Policy components - a conceptual model for modularizing and tailoring of information security policies

PurposeThis paper aims to propose a conceptual model of policy components for software that supports modularizing and tailoring of information security policies (ISPs). Design/methodology/approachThis study used a design science research approach, drawing on design knowledge from the field of situational method engineering. The conceptual model was developed as a unified modeling language class diagram using existing ISPs from public agencies in Sweden. FindingsThis study's demonstration as proof of concept indicates that the conceptual model can be used to create free-standing modules that provide guidance about information security in relation to a specific work task and that these modules can be used across multiple tailored ISPs. Thus, the model can be considered as a step toward developing software to tailor ISPs. Research limitations/implicationsThe proposed conceptual model bears several short- and long-term implications for research. In the short term, the model can act as a foundation for developing software to design tailored ISPs. In the long term, having software that enables tailorable ISPs will allow researchers to do new types of studies, such as evaluating the software's effectiveness in the ISP development process. Practical implicationsPractitioners can use the model to develop software that assist information security managers in designing tailored ISPs. Such a tool can offer the opportunity for information security managers to design more purposeful ISPs. Originality/valueThe proposed model offers a detailed and well-elaborated starting point for developing software that supports modularizing and tailoring of ISPs.