Effective Internet Acceptable Usage Policy for Organisations

Sharman Lichtenstein and Paula M.C. Swatman
Department of Information Systems, Monash University, 26 Sir John Monash Drive, Caulfield East, Victoria, 3145, Australia.
Email: [email protected] [email protected]
Phone: +613-9903 2703 +613-9903 2768
Fax: +613-9903 2005

Abstract

With the Internet increasingly being used for the conduct of electronic commerce, organisations are now cognisant of the need to control their employees’ usage of the Internet. Little research has been conducted to date into this important concern. An Internet acceptable usage policy is one vehicle for providing this control, containing guidelines for employees indicating both acceptable and unacceptable Internet usages. The policy aims to control those employee behaviours and actions which contribute to the incidence and severity of internal and external Internet risks, while enabling employees and the organisation to gain maximum business value from the Internet connection. This paper explores the issues to be considered in the development of an organisation’s Internet acceptable usage policy, using a case study of a large, Australian organisation to illustrate the issues. A set of criteria for an effective Internet acceptable usage policy is proposed as a result of this research.

Note: This paper was published in the proceedings of "Bled'97 - 10th International Conference on Electronic Commerce", Bled, Slovenia, June 9-11, 503-522.

Introduction

Organisations have readily adopted the Internet as a revolutionary technology for electronic commerce without justification via either a business case or an Internet strategy (Miers et al., 1996; Lawrence et al., 1996). However, information systems managers recently underlined the importance of ensuring that business objectives and added business value drive information technology investments (Broadbent et al., 1995). Hence, organisations must now look towards developing effective organisational Internet strategies that direct Internet usage towards the integration and alignment of organisational business processes with business objectives (Logan, 1995; Logan et al., 1996; Brockway, 1996; Poon and Swatman, 1995; 1996) and towards the attainment and maximisation of added business value (Cronin et al., 1994; Bloch et al., 1996; Cockburn et al., 1996; Quelch et al., 1996). An effective organisational Internet strategy must also cater for diverse problems which may arise as a result of Internet connection. The diffusion of the Internet within the workplace has introduced serious new organisational security concerns (Cockburn et al., 1996; Ernst & Young, 1996; Abell and Lim, 1996). The Internet's many vulnerabilities are being exploited by hackers, competitors, disgruntled employees and ex-employees, often resulting in damage, disruption and uncertainty (Doddrell, 1995). These vulnerabilities are not likely to disappear in the foreseeable future (Doddrell, 1995) — many employees who have been granted connection to the Internet for valid business reasons have been misusing or abusing it from a lack of awareness of the Internet’s insecurities, a lack of awareness of valid, value-adding business Internet usages, or from malicious intent. The Internet’s vulnerabilities and their escalating exploitation both internally and externally suggest that an organisation’s Internet strategy should include plans for an Internet security management programme comprising measures which address organisational Internet risks and other Internet security concerns. These measures range from policies and procedures through to technological safeguards such as firewalls (Doddrell, 1995). Policies, procedures, standards and other management instructions are considered critical in providing information security, being aimed at controlling the decisive human factor (Wood, 1995), in this case the employees. The Internet acceptable usage policy addresses the employee factor in Internet security and Internet business value maximisation, its purpose being “to direct staff in the use of Internet services so use will be acceptable to the public and the (organisation)” (Heard, 1996). The policy contains guidelines for employees indicating both acceptable and unacceptable Internet usages, with the aim of controlling those employee behaviours and actions that contribute to the organisation’s Internet risks, while maximising the benefits to be gained by the organisation through Internet usage.

The aim of this paper is to propose a set of criteria for an effective organisational Internet acceptable usage policy. This will be achieved by identifying issues from the literature as well as those recognised in existing policies, exploring these issues further by means of a case study of a large, Australian organisation, and finally drawing conclusions.
It should be noted that the paper focuses on the security function of the Internet acceptable usage policy — the use of the Internet acceptable usage policy for the protection of the organisation and its employees from Internet risks — rather than its equally important use for Internet business value maximisation. This research study provides:
• a justification of the need for Internet acceptable usage policy in organisations;
• an improved understanding of the Internet risks faced by organisations;
• an appreciation of holistic issues in Internet acceptable usage policy for organisations; and
• a set of criteria to be met for achieving an effective Internet acceptable usage policy.
The research results contribute towards the development of comprehensive and effective Internet acceptable usage policy for organisations that use the Internet for electronic commerce.

Existing Internet acceptable usage policies were developed for Internet service providers (ISP) (for example, TIOcom, 1996), network providers connecting organisations to the Internet (for example, NSFNET, 1992), or non-ISP and non-network provider organisations (for example, AHERF, 1995; NASA, 1996). This paper focuses on the last of these three groups — Internet acceptable usage policies for non-ISP and non-network provider organisations.

