{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T01:22:05Z","timestamp":1773796925780,"version":"3.50.1"},"reference-count":26,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2012,10,5]],"date-time":"2012-10-05T00:00:00Z","timestamp":1349395200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012,10,5]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>The information security policy document of an organization needs to be translated into controls and procedures at the implementation level. The technical and business personnel in\u2010charge of implementing the controls and procedures need to consider a large number of security\u2010related statements from a heterogeneous pool of security documentation and decide on the implementation plan. The purpose of this paper is to propose an approach to analyze a set of security statements to establish an implicit hierarchy and relative importance among them.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>A set of statements relevant to e\u2010mail service security is chosen from the classified documentation of an IT firm. The authors contacted the technical person who was the owner of this service to obtain a one\u2010on\u2010one comparison between the policies. These policies and their inter\u2010relationships are represented as a graph. Centrality measures based on the in and out degrees of a node are used to calculate the relative importance of a policy. The authors present an improved approach based on DEMATEL, which considers the level of influence of one policy on another.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>Security statements fall into different categories based on their relative intensity and nature. They could be of high importance or low on one axis and of driving or receiving nature on the other. The driver policies are the action items that could be implemented to satisfy a large number of other security requirements. The policies that are predominantly receiver in nature, for their fulfillment, need many other requirements to be satisfied.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>The intense driver policies are the ones to be considered for immediate implementation so as to achieve maximum benefits. If such an action item cannot be implemented at the level of consideration, it needs to be communicated to the appropriate level where it could be addressed effectively. An orphaned policy statement can indicate to a high\u2010level requirement left without any action plan or an unnecessary control. Establishing clear linkages between the implemented controls and the organization's security policy document could be very effective in convincing the employees to adhere to security practices.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>Analyzing a set of informal security statements to identify the linkages between them is a novel idea. While other works establish the need for translating the security policy to lower levels of implementation, the authors propose an approach to identify the existence or absence of an effective translation. The graph representation with associated centrality measures, and the application of DEMATEL technique to deduce the nature and intensity of security statements are not yet found in literature.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685221211267648","type":"journal-article","created":{"date-parts":[[2013,3,25]],"date-time":"2013-03-25T11:47:58Z","timestamp":1364212078000},"page":"264-280","source":"Crossref","is-referenced-by-count":16,"title":["Identifying linkages between statements in information security policy, procedures and controls"],"prefix":"10.1108","volume":"20","author":[{"given":"Vinod","family":"Pathari","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rajendra","family":"Sonar","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022032020135552900_b1","unstructured":"Barman, S. (2001), Writing Information Security Policies, SAMS, Indianapolis, IN."},{"key":"key2022032020135552900_b2","doi-asserted-by":"crossref","unstructured":"Bonacich, P. (1987), \u201cPower and centrality: a family of measures\u201d, American Journal of Sociology, Vol. 92 No. 5, pp. 1170\u201082.","DOI":"10.1086\/228631"},{"key":"key2022032020135552900_b3","unstructured":"Borgatti, S.P. (2002), NetDraw: Graph Visualization Software, Analytic Technologies, Harvard, MA."},{"key":"key2022032020135552900_b4","unstructured":"Borgatti, S.P., Everett, M.G. and Freeman, LC. (2002), UCINET for Windows: Software for Social Network Analysis, Analytic Technologies, Harvard, MA."},{"key":"key2022032020135552900_b26","unstructured":"Clearswift (2010), \u201cSecurity awareness research\u201d, available at: www.clearswift.com\/securityawareness (accessed May 11, 2011)."},{"key":"key2022032020135552900_b24","unstructured":"Computer Science Corporation (2011), Critical Issues of Information Systems Management, available at: http:\/\/assets1.csc.com\/newsroom\/downloads\/2503_1.pdf (accessed May 3)."