{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T08:58:25Z","timestamp":1769072305236,"version":"3.49.0"},"reference-count":53,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2019,11,21]],"date-time":"2019-11-21T00:00:00Z","timestamp":1574294400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,11,21]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>Colleges and universities across the USA have seen data breaches and intellectual property theft rise at a heightened rate over the past several years. An integral step in the first line of defense against various forms of attacks are (written) security policies designed to prescribe the construction and function of a technical system, while simultaneously guiding the actions of individuals operating within said system. Unfortunately, policy analysis is an insufficiently discussed topic in many academic communities with very little research being conducted in this space.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This work aims to assess the current state of information security policies by analyzing in-use policies from 200 universities and colleges in the USA with the goal of identifying important features and general attributes of these documents. The authors accomplish this through a series of analyzes designed to examine the language and construction of these policies.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>To summarize high-level results, the authors found that only 54 per cent of the top 200 universities had publicly accessible information security policies, and the policies that were examined lacked consistency with little shared source material. The authors also found that the tonal makeup of these policies lacked a great deal of emotion, but contained a high amount of tentative or ambiguous language leading toward policies that could be viewed as \u201cunclear.\u201d<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This work is an extension of a paper that was presented at ECIS 2018. The authors have added additional analyzes including a cross-policy content and tonal analysis to strengthen the findings and implications of this work for the wider research audience.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-12-2018-0142","type":"journal-article","created":{"date-parts":[[2019,12,11]],"date-time":"2019-12-11T05:16:41Z","timestamp":1576041401000},"page":"423-444","source":"Crossref","is-referenced-by-count":5,"title":["Assessing the current state of information security policies in academic organizations"],"prefix":"10.1108","volume":"28","author":[{"given":"Jake","family":"Weidman","sequence":"first","affiliation":[]},{"given":"Jens","family":"Grossklags","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"1","key":"key2020071513123851900_ref001","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1111\/j.1744-6570.1991.tb00688.x","article-title":"The big five personality dimensions and job performance: a Meta-analysis","volume":"44","year":"1991","journal-title":"Personnel Psychology"},{"key":"key2020071513123851900_ref002","article-title":"International comparison of bank fraud reimbursement: Customer perceptions and contractual terms","volume-title":"Workshop on the Economics of Information Security (WEIS)","year":"2016"},{"issue":"2","key":"key2020071513123851900_ref003","doi-asserted-by":"crossref","first-page":"151","DOI":"10.1057\/ejis.2009.8","article-title":"If someone is watching, I\u2019ll do what I\u2019m asked: mandatoriness, control, and information security","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"9","key":"key2020071513123851900_ref004","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1353-4858(16)30086-1","article-title":"Ransomware attacks: detection, prevention and cure","volume":"2016","year":"2016","journal-title":"Network Security"},{"issue":"3","key":"key2020071513123851900_ref005","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020071513123851900_ref006","first-page":"63","article-title":"Human factors issues in computer and e-business security","volume-title":"Handbook of Integrated Risk Management for e-Business: measuring, Modeling and Managing Risk","year":"2005"},{"issue":"6","key":"key2020071513123851900_ref007","doi-asserted-by":"publisher","first-page":"449","DOI":"10.1016\/j.ijinfomgt.2009.05.003","article-title":"The information security policy unpacked: a critical study of the content of university policies","volume":"29","year":"2009","journal-title":"International Journal of Information Management"},{"key":"key2020071513123851900_ref008","volume-title":"Public Policy Analysis","year":"2015"},{"key":"key2020071513123851900_ref009","unstructured":"Durgin, M. (2007), \u201cUnderstanding the importance of and implementing internal security measures\u201d, SANS Institute Reading Room, available at: