{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T11:49:19Z","timestamp":1770464959873,"version":"3.49.0"},"reference-count":80,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2023,2,13]],"date-time":"2023-02-13T00:00:00Z","timestamp":1676246400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2023,6,26]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs).<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>This study\u2019s demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>The proposed conceptual model bears several short- and long-term implications for research. 
In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>Practitioners can use the model to develop software that assists information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-10-2022-0160","type":"journal-article","created":{"date-parts":[[2023,2,9]],"date-time":"2023-02-09T11:40:09Z","timestamp":1675942809000},"page":"331-352","source":"Crossref","is-referenced-by-count":9,"title":["Policy components \u2013 a conceptual model for modularizing and tailoring of information security policies"],"prefix":"10.1108","volume":"31","author":[{"given":"Elham","family":"Rostami","sequence":"first","affiliation":[]},{"given":"Fredrik","family":"Karlsson","sequence":"additional","affiliation":[]},{"given":"Shang","family":"Gao","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2023,2,13]]},"reference":[{"key":"key2023062211345705700_ref001","doi-asserted-by":"crossref","first-page":"101586","DOI":"10.1016\/j.cose.2019.101586","article-title":"Evaluating the effectiveness of learner controlled information security training","volume":"87","year":"2019","journal-title":"Computers and 
Security"},{"issue":"12","key":"key2023062211345705700_ref002","first-page":"41","article-title":"Users are not the enemy","volume":"42","year":"1999","journal-title":"Communication of the ACM"},{"issue":"4","key":"key2023062211345705700_ref003","doi-asserted-by":"crossref","first-page":"432","DOI":"10.1016\/j.cose.2009.12.005","article-title":"Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study","volume":"29","year":"2010","journal-title":"Computers and Security"},{"issue":"1","key":"key2023062211345705700_ref004","doi-asserted-by":"crossref","first-page":"102","DOI":"10.1108\/ICS-03-2014-0018","article-title":"An examination of factors that influence the number of information security policy violations in qatari organizations","volume":"23","year":"2015","journal-title":"Information and Computer Security"},{"issue":"4","key":"key2023062211345705700_ref005","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1016\/j.infsof.2006.05.007","article-title":"Practice-driven approach for creating project-specific software development methods","volume":"49","year":"2007","journal-title":"Information and Software Technology"},{"issue":"5\/6","key":"key2023062211345705700_ref006","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1108\/09576050210447019","article-title":"An information security meta\u2010policy for emergent organizations","volume":"15","year":"2002","journal-title":"Logistics Information Management"},{"issue":"2","key":"key2023062211345705700_ref007","first-page":"209","article-title":"Developing an information classification method","volume":"29","year":"2020","journal-title":"Information and Computer Security"},{"key":"key2023062211345705700_ref008","doi-asserted-by":"crossref","first-page":"1360","DOI":"10.1109\/CSCI.2016.0254","article-title":"Ambiguity as a barrier to information security policy compliance: a content analysis","volume-title":"2016 
International Conference on Computational Science and Computational Intelligence (CSCI)","year":"2016"},{"key":"key2023062211345705700_ref009","unstructured":"Cervera, M. (2015), \u201cA Model-Driven approach for the design, implementation, and execution of software development methods\u201d, PhD, Universitat Politecnica de Vallencia."