},{"key":"key2022032020135552900_b5","doi-asserted-by":"crossref","unstructured":"Cosic, Z. and Boban, M. (2010), \u201cInformation security management \u2013 defining approaches to information security policies in ISMS\u201d, Proceedings of the 8th IEEE International Symposium on Intelligent Systems and Informatics (SISY'10), Serbia, pp. 83\u20105.","DOI":"10.1109\/SISY.2010.5647216"},{"key":"key2022032020135552900_b6","doi-asserted-by":"crossref","unstructured":"Doherty, N.F. and Fulford, H. (2005), \u201cDo information security policies reduce the incidence of security breaches: an exploratory analysis\u201d, Information Resources Management Journal, Vol. 18 No. 4, pp. 21\u20108.","DOI":"10.4018\/irmj.2005100102"},{"key":"key2022032020135552900_b7","doi-asserted-by":"crossref","unstructured":"Doherty, N.F. and Fulford, H. (2006), \u201cAligning the information security policy with the strategic information systems plan\u201d, Computers & Security, Vol. 25 No. 1, pp. 55\u201063.","DOI":"10.1016\/j.cose.2005.09.009"},{"key":"key2022032020135552900_b8","doi-asserted-by":"crossref","unstructured":"Freeman, L.C. (1977), \u201cA set of measures of centrality based on betweenness\u201d, Sociometry, Vol. 40 No. 1, pp. 34\u201041.","DOI":"10.2307\/3033543"},{"key":"key2022032020135552900_b9","doi-asserted-by":"crossref","unstructured":"Harlow, J. (2001), \u201cSecurity policy \u2013 an individual view\u201d, VINE, Vol. 31 No. 2, pp. 17\u201022.","DOI":"10.1108\/03055720010803970"},{"key":"key2022032020135552900_b10","unstructured":"Hoagland, J.A., Pandey, R. and Levitt, K.N. (1998), \u201cSecurity policy specification using a graphical approach\u201d, CoRR, Vol. cs.CR\/9809124, available at: http:\/\/arxiv.org\/abs\/cs\/9809124."},{"key":"key2022032020135552900_b11","doi-asserted-by":"crossref","unstructured":"Hone, K. and Eloff, J.H.P. (2002a), \u201cInformation security policy \u2013 what do international information security standards say?\u201d, Computers & Security, Vol. 21 No. 5, pp. 402\u20109.","DOI":"10.1016\/S0167-4048(02)00504-7"},{"key":"key2022032020135552900_b12","doi-asserted-by":"crossref","unstructured":"Hone, K. and Eloff, J.H.P. (2002b), \u201cWhat makes an effective information security policy?\u201d, Network Security, Vol. 2002 No. 6, pp. 14\u201016.","DOI":"10.1016\/S1353-4858(02)06011-7"},{"key":"key2022032020135552900_b13","doi-asserted-by":"crossref","unstructured":"Hu, J. (2009), \u201cIdea to derive security policies from collaborative business processes\u201d, Proceedings of the 13th IEEE Enterprise Distributed Object Computing Conference Workshops (EDOC'09), Auckland.","DOI":"10.1109\/EDOCW.2009.5331987"},{"key":"key2022032020135552900_b14","doi-asserted-by":"crossref","unstructured":"Hwang, C.L. and Lin, M.J. (1987), Group Decision Making Under Multiple Criteria, Lecture Notes in Economics and Mathematical Systems, Vol. 281, Springer, Heidelberg.","DOI":"10.1007\/978-3-642-61580-1"},{"key":"key2022032020135552900_b25","unstructured":"nCircle (2010), Information Security and Compliance \u2013 Trend Study, available at: www.ncircle.com\/pdf\/studies\/nCircle\u2010WP\u20102010TrendStudy\u20101062\u201001.pdf (accessed May 10, 2011)."},{"key":"key2022032020135552900_b15","doi-asserted-by":"crossref","unstructured":"Pahnila, S., Siponen, M. and Mahmood, A. (2007), \u201cEmployees' behavior towards is security policy compliance\u201d, 40th Annual Hawaii International Conference on System Sciences (HICSS'07), Computer Society Press, Washington, DC.","DOI":"10.1109\/HICSS.2007.206"},{"key":"key2022032020135552900_b16","doi-asserted-by":"crossref","unstructured":"Schneider, F. (2000), \u201cEnforceable security policies\u201d, ACM Transactions on Information and System Security, Vol. 3 No. 1, pp. 30\u201050.","DOI":"10.1145\/353323.353382"},{"key":"key2022032020135552900_b17","doi-asserted-by":"crossref","unstructured":"Singh, A., Ramakrishnan, C.R., Ramakrishnan, I.V., Stoller, S.D. and Warren, D.S. (2007), \u201cSecurity policy analysis using deductive spreadsheets\u201d, Proceedings of the 2007 ACM Workshop on Formal Methods in Security Engineering (FMSE'07), ACM Press, Fairfax, VA.","DOI":"10.1145\/1314436.1314443"},{"key":"key2022032020135552900_b18","doi-asserted-by":"crossref","unstructured":"Siponen, M. (2006), \u201cInformation security standards focus on the existence of process, not its content\u201d, Communications of the ACM, Vol. 49 No. 8, pp. 97\u2010100.","DOI":"10.1145\/1145287.1145316"},{"key":"key2022032020135552900_b20","unstructured":"Tiller, J. (2011), Adaptive Security Management Architecture, CRC Press, Boca Raton, FL."},{"key":"key2022032020135552900_b21","doi-asserted-by":"crossref","unstructured":"Turner, R. (2011), \u201cA new focus for IT security?\u201d, Computer Fraud & Security, Vol. 2011 No. 2, pp. 7\u201011.","DOI":"10.1016\/S1361-3723(11)70016-1"},{"key":"key2022032020135552900_b19","doi-asserted-by":"crossref","unstructured":"vonSolms, B. and von Solms, R. (2004), \u201cThe 10 deadly sins of information security management\u201d, Computers & Security, Vol. 23 No. 5, pp. 371\u20106.","DOI":"10.1016\/j.cose.2004.05.002"},{"key":"key2022032020135552900_b22","doi-asserted-by":"crossref","unstructured":"Whitman, M.E. (2003), \u201cEnemy at the gate: threats to information security\u201d, Communications of the ACM, Vol. 46 No. 8, pp. 91\u20105.","DOI":"10.1145\/859670.859675"},{"key":"key2022032020135552900_b23","doi-asserted-by":"crossref","unstructured":"Yang, C. and Zhang, C.N. (2003), \u201cAn XML\u2010based administration method on role\u2010based access control in the enterprise environment\u201d, Information Management & Computer Security, Vol. 11 No. 5, pp. 249\u201057.","DOI":"10.1108\/09685220310500162"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221211267648\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221211267648\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:25Z","timestamp":1753402165000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/20\/4\/264-280\/174720"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012,10,5]]},"references-count":26,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2012,10,5]]}},"alternative-id":["10.1108\/09685221211267648"],"URL":"https:\/\/doi.org\/10.1108\/09685221211267648","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2012,10,5]]}}}