www2.sans.org\/reading_room\/whitepapers\/policyissues\/1901.php"},{"issue":"4","key":"key2020071513123851900_ref010","doi-asserted-by":"crossref","first-page":"712","DOI":"10.1037\/0022-3514.53.4.712","article-title":"Universals and cultural differences in the judgments of facial expressions of emotion","volume":"53","year":"1987","journal-title":"Journal of Personality and Social Psychology"},{"key":"key2020071513123851900_ref011","volume-title":"Yahoo Data Breach Is among the Biggest in History","year":"2016"},{"key":"key2020071513123851900_ref012","first-page":"276","article-title":"A comparison of features for automatic readability assessment","year":"2010"},{"key":"key2020071513123851900_ref013","first-page":"180","article-title":"The methodology of positive economics","volume":"2","year":"1953","journal-title":"The Philosophy of Economics: An Anthology"},{"key":"key2020071513123851900_ref014","volume-title":"Campus Announces Data Breach","year":"2015"},{"issue":"3","key":"key2020071513123851900_ref015","first-page":"1","article-title":"2006 CSI\/FBI computer crime and security survey","volume":"22","year":"2006","journal-title":"Computer Security Journal"},{"issue":"1","key":"key2020071513123851900_ref016","first-page":"58","article-title":"Readability levels of patient education material on the world wide web","volume":"48","year":"1999","journal-title":"Journal of Family Practice"},{"key":"key2020071513123851900_ref017","article-title":"North Dakota university system hacked, roughly 300k impacted","year":"2014","journal-title":"SC Magazine"},{"key":"key2020071513123851900_ref018","first-page":"341","article-title":"Empirical studies on software notices to inform policy makers and usability designers","volume-title":"International Conference on Financial Cryptography and Data Security","year":"2007"},{"issue":"6","key":"key2020071513123851900_ref019","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1109\/MSP.2015.2462851","article-title":"Speaker recognition by machines and humans: a tutorial review","volume":"32","year":"2015","journal-title":"IEEE Signal Processing Magazine"},{"key":"key2020071513123851900_ref020","volume-title":"Investigating Apparent IT Breach, Stanford Urges Users to Update Passwords","year":"2013"},{"key":"key2020071513123851900_ref021","unstructured":"IBM (2016), \u201cWatson tone analyzer - new service now available\u201d, IBM Cloud Blog, available at: www.ibm.com\/blogs\/bluemix\/2015\/07\/ibm-watson-tone-analyzer\/"},{"key":"key2020071513123851900_ref022","first-page":"471","article-title":"Privacy policies as decision-making tools: an evaluation of online privacy notices","year":"2004"},{"key":"key2020071513123851900_ref023","volume-title":"Risk Management for Computer Security","year":"2005"},{"key":"key2020071513123851900_ref024","unstructured":"Kirlappos, I. (2016), \u201cLearning from \u2018shadow security\u2019: understanding non-compliant behaviours to improve information security management\u201d, Ph. D. thesis, University College London."},{"issue":"7","key":"key2020071513123851900_ref025","doi-asserted-by":"crossref","first-page":"493","DOI":"10.1016\/j.cose.2009.07.001","article-title":"Information security policy: an organizational-level process model","volume":"28","year":"2009","journal-title":"Computers and Security"},{"issue":"5","key":"key2020071513123851900_ref026","doi-asserted-by":"crossref","first-page":"597","DOI":"10.1016\/j.im.2003.08.001","article-title":"Why there aren\u2019t more information security research studies","volume":"41","year":"2004","journal-title":"Information and Management"},{"key":"key2020071513123851900_ref027","volume-title":"A Pre-View of Policy Sciences","year":"1971"},{"key":"key2020071513123851900_ref028","first-page":"397","article-title":"On the economics of ransomware","volume-title":"International Conference on Decision and Game Theory for Security","year":"2017"},{"key":"key2020071513123851900_ref029","article-title":"The rules of engagement for bug bounty programs","volume-title":"International Conference on Financial Cryptography and Data Security","year":"2018"},{"issue":"2\/3","key":"key2020071513123851900_ref030","first-page":"19","article-title":"Secure team composition to thwart insider threats and cyber espionage","volume":"14","year":"2014","journal-title":"ACM Transactions on Internet Technology"},{"issue":"2","key":"key2020071513123851900_ref031","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1108\/09685220210424104","article-title":"A holistic model of computer abuse within organizations","volume":"10","year":"2002","journal-title":"Information Management and Computer Security"},{"issue":"2","key":"key2020071513123851900_ref032","article-title":"Key issues for IT executives 2007","volume":"7","year":"2008","journal-title":"MIS Quarterly Executive"},{"key":"key2020071513123851900_ref033","article-title":"Target data breach spilled info on as many as 70 million customers","year":"2014"},{"issue":"4","key":"key2020071513123851900_ref034","doi-asserted-by":"crossref","first-page":"677","DOI":"10.1111\/j.1740-1461.2007.00104.x","article-title":"What\u2019s in a standard form contract? An empirical analysis of software license agreements","volume":"4","year":"2007","journal-title":"Journal of Empirical Legal Studies"},{"key":"key2020071513123851900_ref035","article-title":"The effects of security management on security events","volume-title":"Workshop on the Economics of Information Security (WEIS)","year":"2017"},{"key":"key2020071513123851900_ref036","article-title":"An online experiment on consumers\u2019 susceptibility to fall for post-transaction marketing scams","volume-title":"European Conference on Information Systems (ECIS)","year":"2014"},{"key":"key2020071513123851900_ref037","first-page":"1","article-title":"Are you ready to lose control? A theory on the role of trust and risk perception on bring-your-own-device policy and information system service quality","volume-title":"European Conference on Information Systems (ECIS)","year":"2015"},{"issue":"1","key":"key2020071513123851900_ref038","first-page":"52","article-title":"Multi-layered defense architecture against ransomware","volume":"2","year":"2017","journal-title":"International Journal of Business and Cyber Security"},{"key":"key2020071513123851900_ref039","article-title":"Recently confirmed myspace hack could be the largest yet","year":"2016"},{"key":"key2020071513123851900_ref040","article-title":"Cost of cyber crime study and the risk of business innovation","author":"Ponemon Institute","year":"2016"},{"key":"key2020071513123851900_ref041","unstructured":"Privacy Rights Clearinghouse (2017), \u201cData breaches\u201d, Continuously updated database, available at: www.privacyrights.org\/data-breaches (accessed 7 June 2017)."},{"key":"key2020071513123851900_ref042","first-page":"1","article-title":"Employees\u2019 compliance with BYOD security policy: insights from reactance, organizational justice, and protection motivation theory","volume-title":"European Conference on Information Systems (ECIS)","year":"2014"},{"issue":"3","key":"key2020071513123851900_ref043","doi-asserted-by":"crossref","first-page":"613","DOI":"10.1002\/pam.20578","article-title":"The methodology of normative policy analysis","volume":"30","year":"2011","journal-title":"Journal of Policy Analysis and Management"},{"key":"key2020071513123851900_ref044","first-page":"189","article-title":"The advocacy coalition framework: innovations and clarifications","volume-title":"Theories of the Policy Process","year":"2007","edition":"2nd ed."},{"key":"key2020071513123851900_ref045","volume-title":"Information on Data Security Incident","year":"2016"},{"key":"key2020071513123851900_ref046","article-title":"US universities race to contain WannaCry ransomware, officials say","year":"2017"},{"key":"key2020071513123851900_ref047","article-title":"University of Maryland computer security breach exposes 300,000 records","year":"2014"},{"key":"key2020071513123851900_ref048","first-page":"212","article-title":"I like it, but i hate it: employee perceptions towards an institutional transition to BYOD second-factor authentication","year":"2017"},{"key":"key2020071513123851900_ref049","article-title":"The acceptable state: an analysis of the current state of acceptable use policies in academic institutions","year":"2019"},{"key":"key2020071513123851900_ref050","volume-title":"Management of Information Security","year":"2013"},{"issue":"4","key":"key2020071513123851900_ref051","doi-asserted-by":"crossref","first-page":"304","DOI":"10.1016\/j.infoandorg.2006.08.001","article-title":"Understanding the perpetration of employee computer crime in the organisational context","volume":"16","year":"2006","journal-title":"Information and Organization"},{"key":"key2020071513123851900_ref052","volume-title":"An Introduction to Computer Security: The NIST Handbook","author":"National Institute of Standards and Technology","year":"1995"},{"key":"key2020071513123851900_ref053","article-title":"The 10 Best Universities in America","author":"US News and World Report","year":"2017"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2018-0142\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2018-0142\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:26Z","timestamp":1753406606000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/3\/423-444\/199252"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,21]]},"references-count":53,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,11,21]]}},"alternative-id":["10.1108\/ICS-12-2018-0142"],"URL":"https:\/\/doi.org\/10.1108\/ics-12-2018-0142","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2019,11,21]]}}}