Information security as organizational power: A framework for re-thinking security policies

P. Inglesant, M. Sasse
2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST), published 2011-11-18
DOI: 10.1109/STAST.2011.6059250 (https://doi.org/10.1109/STAST.2011.6059250)
Citations: 6

Abstract

Successful enforcement of information security requires an understanding of a complex interplay of social and technological forces. Drawing on socio-technical literature to develop an analytical framework, we examine the relationship between security policies and power in organizations. We use our framework to study three examples of security policy from a large empirical study in an international company. Each example highlights a different aspect of our framework. Our results, from in-depth interviews with 55 staff members at all levels, show that there is often non-compliance in the detail of organizational information security policies; this is not willful but is in response to shortcomings in the policy and to meet business needs. We conclude by linking our findings to recent research on the institutional economics of information security. We suggest ways in which our framework can be used by organizational decision-makers to review and re-think existing security policies.