dc.contributor.author: Paananen, Hanna
dc.date.accessioned: 2023-01-30T12:05:53Z
dc.date.available: 2023-01-30T12:05:53Z
dc.date.issued: 2023
dc.identifier.isbn: 978-951-39-9297-2
dc.identifier.uri: https://jyx.jyu.fi/handle/123456789/85239
dc.description.abstract: Information security policies (ISPs) are at the core of organizations’ information security efforts. They set objectives for protecting information assets and direct employees to achieve these goals. Advice for ISP development is available both in research and best practice literature. A common approach to describing ISP development is a lifecycle model that depicts inputs such as assessments, the ISP creation, and outputs that are implemented and maintained until the cycle starts again. However, ISP development needs to be planned to support the business requirements by adapting the method and the resulting policy to fit the context. The rules that are created in this process must be well considered so that employees are able to follow them in their daily work without conflicts with their other duties. This dissertation presents an action research study on ISP development. Its theoretical base is constructed around the idea that the ISP subject is a moral thinker who will make decisions about complying with rules by weighing options to reach the best possible results. This has implications for the ISP development process. The policy developers must be able to critically assess the alternatives for new rules based on their knowledge of the operations of the organization. In the study, the researcher helped a consultant firm to reconfigure their ISP development service to one that serves the client organization’s information security needs better. A set of 11 critical considerations were introduced to support critical thinking during the development process. They were based on previous research and needs expressed by companies. The critical considerations were used to highlight issues in the ISP development that needed new practices to foster critical thinking. During four cycles of action research, new practices were formed in the ISP development process to improve the gathering of facts and employee opinions in the client organization.
This dissertation contributes to the current research on ISP development by presenting a way to convert general guidelines to local practices. The critical considerations can be used to further study the success of ISP development, and they can be easily implemented by practitioners in new contexts. [en]
dc.format.mimetype: application/pdf
dc.language.iso: eng
dc.publisher: Jyväskylän yliopisto
dc.relation.ispartofseries: JYU dissertations
dc.rights: In Copyright
dc.title: Information security policy development : considering the practices of making rules
dc.type: Diss.
dc.identifier.urn: URN:ISBN:978-951-39-9297-2
dc.contributor.tiedekunta: Faculty of Information Technology [en]
dc.contributor.tiedekunta: Informaatioteknologian tiedekunta [fi]
dc.contributor.yliopisto: University of Jyväskylä [en]
dc.contributor.yliopisto: Jyväskylän yliopisto [fi]
dc.relation.issn: 2489-9003
dc.rights.copyright: © The Author & University of Jyväskylä
dc.rights.accesslevel: openAccess
dc.type.publication: doctoralThesis
dc.format.content: fulltext
dc.rights.url: https://rightsstatements.org/page/InC/1.0/


Except where otherwise noted, this item's license is described as In Copyright