TL;DR: The Straub and Welke (1998) security action cycle framework is extended, three areas worthy of empirical investigation are proposed--techniques of neutralization, expressive/instrumental criminal motivations, and disgruntlement resulting from perceptions of organizational injustice--and questions for future research in each area are posed.
Abstract: Recent academic investigations of computer security policy violations have largely focused on nonmalicious noncompliance due to poor training, low employee motivation, weak affective commitment, or individual oversight. Established theoretical foundations applied to this domain have related to protection motivation, deterrence, planned behavior, self-efficacy, individual adoption factors, organizational commitment, and other individual cognitive factors. But another class of violation demands greater research emphasis: the intentional commission of computer security policy violation, or insider computer abuse. Whether motivated by greed, disgruntlement, or other psychological processes, this act has the greatest potential for loss and damage to the employer. We argue the focus must include not only the act and its immediate antecedents of intention (to commit computer abuse) and deterrence (of the crime), but also phenomena which temporally precede these areas. Specifically, we assert the need to consider the thought processes of the potential offender and how these are influenced by the organizational context, prior to deterrence. We believe the interplay between thought processes and this context may significantly impact the efficacy of IS security controls, specifically deterrence safeguards. Through this focus, we extend the Straub and Welke (1998) security action cycle framework and propose three areas worthy of empirical investigation--techniques of neutralization (rationalization), expressive/instrumental criminal motivations, and disgruntlement as a result of perceptions of organizational injustice--and propose questions for future research in these areas.
TL;DR: In this paper, a system and method for providing an enterprise-based security policy are described, which includes a central agent (212) that is configured to retrieve a policy skin from a database (202) and to transmit the policy skin to a host.
Abstract: A system and method for providing an enterprise-based security policy are described. In one embodiment, the system includes a central agent (212) that is configured to retrieve a policy skin from a database (202) and to transmit the policy skin to a host. The system further includes a data gathering engine (222) that is configured to collect host data related to the host. In addition, the system includes a policy engine (220) that is configured to execute the policy skin against the host data to determine security policy compliance.
TL;DR: In this paper, the authors propose a technique in which a desired computer security policy can be enforced by performing a host computer security assessment at the time of user authentication by means of a system configuration that comprises a managed and trusted device.
Abstract: The invention comprises a technique in which a desired computer security policy, e.g. a member or corporate security policy, can be enforced by performing a host computer security assessment at the time of user authentication by means of a system configuration that comprises a managed and trusted device. In this way, a company can extend its corporate security policy to the user's desktop and verify an untrusted host, e.g. a PC, by means of a trustworthy technology, e.g. a hardened smartcard. Because the smartcard is relatively tamperproof, operations performed on the card are considered more trustworthy than those running solely on the PC. The smartcard and associated middleware running on the host perform such security-related functions as, for example, verifying that the host's anti-virus software is running and that it is not modified, verifying that the anti-virus software has the most recent virus definitions installed, verifying that the host is not currently infected and does not have dangerous and/or unpermitted remote-control Trojan horses running and listening on TCP/IP ports, and checking that the host has a password-protected screen saver enabled to prevent unauthorized access to the system in the user's absence.
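The policy-skin engine of the preceding abstract and the authentication-time posture checks of this one describe the same mechanism: a declarative policy evaluated against data collected from the host, with compliance decided by the engine rather than by the host. The following Python is an added example of that mechanism, not code from either patent; the rule format, the field names, the approved-binary hash, the Trojan port denylist and the three host records are all hypothetical or constructed so that it runs offline.

```python
"""Policy-engine sketch: evaluate a declarative policy (the "policy skin")
against host posture data collected at authentication time.

Added example, not the patents' own code.  The rule format, field names and
the sample host records are hypothetical/constructed; the check types are
those the abstract above enumerates (AV running and unmodified, fresh
definitions, no remote-control Trojan listeners, locked screen saver).
"""
import hashlib
import operator
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Comparison operators a rule may use.  "disjoint" is the set check behind
# "no listener on a denied port".
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq,
    "<=": operator.le,
    "in": lambda actual, allowed: actual in allowed,
    "disjoint": lambda actual, denied: not (set(actual) & set(denied)),
}


@dataclass(frozen=True)
class Rule:
    name: str      # stable identifier reported in findings
    field: str     # key in the gathered host data
    op: str        # one of OPS
    expected: Any  # right-hand operand


# Hypothetical known-good hash of the approved AV binary; the blob is a
# constructed stand-in so the example needs no real file.
APPROVED_AV_BINARY = b"approved antivirus engine build 1.0"
APPROVED_AV_SHA256 = hashlib.sha256(APPROVED_AV_BINARY).hexdigest()

# Constructed denylist: historical default ports of NetBus, SubSeven and
# Back Orifice.  A real skin would carry a maintained list.
REMOTE_CONTROL_TROJAN_PORTS = {12345, 27374, 31337}

POLICY_SKIN: List[Rule] = [
    Rule("av-running", "av.running", "==", True),
    Rule("av-unmodified", "av.binary_sha256", "in", {APPROVED_AV_SHA256}),
    Rule("av-definitions-fresh", "av.definitions_age_hours", "<=", 48),
    Rule("no-remote-control-listeners", "net.listening_tcp_ports",
         "disjoint", REMOTE_CONTROL_TROJAN_PORTS),
    Rule("screensaver-password", "screensaver.password_required", "==", True),
]


def evaluate(policy: List[Rule], host: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Run every rule; return (compliant, findings).

    Fails closed: a field the data gathering engine did not report, an
    operator the engine does not know, or a value of the wrong type is a
    finding, never a silent pass.
    """
    findings: List[str] = []
    for rule in policy:
        if rule.field not in host:
            findings.append(f"{rule.name}: no data for {rule.field}")
            continue
        op = OPS.get(rule.op)
        if op is None:
            findings.append(f"{rule.name}: unknown operator {rule.op!r}")
            continue
        try:
            ok = op(host[rule.field], rule.expected)
        except TypeError as exc:  # e.g. a string where a number was expected
            findings.append(f"{rule.name}: bad value {host[rule.field]!r} ({exc})")
            continue
        if not ok:
            findings.append(f"{rule.name}: {rule.field}={host[rule.field]!r} "
                            f"violates {rule.op} {rule.expected!r}")
    return (not findings), findings


# Constructed host records, as a data gathering engine might report them.
COMPLIANT_HOST = {
    "av.running": True,
    "av.binary_sha256": APPROVED_AV_SHA256,
    "av.definitions_age_hours": 6,
    "net.listening_tcp_ports": [135, 445, 3389],
    "screensaver.password_required": True,
}

# Same host, but the AV binary was tampered with and a Trojan is listening.
COMPROMISED_HOST = {
    **COMPLIANT_HOST,
    "av.binary_sha256": hashlib.sha256(b"patched binary").hexdigest(),
    "net.listening_tcp_ports": [135, 445, 31337],
}

# Host whose gathering engine failed to report the screen-saver setting.
INCOMPLETE_HOST = {k: v for k, v in COMPLIANT_HOST.items()
                   if k != "screensaver.password_required"}

if __name__ == "__main__":
    for label, host in [("compliant", COMPLIANT_HOST),
                        ("compromised", COMPROMISED_HOST),
                        ("incomplete", INCOMPLETE_HOST)]:
        ok, why = evaluate(POLICY_SKIN, host)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for line in why:
            print("  -", line)
```

Two design points follow from the abstracts rather than from the code. First, the engine treats missing or malformed host data as non-compliance, since an attacker who can suppress a data field should not thereby pass the check. Second, this sketch runs the evaluation in ordinary Python on the host; the abstract's argument is that on an untrusted PC the gathered data and the verdict can both be forged, which is why it places the evaluation on the tamper-resistant smartcard rather than on the machine being assessed.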
TL;DR: This paper describes key results from research carried out to determine the status of computer security in organizations today and shows how it is important that other considerations are taken into account, such as business and management requirements, and practical user issues.
Abstract: Computer security issues are normally addressed from a technical perspective. Increasingly, however, organizations and computer specialists are coming to realise that applying more technology as the basis of an answer to a problem that derives from technology cannot, in the long term, be a viable solution. This paper shows how it is important that other considerations are taken into account, such as business and management requirements, and practical user issues. In order for this approach to make any progress, we must first establish the current situation in ordinary organizations. This paper describes key results from research carried out to determine the status of computer security in organizations today.
TL;DR: White House, congressional, and high-level US Department of Defense policy documents that illustrate the direction and pace of Washington's recognition of potential foreign threats to US government information systems and the government's policy-level response are discussed.
Abstract: The United States government and military helped lead the information technology revolution and were among the first to warn of its consequent dangers to privacy and national security. This article discusses White House, congressional, and high-level US Department of Defense (DoD) policy documents that illustrate the direction and pace of Washington's recognition of potential foreign threats to US government information systems and the government's policy-level response. The documents show a progression from recognition of the security problem--particularly for the DoD--to the assignment of responsibilities and creation of capabilities for the "cyber domain." While the documents herein hardly comprise a representative sampling of cyber policy pronouncements since the 1960s, they suggest that the values of privacy and innovation stressed by the earliest legislative approaches to the problem had the lingering, unintended consequence of complicating the improvement of security. Indeed, the US government might have missed an opportunity in the 1980s to advance federal computer security policy.