About this project
In progress 2017 - 2022
Information assets have become critical in most organisations. Therefore, it is hardly surprising that information security management has become an important strategic issue. Information security policies are important formal controls for regulating employee security behaviour. Their purpose is to safeguard information and prevent misuse of information systems. However, most information security breaches are consequences of employees violating information security policies. It has been shown that the design of information security policies can itself impair employees’ information security behaviour, because the policies are cumbersome and sometimes incompatible with existing work practices.
Consequently, it is relevant to question the usefulness of today’s information security policies in guiding employee behaviours. Although a great deal of consensus exists with regard to the importance of information security policies, less attention has been given to the design of such policies, not to mention the design of computerized tools that support information security managers in carrying out this challenging task. The aim of this project is to develop a design theory and a computerized tool supporting information security managers when developing modular information security policies, taking into account both an employee and a management perspective.