Information Security by Words Alone: The Case for Strong Security Policies

Information Security by Words Alone: The Case for Strong Security Policies

Kirk P. Arnett (Mississippi State University, USA), Gary F. Templeton (Mississippi State University, USA) and David A. Vance (Olivet Nazarene University, USA)
DOI: 10.4018/978-1-60960-200-0.ch011
OnDemand PDF Download:
No Current Special Offers


Effective information security extends beyond using software controls that are so prominently discussed in the popular and academic literature. There must also be management influence and control. The best way to control information security is through formal policy and measuring the effectiveness of existing policies. The purpose of this research is to determine 1) what security elements are embedded in Web-based information security policy statements and 2) what security-related keywords appear more frequently. The authors use these findings to propose a density measure (the extent to which each policy uses security keywords) as an indicator of policy strength. For these purposes, they examine the security component of privacy policies of Fortune 100 Web sites. The density measure may serve as a benchmark that can be used as a basis for comparison across companies and the development of industry norms.
Chapter Preview

Addressing The Problem

U.S. businesses have a strong interest in data protection and the efforts that are underway to protect the personal information of its customer community. From a business standpoint, policy is used to specify the company’s approach to security. Management selects and implements technology, but it is policy that guides and coordinates the selection and implementation of technologies. Security policy issues ranked sixth in an international survey of 874 certified information system security professionals (Knapp, Marshall, Rainer, and Morrow, 2006). There is no evidence that the importance of security policies should or will change in the foreseeable future.

Web-based security policies must reach beyond protecting against the threats of hackers and must extend to the causes of and solutions to insider threats. These Internal security breaches often result from worker stress brought on by organizational change or unpredictability. Events that may trigger internal breaches include “reengineering, downsizing, upsizing, mergers or acquisitions, rapid changes in markets or the economy, litigation, organized labor actions, and other traumatic phenomena” (Parker, 1996, p. 21). Although a company safeguards personal information from traditional hackers, there is evidence from the authoritative CSI Annual Security Survey respondents that more serious problems exist as “insider attacks edged out virus incidents as the most pressing security problem” (Richardson, 2007, p. 2).

Complete Chapter List

Search this Book: