsequently developed. The proposed framework outlines the various constructs required in the development and implementation of an effective information security policy. In the course of this study, a survey of 310 security professionals was conducted in order to validate and refine the concepts contained in the key component of the framework: the ISPDLC.

© 2016 Elsevier Ltd. All rights reserved.

1. Introduction

Organisations today are more dependent than ever on Information Technology (IT) as IT supports their day-to-day transactions as well as numerous other critical business functions. According to Doughty and Grieco (2005), “IT should be seen as a way for increasing the accessibility, speed and comprehensiveness of information that supports the decision-making processes within the organisation”. However, the dependency on IT has unfortunately resulted in an increase in potential threats to organisations’ information assets.

A 2014 cybercrime survey in the United States of America found that more damage was caused by insider attacks than by outsider attacks, with insider involvement comprising the highest percentage of damage in the following incidents: private or sensitive information unintentionally exposed (82%); confidential records compromised or stolen (76%); customer records compromised or stolen (71%); and employee records compromised or stolen (63%) (CERT Insider Threat Center, 2014). Based on the findings of this survey, it is evident that organisations must have security controls in place to ensure the confidentiality, integrity and availability of their information.

This paper posits that one important mechanism for protecting organisations’ information assets is the formulation and implementation of an effective information security policy. The main contribution made by this paper is the proposal of a key component, component 1 in the framework, termed the “Information Security Policy Development Life Cycle” (ISPDLC – Fig. 2). This framework indicates the various constructs that information security practitioners need to consider in the development and implementation of an effective information security policy.

The remainder of this paper is structured as follows: the background to an information security policy is discussed in Section 2, Section 3 describes the research methodology, and Section 4 covers the constructs of the proposed component (ISPDLC). The relationship between the constructs of the ISPDLC is highlighted in Section 5, while Section 6 highlights the stakeholders that are involved in the development and implementation of the information security policy. Finally, Sections 7 and 8 discuss the findings and offer a conclusion.

* Corresponding author.
E-mail addresses: [email protected] (S.V. Flowerday), [email protected] (T. Tuyikeze).
http://dx.doi.org/10.1016/j.cose.2016.06.002
0167-4048/© 2016 Elsevier Ltd. All rights reserved.

2. Information security policy

The literature contains many definitions for an information security policy. Chen and Li (2014) state that an information security policy is used by management to differentiate between employee behaviours that are either permitted or prohibited, as well as the consequent sanctions if the forbidden behaviours take place. On the other hand, ISO/IEC 27002 (2013) states that the objective of an information security policy is to provide management with direction and support in accordance with business requirements and regulations when dealing with information security. As highlighted in these two definitions, it is clear that an information security policy contributes significantly to the well-being of an organisation when protecting its information. However, the processes involved in developing and implementing an effective information security policy are difficult at best.

The existing literature concentrates on describing the structure and content of a security policy, but fails, in general, to describe in detail the processes for developing the policy. Consequently, there is little guidance for the people involved in information security policy development with regard to the processes they should follow.

In view of this lack of guidance, the developers of such policies often use those developed by other organisations, commercially available sources, or templates available from public sources such as the Internet. However, the document that results from such methods will not provide proper direction for information security within the context of the organisation that it is supposed to protect. In such cases, the policy statements developed may not be directly applicable to the risks they are designed to nullify, and thus they will not combat the security threats that the specific organisation is facing. McKenna (2010) states that “Unfortunately, many IT security people do not understand business risks, so they end up writing these huge security policies that are all about protecting everything”.

The process of developing and implementing an effective information security policy is not straightforward, but is driven by multiple issues such as regulatory requirements, the complexities of new technologies, and external and internal threats. The existing literature highlights certain information security policy development and implementation methods (Anand, 2012; Bayuk, 2009), but these methods do not include a comprehensive, integrated method that details step-by-step processes. Accordingly, this paper aims to find a solution to the problem of the Information Security Policy Development Life Cycle (ISPDLC) in order to address the challenges that have been highlighted in this section. The next section discusses the research methodology that was used to achieve the objective of this paper.

3. Research methodology

This study used a mixed method approach, combining both qualitative and quantitative methods during the data collection and data analysis processes. Firstly, the study adopted a qualitative approach during the formal content analysis of existing theories on and methods for developing an information security policy. The interpretation of the results of the content analysis subsequently resulted in the development of a conceptual framework. Secondly, quantitative data was collected using a survey in order to validate the constructs contained in the ISPDLC (component 1 of Fig. 2) with the objective of generalising the findings.

3.1. Secondary data collection: the content analysis

A content analysis of security policy development was conducted using secondary sources in the literature in order to obtain a thorough understanding of the processes necessary to formulate and implement the policy.

A total of 21 documents were chosen for the sample in this study, as shown in Appendix A. These documents constitute cited and prevalent published items on the topic on Google Scholar; the sample comprised journal articles, conference proceedings and industry publications. These 21 sampled documents were subsequently imported into the MAXQDA software package. MAXQDA is a software program that has been designed for computer-assisted qualitative and mixed methods data, text and multimedia analysis (MAXQDA, 2012). Each document was individually coded by highlighting the sentence or the paragraph that mentions the process of developing a security policy. On completion of the coding process, a total of 42 codes had emerged, applied 568 times in all. These codes varied from the general to the specific. General codes included, for example, “security policy construction”, while the specific ones included “draft the policy”, “write policy” and “write policy procedure”. The 42 codes that had emerged during the coding process were reduced to ten codes (see Fig. 1), with some of the smaller codes merged with similar allied codes. For example, the codes labelled “identification of vulnerabilities”, “identification of threats” and “identification of assets to be protected” were grouped under one code termed “risk assessment” as they were all part of evaluating the security risk processes. Based on the results of the content analysis, a conceptual framework was proposed. The proposed framework was then refined on the basis of suggestions made by the professionals who were surveyed.

3.2. Primary data collection: the survey

The primary data collection in this paper included a survey, which was conducted in order to validate the constructs of the ISPDLC component of the framework. A research instrument was developed and distributed to 400 security professionals – 200 in the United Kingdom and 200 in the United States of America. A total of 310 security professionals (182 from the UK and 128 from the USA) responded to the survey questionnaire, which was administered using SurveyMonkey software. The information security professionals targeted by the survey
included IT managers, chief information security officers and security specialists. The participants were chosen because they are involved in information security related issues in their daily activities and therefore may be considered to exert significant influence on information security management in their organisations. The respondents were asked to specify the type of organisation for which they worked. It emerged that 41.92% worked in industry; 17.69% in government; 14.23% in the banking sector; 13.46% in the consulting sector; and 12.69% in the trading sector. In addition, the respondents were asked to indicate the number of employees working in their organisation. The findings revealed that 35.71% worked for organisations with fewer than 500 employees; 25.65% for organisations with between 500 and 1000 employees; 23.70% for organisations with between 1000 and 5000 employees; 6.17% for organisations with between 5000 and 10 000 employees, and 8.77% for organisations with more than 10 000 employees. The findings also showed that 62% of the respondents were male, while 38% were female.

The survey questionnaire was based primarily on the results of the content analysis that had been conducted on the secondary data. Additionally, the questionnaire contained open-ended questions which gave the respondents the opportunity to respond in their own words. The respondents were asked to offer suggestions in respect of the processes for developing and implementing an information security policy which they felt were important, but which had not been included in the questionnaire. The questionnaire also included closed questions based on a Likert-type scale that restricted the respondents to selecting answers from a predefined set.

Fig. 1 – Framework codes. WHAT: Risk Assessment (RA); Policy Construction (PC); Policy Implementation (PI); Policy Compliance (PCO); Policy Monitoring (PM); Management Support (MS); Employee Support (ES); International Security Standards; Policy Stakeholders; Legislation Requirements.

3.3. Evaluation of the research

This research used a mixed method approach which combined qualitative and quantitative data. According to Johnson and Onwuegbuzie (2004), mixed method research involves mixing or combining quantitative and qualitative research techniques, methods, approaches, concepts or language into one study. Oates (2006) explains that combining both research methods provides the researcher with multiple modes of “attack” on the research objective. In addition, the findings or conclusions of such a study are more likely to be convincing and accurate than would otherwise have been the case (Yin, 2003). The next section highlights the evaluation of the qualitative and quantitative data.

3.3.1. Qualitative data

Borrego et al. (2009) state that “just as rigorous statistical analysis is essential in quantitative research to ensure reliability and generalisability of the results, so too is the rich description of the context and experiences of the participants essential in qualitative research to ensure trustworthiness”. In this paper, trustworthiness was ensured because the constructs were evaluated by security experts. The participants were chosen purposefully (purposeful sample) for their involvement in security-related matters in their daily activities, and were therefore viewed as information rich.

Furthermore, Lincoln and Guba (1985) propose four criteria for trustworthiness:

• Credibility – this refers to confidence in the “truth” of the findings. Critical and constructive feedback from the security experts that were surveyed enabled this research contribution to be refined.
• Transferability – this entails that the findings have applicability in other contexts. The proposed ISPDLC provides guidelines that organisations can follow in order to improve their mechanisms for developing an information security policy.
• Dependability – this shows that the findings are consistent. The data used in this paper were obtained from multiple sources and the findings were supported by literature, extant theories, and the empirical results.
• Confirmability – this refers to a degree of neutrality or the extent to which the findings of a study are shaped by the respondents and not by researcher bias, motivation, or interest. In this paper, the researchers were neutral as the data used included the findings of the content analysis and the input of the surveyed security professionals.

3.3.2. Quantitative data

Tavakol and Dennick (2011) maintain that reliability and validity are two fundamental concerns in the assessment of a measurement instrument. In this paper, Cronbach’s alpha was used to measure the reliability of the constructs of the proposed ISPDLC. Raerd (2012) indicates that Cronbach’s alpha is the most commonly used statistical test to determine the reliability of multiple Likert-type questions in a survey. In addition, construct validity was assessed by performing a Factor Analysis on the items (variables constituting a construct) of each construct and calculating the validity of the resulting factors.

3.3.2.1. Reliability of constructs. Table 1 provides the findings of the reliability statistics of all combined constructs.

As depicted in Table 1, the Cronbach’s alpha was α = 0.943 for all combined constructs. In addition, Cronbach’s alpha was used to establish the internal consistency of the questions related to the variables of each construct. The Cronbach’s alphas
172 computers & security 61 (2016) 169–183

to be highly valid, thus measuring what they are expected to


Table 1 – Reliability statistics (Cronbach’s alpha).
measure. According to Hair et al. (1998), loadings of .5 or greater
Item Combined RA PC PI PCO PM MS ES represent items of practical significance.
constructs
The next section discusses the results of the content analy-
Cronbach’s .943 .907 .916 .894 .909 .898 .904 .900 sis and the input of the surveyed security professionals.
alpha
No items 7 4 4 4 4 4 4 4

4. Framework codes: the WHAT

achieved for these variables ranged from 0.916 (highest) to 0.894 The ten framework codes are based on the integration of the
(lowest). This, in turn, indicates that the variables asked in the existing information security policy development and imple-
questionnaire in relation to all the combined constructs were mentation methods and models found in the current literature,
both reliable and consistent. A Cronbach’s alpha value of 0.7 plus the input of the surveyed security professionals. The find-
or greater is considered acceptable (Gefen et al., 2000; Nunnally ings revealed different codes that organisations should consider
and Bernstein, 1994). when developing and implementing an effective information
security policy. Fig. 1 depicts the final ten codes of the pro-
3.3.2.2. Validity of constructs. A principle component Factor posed framework.
Analysis was conducted on all combined constructs. Table 2 By reflecting on the different codes depicted in Fig. 1, it
shows the results of the Factor Analysis. became clear that seven codes – namely Risk Assessment, Policy
Furthermore, a principle component Factor Analysis was also Construction, Policy Implementation, Policy Compliance, Policy
done on the variables of each construct. As depicted in Table 3, Monitoring, Management and Employee Support – encom-
the Factor Analysis findings for all the combined constructs pass all the processes needed to develop and implement an
and their variables ranged from 0.925 (highest) to 0.831 (lowest). information security policy. Therefore, these codes thus con-
Therefore, the Factor Analysis indicated that all scales proved stituted the Information Security Policy Development Life Cycle
(ISPDLC component in Fig. 2) and became the seven constructs.
The second component: Security Policy Drivers (see compo-
nent 2 in Fig. 2) consisted of three codes. This component is
Table 2 – Combined constructs factor matrix (validity).
composed of the threats that place the organisation under pres-
Item RA PC PI PCO PM MS ES sure so that mechanisms are implemented in order to protect
Loading .850 .886 .885 .875 .859 .884 .870 information. Abdel-Aziz (2010) states that “before discussing
information security policy and the process to assess it, it is
important to know what drives information security in the first
place”. The development of an information security policy is
Table 3 – Items factor matrix. driven by both external and internal influences that exert pres-
Item Loading sure on the organisation to put in place mechanisms to protect
RA1 .897 the organisation’s information. The internal threats include
RA2 .925 insider employees who place the organisation’s information
RA3 .892 at risk, while external threats include hackers. In addition, there
RA4 .861 is the necessity of complying with proliferating government
PC1 .893
legislative requirements.
PC2 .884
The third component is the Security Policy Guidance (see Fig.
PC3 .901
PC4 .862 2). This component is composed of the security standards that
PI1 .831 guide organisations in constructing an information security
PI2 .903 policy. As discussed, international security standards such as
PI3 .893 ISO/IEC 27002 (2013) are used as a major guide at the begin-
PI4 .860 ning stage of information security policy development.
PCO1 .878
Finally, organisations need to use relevant Existing Theories
PCO2 .894
PCO3 .890
(component 4 in Fig. 2) in order to understand the behavioural
PCO4 .884 intention of employees concerning information security policy
PM1 .872 compliance. The content analysis revealed that General De-
PM2 .861 terrence Theory (GDT) and the Theory of Planned Behaviour
PM3 .892 (TPB), among others, are key theories for understanding em-
PM4 .874
ployees’ behavioural intention to comply with an information
MS1 .879
security policy of an organisation. The TPB explains that the
MS2 .900
MS3 .890 intention of an individual to perform a given behaviour is in-
MS4 .857 fluenced by attitude, subjective norms and perceived
ES1 .877 behavioural control (Ajzen, 1991). On the other hand, GDT pre-
ES2 .886 dicts that an increase in the severity of the punishment imposed
ES3 .882 on those who violate the rules of the organisation reduces
ES4 .866
certain criminal acts (Blumstein et al., 1978).
Fig. 2 – The policy development framework including the ISPDLC component. Component 1, the Information Security Policy Development Life Cycle: Management Support (MS) and Employee Support (ES) span the sequence Risk Assessment (RA), Policy Construction (PC), Policy Implementation (PI), Policy Compliance (PCO), Policy Monitoring (PM). Supporting components: Security Policy Guidance (3), Security Policy Drivers (2), Existing Theories (4).

As discussed in this section, the proposed framework, depicted in Fig. 2, comprises four components that constitute the main pillars of the information security policy development and implementation process. However, this paper focuses on component 1 and the seven constructs which constitute this component.

The seven constructs of the ISPDLC component, namely Risk Assessment (RA), Policy Construction (PC), Policy Implementation (PI), Policy Compliance (PCO), Policy Monitoring (PM), Management Support (MS) and Employee Support (ES), were evaluated based on the survey results. The software used to conduct the statistical analysis was SPSS v22.0. The next section discusses the descriptive data analysis findings relating to the constructs of the ISPDLC.

4.1. ISPDLC evaluation

Once the data had been entered in SPSS, various statistical tests were conducted. Descriptive statistical tests were used to generate frequencies, the median, the mean, and the standard deviation. Table 4 presents the descriptive statistics of the constructs of the ISPDLC with the mean values arranged from highest to lowest.

As shown in Table 4, the mean of all constructs was above 3 – the middle value in the five-point scale (Dewberry, 2004). Accordingly, the results of the descriptive statistics revealed that, in general, the respondents agreed that all constructs of the ISPDLC component were important. The overall results of the survey showed that Risk Assessment was the most important construct of the various measured constructs. This result is not surprising given that the main reason for developing an information security policy is to mitigate the various security risks that organisations face. The second most important construct was Management Support. Management plays a significant role in decision-making in an organisation, especially with regard to budgeting and information security policy approval and enforcement. The findings also revealed that the respondents believed that Policy Compliance and Employee Support were important steps for inclusion in an information security development and implementation process. The overall results showed that Policy Monitoring was the least important of the measured constructs. The formal content analysis revealed similar results, with Information Security Monitoring showing the lowest frequency of tags compared to the other constructs.

Table 4 – Descriptive statistical results of the ISPDLC component.

Construct                    N     Mean     Median   Std. deviation
Risk assessment (RA)         308   4.1623   3.0000   1.04909
Management support (MS)      309   4.0814   3.0000   .97177
Policy compliance (PCO)      307   4.0749   3.0000   .93808
Employee support (ES)        309   4.0615   3.0000   .98335
Policy implementation (PI)   307   4.0130   3.0000   1.00318
Policy construction (PC)     308   4.0032   3.0000   1.01294
Policy monitoring (PM)       307   3.9644   3.0000   1.07602

4.1.1. Results of the Risk Assessment (RA) variables

Table 5 presents the descriptive statistics pertaining to the Risk Assessment variables, with the mean values arranged from highest to lowest.

Table 5 reveals that the mean was above 3, which shows that the respondents deemed all four variables to be important. The identification of vulnerabilities and threats process had the highest mean of 4.1392. This indicates that the respondents believed this process to be very important compared to the other processes of the Risk Assessment construct.

Table 5 – Results of Risk Assessment variables.

Variable                      N     Mean     Median   Std. deviation
Vulnerabilities and threats   309   4.1392   3.0000   .98201
Assets identification         310   4.0774   3.0000   .96230
Legislation                   308   4.0714   3.0000   .94547
Risk identification           308   4.0455   3.0000   .96412

4.1.2. Results of the Policy Construction (PC) variables

Table 6 shows the descriptive statistics pertaining to the Policy Construction variables.
174 computers & security 61 (2016) 169–183

Table 6 – Results of the Policy Construction variables. Table 9 – Results of Policy Monitoring variables.
N Mean Median Std. N Mean Median Std.
deviation deviation
Write detailed security 306 3.9804 3.0000 .93015 Periodical review 308 4.0162 3.0000 .97346
policy Audit information 310 4.0161 3.0000 .96024
Write high level security 309 3.9612 3.0000 .97623 Non periodical review 307 3.9935 3.0000 .95996
policy Automated review 306 3.9052 3.0000 .97552
Consultation with 307 3.9609 3.0000 .90664
stakeholders
Write lower level security 307 3.8567 3.0000 1.03168
policy
4.1.5. Results of the Policy Monitoring (PM) variables
Table 9 presents the descriptive statistics pertaining to the Policy
Monitoring and assessment variables, with the mean values
arranged from highest to lowest.
As highlighted in Table 6, the results revealed that the mean Table 9 indicates that the mean was above 3. The periodical
was above 3. The development of detailed security policies had review had the highest mean of 4.0162, indicating that the re-
the highest mean of 3.9804, indicating that the respondents spondents believed this process to be the most important
believed that this process was very important as compared to process of the Policy Monitoring.
the other processes of the Policy Construction construct.
4.1.6. Results of Management Support (MS) variables
4.1.3. Results of the Policy Implementation (PI) variables Table 10 presents the descriptive statistics of the Manage-
Table 7 presents the descriptive statistics pertaining to the Policy ment Support variables with the mean values arranged from
Implementation variables, with the mean values arranged from highest to lowest.
highest to lowest. As highlighted in Table 10, the results revealed that the mean
Table 7 illustrates that the mean was above 3, which shows was above 3. Management involvement had the highest mean of
that respondents deemed all four variables to be important. 4.0455, indicating that the respondents believed this process
Defining the role of stakeholders had the highest mean of 4.0550, to be the most important process of the Management Support
indicating that the respondents believed that this process was construct.
very important as compared to the other processes of the Policy
Implementation construct. 4.1.7. Results of Employee Support (ES) variables
Table 11 presents the descriptive statistics of the Employee
Support variables with the mean values arranged from highest
4.1.4. Results of Policy Compliance (PCO) variables
to lowest.
Table 8 presents the descriptive statistics pertaining to the Policy
Table 11 reveals that the mean was above 3, which shows
Compliance variables.
that the respondents found all four variables to be impor-
Table 8 shows that the mean was above 3 – the middle value
tant. Employee involvement had the highest mean of 4.0326, thus
in the five-point scale (Dewberry, 2004). Knowledge emerged as
indicating that the respondents believed that this process was
an important variable with the highest mean of 3.9934, thus
very important compared to the other processes of the Em-
indicating that the respondents believed this process to be very
ployee Support construct.
important as compared to the other processes of the Policy
The next section discusses the relationship between the
Compliance construct.
ISPDLC constructs.

Table 7 – Results of Policy Implementation variables. Table 10 – Results of Management Support variables.
N Mean Median Std. N Mean Median Std.
deviation deviation
Role of stakeholders 309 4.0550 3.0000 .97379 Management involvement 308 4.0455 3.0000 .94017
Security policy education 309 4.0356 3.0000 .99121 Budget 307 4.0391 3.0000 .94891
Security policy training 309 3.9385 3.0000 .95658 Policy enforcement 308 4.0195 3.0000 1.00792
Security policy awareness 310 3.7968 3.0000 .99870 Policy approval 305 3.9508 3.0000 .96699

Table 8 – Results of the Policy Compliance variables. Table 11 – Results of the Employee Support variables.
N Mean Median Std. N Mean Median Std.
deviation deviation
Knowledge 305 3.9934 3.0000 .90682 Employee involvement 307 4.0326 3.0000 .92474
Attitude 308 3.9838 3.0000 .89683 Binding agreement 309 3.9968 3.0000 1.00162
Perceived benefit 307 3.9772 3.0000 .90900 Job termination 307 3.9870 3.0000 .99991
Perceived social pressure 307 3.9739 3.0000 .95279 Deterrence measure 307 3.8436 3.0000 .99754
computers & security 61 (2016) 169–183 175

5. The relationship between the ISPDLC constructs: the HOW

The results of the content analysis revealed a high frequency of occurrence of Management Support and Employee Support. Accordingly, it was assumed that it is essential that Management Support and Employee Support are involved in all the processes when developing and implementing an information security policy. Therefore, inferential statistical tests were conducted to ascertain whether there is a relationship between Management Support and the Information Security Policy Development Life Cycle (ISPDLC) constructs. Similarly, inferential statistical tests were used to ascertain whether there is a relationship between Employee Support and the ISPDLC constructs.

As illustrated in Table 12, Pearson's correlation coefficient was computed to examine the strength and direction of correlations among the various constructs of the ISPDLC. The following abbreviations are used for these constructs: Management Support (MS), Risk Assessment (RA), Policy Construction (PC), Policy Implementation (PI), Policy Monitoring (PM), Policy Compliance (PCO), and Employee Support (ES).

As shown in Table 12, Pearson correlation indicates the strength of association between the constructs of the ISPDLC component. The findings show a positive correlation between the constructs of the ISPDLC, namely p < 0.05, which is statistically significant. Therefore, the results show that the different constructs of the ISPDLC are reliable and consistent.

Table 12 – Correlation analysis between the ISPDLC constructs.

                          MS     RA     PC     PI     PM     PCO    ES
MS   Pearson correlation  1      .804   .765   .673   .669   .654   .680
     Sig. (2-tailed)             .000   .000   .000   .000   .000   .000
     N                    309    307    307    306    306    306    308
RA   Pearson correlation  .804   1      .792   .673   .740   .707   .756
     Sig. (2-tailed)      .000          .000   .000   .000   .000   .000
     N                    307    308    307    305    306    305    307
PC   Pearson correlation  .765   .792   1      .737   .733   .691   .731
     Sig. (2-tailed)      .000   .000          .000   .000   .000   .000
     N                    307    307    308    305    306    305    307
PI   Pearson correlation  .673   .673   .737   1      .797   .682   .717
     Sig. (2-tailed)      .000   .000   .000          .000   .000   .000
     N                    306    305    305    307    305    304    306
PM   Pearson correlation  .669   .740   .733   .797   1      .781   .741
     Sig. (2-tailed)      .000   .000   .000   .000          .000   .000
     N                    306    306    306    305    307    304    306
PCO  Pearson correlation  .654   .707   .691   .682   .781   1      .774
     Sig. (2-tailed)      .000   .000   .000   .000   .000          .000
     N                    306    305    305    304    304    307    306
ES   Pearson correlation  .680   .756   .731   .717   .741   .774   1
     Sig. (2-tailed)      .000   .000   .000   .000   .000   .000
     N                    308    307    307    306    306    306    309

5.1. Management Support (MS) and Risk Assessment (RA) correlation analysis

A positive correlation was found between Management Support and Risk Assessment [r = 0.804, n = 307, p = 0.000]. With p < 0.05, this correlation is statistically significant, with high scores for Management Support being associated with high scores for Risk Assessment.

Risk Assessment is the first step that an organisation needs to embark on in order to identify the threats, vulnerabilities and risks that need to be mitigated. At this stage, management involvement is the variable that is most needed. Subsequently, based on the results of the Risk Assessment stage, management should conduct a cost–benefit analysis on the implementation of the recommended controls to reduce the identified risks to an acceptable level. The Business Dictionary (2001) defines cost–benefit analysis as a “process of quantifying costs and benefits of a decision, program, or project (over a certain period), and those of its alternatives (within the same period), in order to have a single scale of comparison for an unbiased evaluation”. Based on the result of the cost–benefit analysis, management will decide if it is worthwhile implementing the recommended control and, if the envisaged costs are within the budget, the Risk Assessment plan is approved and the next phase of Policy Construction can commence. If not, the risk mitigation strategies will either need to be revised to bring them within budget or the budget will have to be increased.

5.2. Employee Support (ES) and Risk Assessment (RA) correlation analysis

A positive correlation was found between Employee Support and Risk Assessment [r = 0.756, n = 307, p = 0.000]. With p < 0.05, this correlation is statistically significant, with high scores for Employee Support being associated with high scores for Risk Assessment.

The most important threats to organisations’ information security are the employees who work in the organisation. Therefore, the involvement of employees in the Risk Assessment process is crucial. Douglas (2011) advises that during the Risk Assessment stage, organisations need to identify the assets to be protected and to assess the threats and vulnerabilities. It is important to involve employees in asset identification, as assets include the computers employees use. Therefore, employees have to cooperate with the staff members who will be involved in carrying out the identification activities. The same cooperation is necessary during the threat and vulnerability identification process.

5.3. Management Support (MS) and Policy Construction (PC) correlation analysis

A positive correlation was found between Management Support and Policy Construction [r = 0.765, n = 307, p = 0.000]. With p < 0.05, this correlation is statistically significant, with high scores for Management Support being associated with a high score for Policy Construction.

Bayuk (2009) points out that the construction of an information security policy should start with top management. Accordingly, directives or high-level security policies emanating from the executive management are disseminated from the strategic level to the tactical level where they are translated into standards or guidelines; finally, they are disseminated to the operational level in the form of procedures (Von Solms et al., 2011). During the information security policy construction stage, management involvement is essential because it is needed to approve the security policy. If management approves the security policy, the next stage is the publication of the policy. On the other hand, if management refuses to approve the policy, the security policy team will need to incorporate management’s recommendations and resubmit the policy to management for approval.

5.4. Employee Support (ES) and Policy Construction (PC) correlation analysis

The results show a positive correlation between Employee Support and Policy Construction [r = 0.731, n = 307, p = 0.000]. With p < 0.05, this correlation is statistically significant, with high scores for Employee Support being associated with high scores for Policy Construction.

Kadam (2007) advises that, when constructing an information security policy, employees need to be involved in order to create a sense of ownership. In addition, it is critical at this stage to start preparing employees for the upcoming changes and the new ways in which they will be operating when the new policy requirements are implemented. Involvement is thus critical in moving users through the stages of commitment – from preparation through acceptance and ultimately to the commitment stage.

5.5. Management Support (MS) and Policy Implementation (PI) correlation analysis

A moderate positive correlation was found between Management Support and Policy Implementation [r = 0.673, n = 306, p = 0.000]. With p < 0.05, this correlation is statistically significant, with high scores for Management Support being associated with a high score for Policy Implementation.

During the Policy Implementation stage, the policy is rolled out to the entire organisation. The content analysis revealed that this stage comprises four variables: Policy Awareness, Policy Training, Stakeholders’ Role, and Policy Education. At this stage, the involvement of Management Support is crucial as communication from top management has to be disseminated throughout the different organisational levels. The committed participation of management will motivate employees to comply with the new policy requirements and will also help to increase employees’ acceptance of and commitment to the organisation’s security policy. Management also plays an important role in Policy Awareness as it is their place to ensure that all stakeholders are aware of and understand their responsibilities as they relate to the security policy requirements. In order to reach the various audiences, different forms of business communication (notices, intranet, posters, newsletters, etc.) can be used to promote Policy Awareness. Furthermore, management needs to ensure that there are mechanisms in place for training and educating users on the new information security policy requirements. Such training can be organised regularly or intermittently, depending on the need for such training and education sessions.

5.6. Employee Support (ES) and Policy Implementation (PI) correlation analysis

A positive correlation was found between Employee Support and Policy Implementation [r = 0.717, n = 306, p = 0.000]. With p < 0.05, this correlation is statistically significant, with high scores for Employee Support being associated with high scores for Policy Implementation.

When implementing a new information security policy, it is crucial to involve the employees. The Mauritian Computer Emergency Team (2011) emphasises that employees should be required to sign the policy formally. This will mean that the new information security policy document is a binding contractual agreement between the employers and the employees. As such, the contract contains the rules that employees must follow to protect the organisation’s information assets. It also includes the penalties that will be imposed on employees should they violate the policy.

In addition, employees will be required to attend training and education programmes so that they understand the requirements of the policy. The main objective of such programmes is to increase knowledge about the policy requirements.

5.7. Management Support (MS) and Policy Compliance (PCO) correlation analysis

A moderate positive correlation was found between Management Support and Policy Compliance [r = 0.654, n = 306, p = 0.000]. With p < 0.05, this correlation is statistically significant, with moderate scores for Management Support being associated with moderate scores for Policy Compliance.

Once the information security policy has been implemented in the organisation and the employees have been trained and are aware of the policy, management needs to put appropriate measures for information security policy compliance in place. These measures are designed to ascertain whether the requirements of the information security policy have been met. In order to understand the employees’ compliance behaviour, Bulgurcu et al. (2010) recommend using existing theories related to information security policy compliance, such as the TPB and the GDT.

5.8. Employee Support (ES) and Policy Compliance (PCO) correlation analysis

A positive correlation was found between Employee Support and Policy Compliance [r = 0.774, n = 306, p = 0.000]. With p < 0.05, this correlation is statistically significant, with high scores for Employee Support being associated with high scores for Policy Compliance.

Bulgurcu et al. (2010) argue that organisations need to rely on existing theories related to information security policy compliance in order to understand employees’ intentions to comply with such policy. Employees should not consider a security policy as a form of punishment; rather, they should see it as a measure that will help to protect the organisation’s assets and thus grow the organisation’s business.

5.9. Management Support (MS) and Policy Monitoring (PM) correlation analysis

A moderate positive correlation was found between Management Support and Policy Monitoring [r = 0.669, n = 306, p = 0.000]. With p < 0.05, this correlation is statistically significant, with moderate scores for Management Support being associated with moderate scores for the Policy Monitoring construct.

Management plays a significant role in the information security policy monitoring and assessment stage. Management, which is responsible for the well-being of the organisation, needs to be aware of the status quo of the organisation’s information security. In the Direct–Control cycle presented by Von Solms et al. (2011), the emphasis falls on the importance of the controlling step. Von Solms et al. (2011) state, “In order to effectively control, it is necessary to capture data to test for compliance with the policies which were drafted and implemented through directing. At the Operational level, this data could be extracted from, for example, log files of operating systems, databases and firewalls”. The information gained from these files must be compiled in a report and submitted to management. Thereafter, management should assess the report and make decisions accordingly.

5.10. Employee Support (ES) and Policy Monitoring (PM) correlation analysis

A positive correlation was found between Employee Support and Policy Monitoring [r = 0.741, n = 306, p = 0.000]. With p < 0.05, this correlation is statistically significant, with high scores for Employee Support being associated with high scores for Policy Monitoring and Assessment.

As highlighted by Talbot and Woodward (2009), one of the objectives of information security policy monitoring and assessment is to produce measurable results that show users’ behaviour. These results should then be used to assess the employees’ performance in terms of security policy compliance. During an audit of security policy compliance, employees that demonstrate high security policy compliance should be encouraged and rewarded. On the other hand, those who are found to be violating the organisation’s information security policy should be cautioned and penalised.

The next section discusses the information security policy stakeholders.

6. Information security policy stakeholders: the WHO

In order for an information security policy to survive and attain its objectives, management, employees and stakeholders need to support the entire process involved in developing and implementing it. The development of an effective security policy requires a combination of skills which emanate from the experiences of the different stakeholders (Diver, 2007). Respondents in the survey suggested various stakeholders that should be involved in the process of developing and implementing the policy. This section therefore discusses the various stakeholders that are critical in this process. The content analysis and the input received from the surveyed security professionals revealed six stakeholders that should be involved in the development and implementation of the policy. These are depicted in Fig. 3.

Fig. 3 – Information security policy stakeholders (the WHO): executive management, end-users, legal counsel, technical staff, human resources, external representatives.

The following section discusses each of the stakeholders shown in Fig. 3.

6.1. Executive management

Bayuk (2009) argues that the first step in formulating a security policy involves ascertaining the way in which top management understands security in the organisation. In view of the fact that management plays a significant role in organisational decision-making, the involvement of executive management in information security policy development is key to its success (Maynard et al., 2011). Kadam (2007) highlights the fact that it is essential that management are aware of the importance of information security policy development activities so that the necessary resources are allocated to them.

6.2. End-users

Employee Support refers to the support of the end-users who perform various activities in an organisation. Szuba (1998) posits that involving employees in the development of an information security policy results in their “buy-in” and support, while also creating a sense of ownership of the information security policy.

Maynard et al. (2011) further recommend that the end-user community be included as part of the development effort to ensure that the multidisciplinary nature of an organisation is incorporated in the information security policy development process. This involvement by end-users should take place at an early stage so that they are given an opportunity to identify errors and difficulties, which may then be remedied before the security policy is implemented. “If the policy documents are hard to understand, users may not read them fully or may fail to understand them correctly, thereby needlessly risking security compromise” (Diver, 2007).

6.3. Legal counsel

During the survey, one respondent stated: “It is important that the legal team is involved in the information security policy development to ensure that organisations’ policies are in line with government laws.” The legal department is important because it provides information on current laws as well as anticipated legislative requirements.

6.4. Technical staff

Technical staff members possess the technical knowledge that the security policy development team may lack. One of the survey respondents stated that security specialists must be involved in security policy development because of their expertise, which might be lacking in the team tasked with policy development.

Diver (2007) maintains that security specialists should guide the development and revision of each policy document and serve as policy development consultants. However, although security specialists are familiar with security matters, they may not possess comprehensive knowledge and understanding of computer systems and communication network systems, which is the role of the ICT specialists. Maynard et al. (2011) claim that ICT specialists are usually one of the driving forces in information security policy development, as they provide technological knowledge and can advise on the level of security that is needed in a specific organisation.

6.5. Human resources

In order to ensure that the security policy is in line with standard organisational practices, it is critical that the human resource department be involved in the security policy development life cycle (Maynard et al., 2011). In this way, consistency between the organisation’s security policy and standard organisational practices will be assured. Diver (2007) supports this notion of consistency by stating that “where the policy touches on topics covered by existing HR policy, e.g., email usage, physical security, you must make sure that both sets of policy say the same thing”. In other words, the security policy should not conflict with human resources policy.

6.6. External representatives

Maynard et al. (2011) motivate the need to include external representatives, such as customers, suppliers and other external entities, in the development of an information security policy. This is particularly important if the external entities depend on the organisation’s computer systems for their activities. As discussed in this section, the development of an effective security policy requires a combination of the various skills that result from the experiences of different stakeholders. Therefore, the inclusion of multiple stakeholders in the development of an effective security policy is crucial because it gives the organisation as a whole a sense of ownership of the security policy, which facilitates the acceptance and adoption of the policy.

7. Conclusion

The main objective of the research on which this paper is based was to provide a framework (including the SPDLC) that would ensure a comprehensive structured methodology for developing and implementing an effective information security policy. A formal content analysis of current information security policy development methods was conducted using secondary sources to obtain a deep understanding of the processes. The content analysis revealed various codes that are considered to be the main pillars of this Life Cycle (Fig. 1). Based on these codes, a conceptual framework (Fig. 2) was developed and subsequently refined on the basis of the suggestions made by the security professionals who participated in the survey.

The focus of this paper was on the Information Security Policy Development Life Cycle component of the framework, and thus the seven constructs of the ISPDLC were empirically tested. The findings of the descriptive data analysis showed that, while the respondents believed that all the constructs were important, Risk Assessment was the most important overall. Hence, when developing an information security policy, the first step to undertake is Risk Assessment in order to identify the threats and vulnerabilities that must be mitigated.

The second most important construct was Management Support. Executive managers use policies to make their management intentions and direction known. On the other hand, the overall results of the survey showed that Policy Monitoring was the least important construct, which implies that this area needs more attention. The content analysis highlighted similar results, with information security monitoring showing the lowest frequency of tags compared to the other categories.

The findings of the inferential statistical data analysis showed a positive correlation between Management Support and the ISPDLC, with a statistically significant result. It emerged that as Management Support increased/decreased, a concomitant increase/decrease could be expected in the ISPDLC constructs. For example, a high degree of involvement on the part of management, such as allocating sufficient resources for the risk assessment process, would result in an increased likelihood of success in the information security policy construction process.

The findings also revealed the existence of a significant relationship between Employee Support and the ISPDLC constructs. In other words, as Employee Support increased/decreased, an increase/decrease could be expected in the ISPDLC constructs of the framework. For example, a high degree of employee support, such as participation in information security policy training, education and awareness sessions, would result in an increased likelihood of success in the information security policy implementation process.

8. Discussion and limitations

The first limitation of this paper is related to the demographics of the respondents in the survey. The respondents of the survey were from the United States of America and the United Kingdom only, which may constitute a limitation with regard to the generalisability of the study findings, as these two countries are developed countries with advanced technology. It is therefore important that the proposed framework should provide guidelines that underdeveloped countries could follow in order to improve their mechanisms for developing an information security policy. Future research could involve an empirical study that compares the development of information security policies in developing and developed countries. In most developed countries, senior management or a board of directors are by law responsible for information security and risk management. Thus, many have no option but to spend resources on putting mechanisms in place to protect the organisation’s information. In practice, however, this does not always happen, particularly in smaller organisations.

The second limitation is the time and cost that would be involved in implementing all the processes suggested in the proposed framework. The development of an information security policy requires that organisations have sufficient budgetary resources to cover all the costs. These costs include, for example, the costs of conducting a risk assessment, constructing the information security policy, consulting with stakeholders, conducting training and education sessions, and monitoring users’ activities by, perhaps, using an automated monitoring system. Moreover, costs will increase with the size of the organisation, with larger organisations requiring considerable time and money compared to smaller organisations.

Finally, the decision to embark on drawing up an information security policy should be based on the organisation’s risk appetite. In this regard, a cost–benefit analysis should be conducted in order to ascertain whether it is worth spending an excessive amount of resources on this exercise.
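Section 5.9 quotes Von Solms et al. (2011) on capturing data from operating-system, database and firewall log files to test for compliance with the policy, and Section 5.10 (with survey item PM.3 in Appendix B) asks for measurable results that locate the areas of frequent policy deviation. The following example is added here to show the shape of such a controlling step; it is not code from the paper or its authors. Constructed authentication and firewall records are tested against three illustrative rules and reduced to the per-rule counts a management report would carry. The log format, the rule thresholds in POLICY and the function names (parse_record, check_compliance, summarise) are assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log records (an assumption for illustration, not real data): an ISO timestamp,
# a record type (auth or fw) and key=value fields, as a log normaliser might emit them.
SAMPLE_LOG = """\
2016-06-01T08:02:11 auth host=srv1 user=alice result=success
2016-06-01T09:15:00 auth host=srv2 user=carol result=failure
2016-06-01T09:15:20 auth host=srv2 user=carol result=failure
2016-06-01T09:15:41 auth host=srv2 user=carol result=failure
2016-06-01T09:16:03 auth host=srv2 user=carol result=failure
2016-06-01T10:00:00 fw src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2016-06-01T10:00:07 fw src=10.0.0.5 dst=203.0.113.7 dport=23 action=allow
2016-06-01T10:00:09 fw src=10.0.0.9 dst=198.51.100.4 dport=21 action=deny
2016-06-01T23:40:05 auth host=srv1 user=bob result=success
2016-06-02T02:12:44 auth host=srv1 user=dave result=success
"""

# Illustrative policy rules with assumed thresholds; in practice they come from the approved
# policy document and the operational-level procedures derived from it.
POLICY = {
    "max_failed_logins_per_day": 3,     # more than this per user per day is a deviation
    "business_hours": (7, 19),          # successful logins expected between 07:00 and 18:59
    "on_call_users": {"dave"},          # exempt from the business-hours rule
    "cleartext_admin_ports": {21, 23},  # FTP and Telnet must not be allowed through the firewall
}


def parse_record(line):
    """Split 'TIMESTAMP KIND k=v k=v ...' into a dict, with the timestamp parsed under 'ts'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def check_compliance(log_text, policy=POLICY):
    """Return {rule_name: [evidence line, ...]} for every policy deviation found in the log."""
    failures = Counter()            # (user, day) -> number of failed logins
    deviations = defaultdict(list)
    lo, hi = policy["business_hours"]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["kind"] == "auth":
            if rec["result"] == "failure":
                failures[(rec["user"], rec["ts"].date())] += 1
            elif rec["result"] == "success":
                outside = not (lo <= rec["ts"].hour < hi)
                if outside and rec["user"] not in policy["on_call_users"]:
                    deviations["login_outside_hours"].append(line)
        elif rec["kind"] == "fw":
            if rec["action"] == "allow" and int(rec["dport"]) in policy["cleartext_admin_ports"]:
                deviations["cleartext_admin_allowed"].append(line)
    # The failed-login rule is a threshold over a day, so it is evaluated after the pass.
    for (user, day), count in sorted(failures.items()):
        if count > policy["max_failed_logins_per_day"]:
            deviations["excessive_failed_logins"].append(f"{user} {day} {count} failures")
    return dict(deviations)


def summarise(deviations):
    """Per-rule counts, most frequently deviated rule first, for the report to management."""
    return sorted(((rule, len(items)) for rule, items in deviations.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for rule, count in summarise(check_compliance(SAMPLE_LOG)):
        print(f"{rule}: {count}")
```

The per-rule counts are the measurable result that Section 5.10 calls for, and the evidence lines behind each count are what an audit of compliance would take to the individual employee or system; the rule set itself should be traced back to the assets and threats identified in the Risk Assessment stage rather than chosen ad hoc.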

Appendix A

No  Author                              Paper contribution

1   Talbot and Woodward (2009)          This research paper examined the implementation of security policies in an organisation. The paper makes recommendations on the processes involved in improving an organisation’s culture; creating an awareness mechanism for policies; reviewing the policy periodically; updating the policy; policy compliance and policy enforcement.
2   InstantSecurityPolicy.com (2013)    This paper discusses the integration of security policy creation processes with a business management model in terms of which the security risks may be easily quantified.
3   Abdel-Aziz (2010)                   This paper addresses the information security policy review and assessment.
4   Hong et al. (2006)                  The finding of this paper highlights that organisations should focus on procedures and implementation items, rather than on the policy documents only. The contribution of this paper is relevant to the objectives of this study.
5   Von Solms et al. (2011)             This paper stresses the importance of information security policy as the main control with which to mitigate information security threats. In addition, the paper highlights how the information security policy should be implemented based on the strategic, tactical and operational management levels.
6   Kadam (2007)                        This paper points out a wide range of issues which were considered important to the research objectives of this study, including the need to conduct a risk assessment, developing security policy and procedures’ processes, and management support.
7   Bayuk (2009)                        Bayuk emphasises the importance of information security management and policy control.
8   Avolio et al. (2007)                This paper discusses the processes involved in writing a security policy to protect the network security. It emphasises that security policies should be initiated by top managers. Furthermore, it highlights that, before writing a security policy, it is essential that organisations take into account the regulations that apply to that specific organisation.
9   Chen and Li (2014)                  The paper emphasises that deterrence measures will effectively decrease omission behavioural intention.
10  Wahsheh and Alves-Foss (2008)       The paper presents a model which describes the engineering processes of developing security policies.
11  Bulgurcu et al. (2010)              Based on the theory of planned behaviour, this article investigates the reasons that drive an employee to comply with requirements of the information security policy. It also investigates the impact of information security awareness on an employee’s outcome beliefs.
12  RSA Security Inc. (2013)            This paper discusses important issues related to security policy implementation such as policy communication and policy enforcement.
13  Karyda et al. (2005)                This paper explores the processes involved in formulating, implementing and adopting a security policy in an organisation. The paper looks specifically at the contextual factors that affect the successful adoption of information security policies.
14  National Computer Board (2011)      This report is important because it points out that there are different policy audiences in every organisation, and therefore it is imperative that the development of security policies take this issue into account. The report also refers to the responsibilities of the various stakeholders in security policy development.
15  University of Newcastle (2009)      The document cites the processes which are required during the policy review, drafting the policy and policy consultation. It also highlights the roles of stakeholders in approving the security policy.
16  Diver (2007)                        This paper offers a unique perspective that the other papers in the sample did not offer. It emphasises the need to consider regulatory requirements before developing security policies. The paper also recommends taking into account the current security policy maturity before choosing which approach to follow in developing security policy.
17  Al-Awadi and Renaud (2007)          The paper highlights the important issues to be considered during the implementation of an information security policy. These issues include awareness and training, management support, budget and information security policy enforcement and adaptation.
18  Griffins (2009)                     The paper discusses the various steps involved in writing policies and in the approval process. It also discusses the processes involved in distributing new security policies.
19  Corpuz and Barnes (2010)            The objective of this paper was to integrate information security policy management with corporate risk management. The paper also mentions the various risk assessment processes.
20  Yayla (2011)                        This paper discusses different socio-behavioural control mechanisms that are useful in mitigating insider threats to information security. These include, for example, deterrence measures that may be used to ensure that employees do not violate the organisation’s rules.
21  Khan (2010)                         This paper emphasises the importance of the information security policy communication and publication within an organisation. It also points out the need for detailed process documentation of an information security programme.

Appendix B

Survey to assess the importance of information security policy development and implementation processes
1. Organisation type (Government, Industrial, Banking, Education, Others: please specify)
2. Occupation
A- CIO,
B- Security specialist,
C- IT manager,
D- Others (specify)
3. How many employees work in your organisation? Less than 500; between 500 and 1000; between 1000 and 5000; 5000 – 10 000; > 10 000
4. Does your organisation have an information security policy? (Yes or No):
5. Please specify your gender (Male or Female):
How important do you believe the following issues are for the successful implementation of an information security policy in your
organisation?
Where 1) is Not important, 2) Somewhat important, 3) Neutral, 4) Important and 5) is Very important.

1 2 3 4 5
6. Visible support and commitment from top executive management.
7. A clear understanding of the organisation’s security risks.
8. The information security policy writing process is based on the findings and the recommendations of the risk
assessment process.
9. Suitable information security policy training and education during the information security policy
implementation stage.
10. Regularly assess and monitor the information security policy to ensure that it is effective.
11. Effective information security policy compliance mechanisms to ensure that employees adhere to the
organisation’s information security policy requirements.
12. Ensure that employees support and understand their roles and responsibilities concerning the information
security policy requirements.
Assessment of the information security policy development process
In order to have an effective information security policy, an organisation should select a set of processes to be implemented. Please indicate
the importance of each of the following security policy development processes where
1) is Not important, 2) Somewhat important, 3) Neutral, 4) Important and 5) is Very important.
Risk Assessment (RA) processes

1 2 3 4 5
RA.1. Develop a risk assessment plan that includes the identification of assets to be protected.
RA.2. Develop a risk assessment plan that includes the assessment of vulnerabilities and security threats.
RA.3. The security policy is constructed based on the findings of the risk assessment result.
RA.4. Identify all legal and regulatory requirements pertaining to the organisation.
Please add any activity that you feel is important with respect to the risk assessment process within your organisation:

Policy Construction (PC) processes

PC.1. At the strategic level, develop high-level policies: a set of management mandates that show how executive management plans to protect the organisation's information assets.
PC.2. At the tactical level, develop detailed security policies: detailed statements showing what should be done to comply with the security policy.
PC.3. At the operational level, develop lower-level security policies which define the procedures, plans or processes that address the details of how to perform a specific action.
PC.4. The organisation's stakeholders must be consulted before the information security policy is submitted to senior management for final approval.

Please add any activity that you feel is important with respect to the security policy construction process within your organisation:

Policy Implementation (PI) processes

PI.1. Different business communications (notices, posters, newsletters, etc.) are used to promote security policy awareness.
PI.2. There are mechanisms to train all stakeholders so that they understand their responsibilities towards the security policy requirements.
PI.3. Clearly define the roles of the various organisational stakeholders (executive management, information security officials, everyone).
PI.4. There are mechanisms in place to educate employees about new information security policy requirements.

Please add any activity that you feel is important with respect to the security policy implementation process within your organisation:

Policy Monitoring (PM) processes

PM.1. Review the information security policy on a regular basis to make sure that it incorporates the latest threats and new regulations and is kept up to date.
PM.2. Use an automated review scheduling system which alerts when major changes have occurred to existing practices.
PM.3. Review the audit information to identify the area(s) of frequent security policy deviation.
PM.4. An established information security policy review and update process exists.

Please add any activity that you feel is important with respect to the security policy assessment and monitoring process within your organisation:

Management Support (MS) processes

MS.1. The involvement of executive management in the information security policy development is crucial to the approval of the security policies.
MS.2. Top management plays a significant role in enforcing the information security policy so as to ensure that employees regard the policy requirements in a serious light.
MS.3. Executive management is involved in the whole process of information security policy development.
MS.4. Executive management must have sufficient budget for information security policy development.

Please add any activity that you feel is important with respect to the management support process within your organisation:

Employee Support (ES) processes

ES.1. There should be mechanisms in place to punish employees who intentionally violate the information security policy.
ES.2. Employees should sign off that they have received and reviewed the policies and agree to be bound by them.
ES.3. Job termination should be considered for employees who repeatedly violate the information security policy.
ES.4. Employees who have been trained and are aware of the information security policy requirements are likely to comply with the policy.

Please add any activity that you feel is important with respect to the employee support process within your organisation:

Policy Compliance (PCO) processes

PCO.1. An employee's positive attitude towards compliance with the organisation's information security policy positively influences their intention to comply with the requirements of the policy.
PCO.2. An employee's perceived social pressure about their compliance with the requirements of the information security policy positively influences their intention to comply with the requirements of the policy.
PCO.3. An employee's perceived benefit of compliance with the organisation's information security policy will positively influence their attitude towards complying with the requirements of the policy.
PCO.4. An employee's judgment of his/her own knowledge in complying with the requirements of the information security policy positively influences his/her intention to comply with the requirements of the policy.

Please add any activity that you feel is important with respect to the information security policy compliance process within your organisation:

Stephen V. Flowerday
Department of Information Systems, University of Fort Hare, East London, South Africa

Stephen holds a doctoral degree in Information Technology from the Nelson Mandela Metropolitan University. He is presently a professor focusing on Information Security at the University of Fort Hare. Stephen has supervised postgraduate students and published extensively within his research field.

Tite Tuyikeze
School of ICT, Sol Plaatje University, Kimberley, South Africa

Tite holds a DPhil in Information Systems from the University of Fort Hare. His primary research area focuses on the maturity assessment of information security policy. He has previously published research papers in this research area. Tite works as a senior lecturer at Sol Plaatje University.