},{"key":"key2023062211345705700_ref010","first-page":"279","article-title":"A model for information security governance in developing countries","volume-title":"International Conference on e-Infrastructure and e-Services for Developing Countries","year":"2012"},{"key":"key2023062211345705700_ref011","first-page":"1","article-title":"A software gateway to affordable and effective information security governance in SMMEs","volume-title":"2013 Information Security for South Africa, 14-16 August","year":"2013"},{"key":"key2023062211345705700_ref012","article-title":"A web-based information security management toolbox for small-to-medium enterprises in Southern africa","volume-title":"2011 Nformation Security for South Africa (ISSA 2011)","year":"2011"},{"key":"key2023062211345705700_ref013","article-title":"Integrating information security policy management with corporate risk management for strategic alignment","year":"2010"},{"key":"key2023062211345705700_ref014","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1109\/SISY.2010.5647216","article-title":"Information security management\u2014defining approaches to information security policies in ISMS","volume-title":"IEEE 8th International Symposium on Intelligent Systems and Informatics","year":"2010"},{"issue":"6","key":"key2023062211345705700_ref015","doi-asserted-by":"crossref","first-page":"1091","DOI":"10.1111\/j.1540-5915.2012.00383.x","article-title":"Employee Misuse of information technology resources: testing a contemporary deterrence model","volume":"43","year":"2012","journal-title":"Decision Sciences"},{"key":"key2023062211345705700_ref016","volume-title":"Management 
information Systems: conceptual Foundations, Structure, and Development","year":"1985"},{"key":"key2023062211345705700_ref017","volume-title":"Information Security - Text and Cases","year":"2017"},{"key":"key2023062211345705700_ref018","first-page":"82","article-title":"Utilizing, producing, and contributing design knowledge in DSR projects","volume-title":"Designing for a Digital and Globalized World - 13th International Conference, DESRIST 2018","year":"2018"},{"issue":"3","key":"key2023062211345705700_ref019","first-page":"130","article-title":"Methodological triangulation: a vehicle for merging quantitative and qualitative research methods","volume":"19","year":"1987","journal-title":"Image: The Journal of Nursing Scholarship"},{"key":"key2023062211345705700_ref020","article-title":"ENISA Threat landscape 2014. Overview of current and emerging cyber-threats","author":"Enisa","year":"2014"},{"key":"key2023062211345705700_ref021","article-title":"Ernst and young 2008 global information security survey","author":"Ernst and Young","year":"2008"},{"key":"key2023062211345705700_ref022","article-title":"Borderless security - Ernst and young\u2019s 2010 global information security survey","author":"Ernst and Young","year":"2010"},{"key":"key2023062211345705700_ref023","doi-asserted-by":"crossref","first-page":"169","DOI":"10.1016\/j.cose.2016.06.002","article-title":"Information security policy development and implementation: the what, how and who","volume":"61","year":"2016","journal-title":"Computers and Security"},{"key":"key2023062211345705700_ref024","volume-title":"The discovery of Grounded Theory: strategies for Qualitative Research","year":"1967"},{"issue":"4","key":"key2023062211345705700_ref025","doi-asserted-by":"crossref","first-page":"281","DOI":"10.1016\/j.jsis.2010.10.002","article-title":"Metrics for characterizing the form of security policies","volume":"19","year":"2010","journal-title":"The Journal of Strategic Information 
Systems"},{"issue":"5","key":"key2023062211345705700_ref026","first-page":"4","article-title":"Method Engineering as design science","volume":"21","year":"2020","journal-title":"Journal of the Association for Information Systems (2020)"},{"issue":"5","key":"key2023062211345705700_ref027","doi-asserted-by":"crossref","first-page":"312","DOI":"10.17705\/1jais.00129","article-title":"The Anatomy of a design theory","volume":"8","year":"2007","journal-title":"Journal of the Association of Information Systems"},{"issue":"8","key":"key2023062211345705700_ref028","doi-asserted-by":"crossref","first-page":"709","DOI":"10.1016\/S0167-4048(97)00009-6","article-title":"A baseline security policy for distributed healthcare information systems","volume":"16","year":"1997","journal-title":"Computers and Security"},{"key":"key2023062211345705700_ref029","unstructured":"Harmsen, A.F. (1997), \u201cSituational Method engineering\u201d, Doctorial Dissertation, University of Twente."},{"key":"key2023062211345705700_ref030","first-page":"169","article-title":"Situational method engineering for information system project approaches","volume-title":"IFIP WG8.1 Working Conference CRIS'94","year":"1994"},{"issue":"4","key":"key2023062211345705700_ref031","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1016\/j.jsis.2011.06.001","article-title":"Value conflicts for information security management","volume":"20","year":"2011","journal-title":"The Journal of Strategic Information Systems"},{"key":"key2023062211345705700_ref032","volume-title":"Situational Method Engineering","year":"2014"},{"issue":"2","key":"key2023062211345705700_ref033","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness","volume":"47","year":"2009","journal-title":"Decision Support 
