Nothing Standard About It: An Analysis of Minimum Security Standards in Organizations

Cited by: 0
Authors
Weidman, Jake [1 ,2 ,3 ]
Bilogrevic, Igor [2 ]
Grossklags, Jens [3 ]
Affiliations
[1] Penn State Univ, Appl Res Lab, State Coll, PA 16801 USA
[2] Google, Zurich, Switzerland
[3] Tech Univ Munich, Munich, Germany
Source
COMPUTER SECURITY, ESORICS 2020 INTERNATIONAL WORKSHOPS | 2020 / Vol. 12580
Keywords
POLICY;
DOI
10.1007/978-3-030-66504-3_16
Chinese Library Classification
TP18 [Artificial intelligence theory];
Discipline classification code
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Written security policies are an important part of the complex set of measures to protect organizations from adverse events. However, research detailing these policies and their effectiveness is comparatively sparse. We tackle this research gap by conducting an analysis of a specific user-oriented sub-component of a full information security policy, the Minimum Security Standard. Specifically, we conduct an analysis of 29 publicly accessible minimum security standard documents from U.S. academic institutions. We study the prevalence of an extensive set of user-oriented provisions across these statements such as who is being addressed, whether the standard is considered binding and how it is being enforced, and which specific procedures and practices for users are introduced. We demonstrate significant diversity in focus, style and comprehensiveness in this sample of minimum security standards and discuss their significance within the overall security landscape of organizations.
Pages: 263 / 282
Page count: 20