Disassociations in Security Policy Lifecycles

Introduction

Information Systems (IS) security issues continue to pose significant cost and damage to organizations. Cybercrime costs more than $8.9 million per U.S. organization in 2012, a $500,000 increase from 2011 (George, 2013; Ponemon, 2012). In addition, in 2012, 86% of websites contained at least one serious vulnerability even though 81% of organizations had implemented strong password controls into its web applications. Research has also found that phishers, for instance, mainly target the innocent consumer, likely the weakest link in the security chain (Purkait, 2012). As a result, system security is an ongoing concern for organizations and their stakeholders.

In recent years, there have been a plethora of widely publicized security breaches. Security breaches at Home Depot, Target, and Anthem in 2014 and 2015 affected hundreds of millions of consumers. The authors of this paper were directly affected by these incidents. Another major breach that directly affected millions was the TJX breach that resulted in 45 million credit and debit card numbers being stolen from its IT systems in 2007 (Gaudin, 2007). These incidents were all widely reported and had a dramatic impact on the organizations’ stock value and earnings.

Discussing these spectacular security anecdotes would occupy reams of paper and not validate the problem statement. Statistical data, however, also backs up the case that IS Security breaches continue to be a concern within organizations. The latest CSI survey indicates that 43% of respondents had experienced security incidents with an average loss of $288,618 per incident (Richardson, 2008). Though the trend has been volatile in the last few years, it is likely that security breaches will increase dramatically in light of the current economic conditions (Richardson, 2008).

A significant contributor to the issue of internal and external IS Security breaches within organizations is a disconnect between IS Security policy formulation and IS security policy implementation. This disconnect leads to a failure of IS Security policy. This detachment manifests in several ways. For instance, a stakeholder may have intended an IS Security policy to be implemented a particular way but written it to imply a different intent. Another instantiation of the disconnect is when the intent is inferred to mean something different by a stakeholder. In practical terms, one such scenario would manifest itself in terms of a policy board creating vague policy that does not explicitly address the pertinent issues. Another instantiation of a scenario would be seen by a user interpreting a “robust” password policy to mean that they should keep track of their changing passwords via a list taped to their monitor.

Given the complexity of organizations, at a technological and social level, it is not reasonable to think there could a simple solution. Organizations have attempted to deal with this in a continuously evolving manner. The first of the three generations of security development described by Baskerville (1993) is the checklist methodology. The complexity is seen in this first and simplest of the generations. While the simplest of the three, the methodology was still a multifarious venture including unwieldy specifications that were hard to read, understand, and maintain (Baskerville, 1993). There were a variety of lists, some approaching 1,000 potentially subjective and vague items. Despite their seemingly thorough nature, Baskerville (1993) describes a major weakness of checklists in that they oversimplify the security considerations that arise in more complex information systems. Dhillon and Backhouse (2000) term this oversimplification as atheoretical.