Systems"},{"issue":"1","key":"key2023062211345705700_ref034","doi-asserted-by":"crossref","first-page":"75","DOI":"10.2307\/25148625","article-title":"Design science in information systems research","volume":"28","year":"2004","journal-title":"MIS quarterly"},{"issue":"5","key":"key2023062211345705700_ref035","doi-asserted-by":"crossref","first-page":"402","DOI":"10.1016\/S0167-4048(02)00504-7","article-title":"Information security policy \u2013 what do international information security standards say?","volume":"21","year":"2002","journal-title":"Computers and Security"},{"issue":"6","key":"key2023062211345705700_ref036","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1016\/S1353-4858(02)06011-7","article-title":"What makes an effective information security policy?","volume":"2002","year":"2002","journal-title":"Network Security"},{"key":"key2023062211345705700_ref037","first-page":"1","article-title":"The effective implementation of information security in organizations","volume-title":"Security in the Information Society - Visions and Perspective","year":"2002"},{"key":"key2023062211345705700_ref038","article-title":"Formulation and development process of information security policy in higher education","volume-title":"1st International Conference on Engineering Technology and Applied Sciences","year":"2016"},{"key":"key2023062211345705700_ref039","article-title":"ISO\/IEC 27000:2017 information technology - Security techniques - Information security management systems \u2013 Overview and vocabulary","author":"ISO","year":"2017"},{"issue":"6","key":"key2023062211345705700_ref040","doi-asserted-by":"crossref","first-page":"690","DOI":"10.1057\/ejis.2012.30","article-title":"Longitudinal use of method rationale in method configuration: an exploratory study","volume":"22","year":"2013","journal-title":"European Journal of Information 
Systems"},{"issue":"9","key":"key2023062211345705700_ref041","doi-asserted-by":"crossref","first-page":"619","DOI":"10.1016\/j.infsof.2003.12.004","article-title":"Method configuration: adapting to situational characteristics while creating reusable assets","volume":"46","year":"2004","journal-title":"Information and Software Technology"},{"issue":"3","key":"key2023062211345705700_ref042","doi-asserted-by":"crossref","first-page":"51","DOI":"10.4018\/jdm.2009070103","article-title":"Towards structured flexibility in information systems development: devising a method for method configuration","volume":"20","year":"2009","journal-title":"Journal of Database Management"},{"issue":"1","key":"key2023062211345705700_ref043","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1057\/palgrave.ejis.3000596","article-title":"Combining method engineering with activity theory: theoretical grounding of the method component concept","volume":"15","year":"2006","journal-title":"European Journal of Information Systems"},{"key":"key2023062211345705700_ref044","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1016\/j.cose.2016.12.012","article-title":"Practice-based discourse analysis of information security policies","volume":"67","year":"2017","journal-title":"Computers and Security"},{"key":"key2023062211345705700_ref045","first-page":"1","article-title":"Developing Organization-Specific information security policies","year":"2018","journal-title":"Pacis 2018"},{"key":"key2023062211345705700_ref046","first-page":"126","article-title":"Information security policy creating","volume":"12","year":"2011","journal-title":"Actual Problems of Economics"},{"issue":"4","key":"key2023062211345705700_ref047","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1016\/j.cose.2006.02.008","article-title":"A prototype for assessing information security awareness","volume":"25","year":"2006","journal-title":"Computers and 
Security"},{"issue":"8","key":"key2023062211345705700_ref048","doi-asserted-by":"crossref","first-page":"691","DOI":"10.1016\/0167-4048(96)81709-3","article-title":"A new model for information security policies","volume":"14","year":"1995","journal-title":"Computers and Security"},{"key":"key2023062211345705700_ref049","first-page":"513","article-title":"Applying Action research in the formulation of information security policies","volume-title":"New Contributions in Information Systems and Technologies","year":"2015"},{"key":"key2023062211345705700_ref050","unstructured":"Nash, K.S. and Greenwood, D. (2008), \u201cThe global state of information security\u201d, CIO Magazine (reprinted by PriceWaterhouseCoopers)."