A systematic framework to explore the determinants of information security policy development and outcomes

Purpose This paper aims to develop an effective information security policy (ISP), which is an important mechanism to combat insider threats. Design/methodology/approach A general framework based on the Nine-Five-circle was proposed for developing, implementing and evaluating an organisation's ISP. Findings The proposed framework outlines the steps involved in developing, implementing and evaluating a successful ISP. Research limitations/implications The study took place in Germany, and most of the data was collected virtually due to the different locations of the organisation. Practical implications In practice, this study can be a guide for managers to design a robust ISP that employees will read and follow. Social implications Employee compliance with the ISP is a critical aspect in any organisation and therefore a rigorous strategy based on a systematic approach is required. Originality/value The main contribution of the paper is the application of a comprehensive and coherent model that can be the first step in defining a "checklist" for creating and managing ISPs.