Addressing Information Security (InfoSec) Policy Gaps through Participatory Design (PD) Approach (Position Paper)
Muhammad Imran Suid∗
15th April 2010
Abstract
This research is a study of attitudes and behaviors towards Information Security (InfoSec) policy. The computing.co.uk report in 2008 highlights the data loss incidents happening in UK public sector organizations, including the 25 million child benefit records lost by HM Revenue and Customs (HMRC) and the 17,000 data files lost from UK Border Agency (UKBA) records [3; 1; 2]; these incidents clearly establish that there are gaps between information security policy and practice. The research aims to identify the gaps between information security policy formulation and security practice and to understand what influences the occurrence of such gaps. This research explores the gap between information security policy and practice through the lens of the Participatory Design (PD) approach, and also evaluates aspects and principles of public policy decision making in order to assess their contribution to the process of information security policy making.
Security policies alone do not constitute a successful security practice effort. Kearney (1994) [4] argues, from a participatory design perspective, that successful participation in a decision making program might address information security policy gaps. Further, Miller (2006) [5] emphasizes that public engagement initiatives are frequently met with questions about ‘impact’, which enables policy makers to design better policies by focusing on areas such as the contexts, alternatives and concerns of the public. Following the line of argument presented in [4; 5], this research explores whether there are elements of public policy design that support the participatory design approach and whether this combined approach might help to address the gap between information security policy and practice; and, with this understanding, develop novel approaches to information security policy design and implementation that better influence information security practice.
My problem space is as follows:
• Different factors which influence an organization’s information security policy interpretation.
• Differences in the interpretation of a successful information security policy implementation between policy makers and policy practitioners.
My research objectives are as follows:
∗ Information Security Group, Royal Holloway University of London, Egham, Surrey TW20 0EX, UK. Email: m.suid@rhul.ac.uk
• To explore the different types of gap between information security policy and practice.
• To understand the kinds of security perceptions which influence policy makers when designing information security policies.
• To identify which elements of public policy design might complement the participatory design approach in order to address the information security policy-practice gap.
My research questions are as follows:
• What kinds of policy gaps can be found in information security?
• What kinds of perception guide information security policy makers’ decision making?
• What influences the emergence of information security policy gaps?
• How might public policy design combined with the Participatory Design (PD) approach help to close these information security policy gaps?
Information Security Policy Gap Taxonomy
What are the information security policy gaps?
Information security policy formulation ⇔ Gap ⇔ Information security policy in practice
How might the Participatory Design (PD) approach address these gaps?
Public policy design in Participatory Design (PD) approach ⇔ Gap ⇔ Information security policy formulation & Information security policy in practice
References
1. Computing Staff. The Top 10 Public Sector Data Losses – So Far: Feeling Left Out? Don’t Worry, You’re Bound to be Affected Soon, 2008. http://www.computing.co.uk/computing/analysis/2225625/top-public-sector-losses-far.
2. Contractor UK Limited. Immigration Officials Admit 17,000 Files Are Lost, 2009. http://www.contractoruk.com/news/004181.html.
3. Glyn Wintle. HMRC "Datagate" Verdict: Further Data Loss "A Distinct Possibility", 2008. http://www.openrightsgroup.org/blog/2008/hmrc-datagate-verdict-further-data-loss-a-distinct-possibil
4. R. C. Kearney and S. W. Hays. Labor-Management Relations and Participative Decision Making: Toward a New Paradigm. Public Administration Review, 54(1):44–51, 1994.
5. P. Miller. Better Humans?: The Politics of Human Enhancement and Life Extension. Demos Medical Publishing, 2006.