},{"key":"key2023062211345705700_ref051","article-title":"Crafting an information security policy: insights from an ethnographic study","volume-title":"The 37th International Conference on Information Systems (ICIS 2016)","year":"2016"},{"issue":"4","key":"key2023062211345705700_ref052","first-page":"20","article-title":"Toward a broader vision for information systems","volume":"2","year":"2011","journal-title":"ACM Transactions on Management Information Systems"},{"issue":"2","key":"key2023062211345705700_ref053","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1201\/1086\/43314.10.2.20010506\/31399.4","article-title":"Information Security policy framework: best practices for security policy in the E-commerce age","volume":"10","year":"2001","journal-title":"Information Systems Security"},{"issue":"3","key":"key2023062211345705700_ref054","doi-asserted-by":"crossref","first-page":"45","DOI":"10.2753\/MIS0742-1222240302","article-title":"A design science research methodology for information systems research","volume":"24","year":"2007","journal-title":"Journal of Management Information Systems"},{"issue":"4","key":"key2023062211345705700_ref055","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving 
Employees' compliance Through information systems security training: an action research study","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2023062211345705700_ref056","unstructured":"Pwc (2014), \u201cThe information security breaches survey - Technical report, Department for Business, Innovation and Skills (BIS), London, UK."},{"key":"key2023062211345705700_ref057","unstructured":"Pwc (2018), The Global State of Information Security Survey 2018, PriceWaterhouseCoopers."},{"key":"key2023062211345705700_ref058","first-page":"440","article-title":"Using Contextual goal models for constructing situational methods","volume-title":"Conceptual Modeling - 37th International Conference, ER 2018 Xi'an, China, October 22\u201325, 2018 Proceedings","year":"2018"},{"key":"key2023062211345705700_ref059","article-title":"An Assembly process model for method engineering","volume-title":"The 13th Conference on Advanced Information Systems Engineering (CAiSe '01)","year":"2001"},{"issue":"4","key":"key2023062211345705700_ref060","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1108\/09685221211267666","article-title":"Health service employees and information security policies: an uneasy partnership?","volume":"20","year":"2012","journal-title":"Information Management and Computer Security"},{"key":"key2023062211345705700_ref061","first-page":"191","article-title":"A Proposal For Context-Specific method engineering","volume-title":"Proceedings of the IFIP TC8, WG8.1\/8.2 Working Conference on Method Engineering on Method Engineering","year":"1996"},{"key":"key2023062211345705700_ref062","first-page":"1","article-title":"Tailoring policies and involving users in constructing security policies: a mapping study","volume-title":"Thirteenth International Symposium on Human Aspects of Information Security and Assurance, HAISA 2019, Nicosia, Cyprus, July 15-16, 2019, 
Proceedings","year":"2019"},{"key":"key2023062211345705700_ref063","doi-asserted-by":"crossref","first-page":"102063","DOI":"10.1016\/j.cose.2020.102063","article-title":"Requirements for computerized tools to design information security policies","volume":"99","year":"2020","journal-title":"Computers and Security"},{"key":"key2023062211345705700_ref064","article-title":"Policy components - a conceptual model for tailoring information security policies","volume-title":"IFIP International Symposium on Human Aspects of Information Security and Assurance (HAISA 2022)","year":"2022"},{"issue":"2","key":"key2023062211345705700_ref065","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1108\/ICS-07-2019-0079","article-title":"The hunt for computerized support in information security policy management: a literature review","volume":"28","year":"2020","journal-title":"Information and Computer Security"},{"issue":"3","key":"key2023062211345705700_ref066","doi-asserted-by":"crossref","first-page":"1833","DOI":"10.1007\/s10270-018-0692-3","article-title":"Method engineering in information systems analysis and design: a balanced scorecard approach for method improvement","volume":"18","year":"2019","journal-title":"Software and Systems Modeling"},{"key":"key2023062211345705700_ref067","article-title":"Patient Data act","author":"Sfs 2008:355","year":"2008"},{"key":"key2023062211345705700_ref068","first-page":"373","article-title":"Who Falls for phish? 
