A Semiotic Examination of the Security Policy Lifecycle

Introduction

Information Systems (IS) security issues continue to pose significant cost and damage to organizations. Cybercrime costs more than $7.35 million per U.S. organization in 2017, (Ponemon, 2017). This is a 5% increase from 2016 despite a 25% increase in organizational investment in information security in the same time period. As a result, system security is an ongoing concern for organizations and their stakeholders. The increased investment did decrease the amount of the days to identify the data breach from an average of 201 in 2016 to 191 days in 2017 (Ponemon, 2017). Also, the average days to contain the data breach from decreased from 70 to 66 days. The fact remains that malicious attacks have been continuing to escalate, as can be seen from the increased cybercrime costs.

In recent years, there have been a plethora of widely publicized security breaches. Security breaches at Equifax, Target, and Anthem in 2017, 2015, and 2014 affected billions of consumers. Information including names, social security numbers, birth dates, driver’s licenses, and addresses were all stolen. The author of this chapter was directly affected by each and every one of these incidents. The incidents were all widely reported and had a dramatic impact on the respective organizations’ stock value and earnings.

What is driving continued cybercrime is primarily a market economy deep in the black market. Products such as the personal information described above are sold in bulk to identity thieves who use this information to open lines of credit. Credit card information stolen from websites are sold for $10-$20 each (SecureWorks, 2017). Criminals lock down systems with Ransomware and demand large sums to unlock data for organizations. Mobile malware is a significant threat and will continue to grow, with information theft and spying capabilities becoming widely available (SecureWorks, 2017). Most alarmingly, the perceived gap between criminality and nation-states, in terms of both actors and capabilities, will continue to shrink (SecureWorks, 2017).

We argue that a significant contributor to the issue of internal and external IS Security breaches within organizations is a disconnect between IS Security policy formulation and IS security policy implementation. This disconnect leads to a failure of IS Security policy. This detachment manifests in several ways. For instance, a stakeholder may have intended an IS Security policy to be implemented a particular way but written it to imply a different intent. Another instantiation of the disconnect is when the intent is inferred to mean something different by a stakeholder. In practical terms, one such scenario would manifest itself in terms of a policy board creating vague policy that does not explicitly address the pertinent issues. Another instantiation of a scenario would be seen by a user interpreting a “robust” password policy to mean that they should keep track of their changing passwords via a list taped to their monitor.

Given the complexity of organizations, at a technological and social level, it is not reasonable to think there could a simple solution. Organizations have attempted to deal with this in a continuously evolving manner. The first of the three generations of security development described by Baskerville (1993) is the checklist methodology. The complexity is seen in this first and simplest of the generations. While the simplest of the three, the methodology was still a multifarious venture including unwieldy specifications that were hard to read, understand, and maintain (Baskerville, 1993). There were a variety of lists, some approaching 1,000 potentially subjective and vague items. Despite their seemingly thorough nature, Baskerville (1993) describes a major weakness of checklists in that they oversimplify the security considerations that arise in more complex information systems. Dhillon and Backhouse (2000) term this oversimplification as atheoretical.