A demographic analysis of phishing susceptibility and effectiveness of interventions","volume-title":"The SIGCHI Conference on Human Factors in Computing Systems 2010","year":"2010"},{"key":"key2023062211345705700_ref069","doi-asserted-by":"crossref","first-page":"675","DOI":"10.1109\/ARES.2009.106","article-title":"Information Security optimization: from theory to practice","volume-title":"2009 International Conference on Availability, Reliability and Security","year":"2009"},{"issue":"7","key":"key2023062211345705700_ref070","doi-asserted-by":"crossref","first-page":"445","DOI":"10.17705\/1jais.00095","article-title":"Six Design theories for IS security policies and guidelines","volume":"7","year":"2006","journal-title":"Journal of Association of Information Systems"},{"issue":"2","key":"key2023062211345705700_ref071","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1016\/j.im.2013.08.006","article-title":"Employees\u2019 adherence to information security policies: an exploratory field study","volume":"51","year":"2014","journal-title":"Information and Management"},{"issue":"1","key":"key2023062211345705700_ref072","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1111\/j.1365-2575.2011.00378.x","article-title":"Information security policies in the UK healthcare sector: a critical evaluation","volume":"22","year":"2012","journal-title":"Information Systems Journal"},{"issue":"2","key":"key2023062211345705700_ref073","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1016\/j.cose.2004.07.001","article-title":"Analysis of end user security behaviors","volume":"24","year":"2005","journal-title":"Computers and Security"},{"issue":"10","key":"key2023062211345705700_ref074","first-page":"1162","article-title":"The use of AHP in security policy decision making: an open office calc application","volume":"5","year":"2010","journal-title":"Journal of Software"},{"key":"key2023062211345705700_ref075","first-page":"11","article-title":"Information 
Security policy development and implementation: a content analysis approach","volume-title":"Haisa","year":"2014"},{"issue":"3","key":"key2023062211345705700_ref076","doi-asserted-by":"crossref","first-page":"119","DOI":"10.1108\/09685220210431872","article-title":"The information security management toolbox \u2013 taking the pain out of security management","volume":"10","year":"2002","journal-title":"Information Management and Computer Security"},{"key":"key2023062211345705700_ref077","first-page":"123","article-title":"Security Policy - From design to maintenance","volume-title":"Information Security \u2013 Policy, Processes, and Practices","year":"2008"},{"issue":"6","key":"key2023062211345705700_ref078","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1145\/303849.303868","article-title":"Considerations for an effective Telecommunications-Use policy","volume":"42","year":"1999","journal-title":"Communications of the ACM"},{"key":"key2023062211345705700_ref079","first-page":"189","article-title":"Method Components - Rationale revealed","volume-title":"The 16th International Conference on Advanced Information Systems Engineering (CAiSE 2004)","year":"2004"},{"issue":"8","key":"key2023062211345705700_ref080","doi-asserted-by":"crossref","first-page":"667","DOI":"10.1016\/0167-4048(96)81706-8","article-title":"Writing InfoSec policies","volume":"14","year":"1995","journal-title":"Computers and Security"}],"container-title":["Information &amp; Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-10-2022-0160\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-10-2022-0160\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:16Z","timestamp":1753406596000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/31\/3\/331-352\/104031"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,2,13]]},"references-count":80,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,2,13]]},"published-print":{"date-parts":[[2023,6,26]]}},"alternative-id":["10.1108\/ICS-10-2022-0160"],"URL":"https:\/\/doi.org\/10.1108\/ics-10-2022-0160","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,2,13]]}}}