In this paper, we initially overview developments in Internet acceptable usage policy, drawing attention to shortcomings in existing approaches. We then present a model of the Internet risks faced by organisations, followed by a summary of the various holistic issues whose consideration will increase the likelihood of an effective Internet acceptable usage policy. We next discuss the research method selected for this study, and continue with a description and discussion of the case study. Finally, we propose a list of criteria to be met for an effective organisational Internet acceptable usage policy, and outline current and planned research activities.

Internet acceptable usage policy


This section summarises developments in the area of Internet acceptable usage policy for business. An Internet acceptable usage policy can be positioned within a company's information security management infrastructure. One view (Lichtenstein, 1997) recommends that an organisation mount a corporate information security programme containing many elements, one of these being the Internet security management programme featuring an Internet security policy — itself comprised of a number of subpolicies, including: an Internet information protection policy, an Internet information access policy, an Internet publication policy, an Internet employee privacy policy and the Internet acceptable usage policy. An essential point to make here is that the Internet acceptable usage policy serves two major organisational functions — it is not only a security policy, but also an instrument for specifying the valid Internet usages which support the business objectives of the company and maximise added business value. As stated earlier, this research concentrates on the security function of the policy, rather than its added business value function. While Internet security policies have been given some attention in recent years (IETF, 1991; Pethia et al., 1991; FNC, 1995a; Lichtenstein, 1997), research into Internet acceptable usage policies is scarce. Lichtenstein (1996a) describes an approach to the development of such policies, incorporating a risk assessment of the Internet risks faced by organisations, as well as a consideration of important holistic issues. Oliver (1997) describes a schema for use in the development of corporate policies for electronic commerce. In this schema, electronic commerce constituents (employees, customers, suppliers, etc) are cross-matched with components of electronic space (Intranet, Internet, Web sites, etc) in order to identify the relevant Internet security issues to be addressed by a corporate electronic commerce policy. 
Other research includes the production of an early set of guidelines for the structure and content of such policies by The Internet Security Committee of British Columbia, reported in Heard (1996). Heard’s guidelines recommend that an Internet acceptable use policy contain subpolicies which advocate: high employee ethical standards, business-only usage, adherence to copyright and licensing laws, and nondisclosure of confidential information. Acceptable business usages cited are business communications, professional development communications, and pre-approved postings (unless disclaimers are attached). Unacceptable business usages cited include non-business related postings, interference or disruption to other Internet participants, distribution of malicious, rude, obscene or harassing material, and personal financial gain. The guidelines also stipulate definitions for roles and responsibilities for individuals and groups, and articulation of sanctions for non-compliance. Valuable research into defining a comprehensive set of beneficial business usages of the Internet has been carried out by a number of researchers (for example, Bloch et al., 1997). Such taxonomies may be of use in deriving a set of acceptable business Internet usages for the Internet acceptable usage policy. Further guidance in policy structure and content may be obtained from empirical data in the form of existing policies (for example, AHERF, 1995; NASA, 1996). A final aspect to consider is that in any Internet acceptable usage policy, there is often cautionary advice warning users that the acceptable use policies of other organisations and networks unknowingly utilised during Internet connection may apply, and these may constrain acceptable usage (in other words, there may be several Internet acceptable use policies with which an Internet user must be compliant). 
We suggest that inadequacies in current guidelines (for example, those of Heard, 1996) and existing policies include: highly general subpolicies which are never made specific, ambiguity, ad hoc specification of acceptable value-adding Internet usages, the omission of reference to any underlying corporate Internet strategy and ad hoc, limited identification of the Internet risks faced by the organisation. It should be noted that the Internet acceptable usage policy itself requires support through other company policies (for example, the company Code of Conduct), Internet awareness and training sessions, operational procedures and technical mechanisms (for example, firewalls).


Internet risks for organisations

This section overviews Internet risks being faced by organisations engaged in electronic commerce — it is the employee factor in these risks that is addressed by the Internet acceptable usage policy. Losses being sustained by organisations due to Internet risks include: the existence of corrupted, erroneous or pirated software on the organisation's systems, erroneous data, misinformation, loss of privacy, damaged employee reputations, and monetary or credit damage (NIST, 1996). Hence, Internet risks should be taken very seriously indeed. A model of Internet risks for an organisation is illustrated in Figure 1 (a detailed description of each risk type may be found in Lichtenstein (1996a, 1997)). This model has been compiled from earlier findings (for example, Cheswick et al., 1994; NIST, 1994a, 1996; Cohen, 1995; Stallings, 1995; FNC, 1995b). Both deliberate and accidental types of risks have been included, although the difference between deliberate and accidental is often extremely difficult to determine (for example, Vanbokkelen (1990) remarked that “Security is subjective; one site might view as idle curiosity what another would view as a hostile probe”). In Figure 1, the central circle denotes an organisation with Internet connection. The outer ring labelled ‘Other Internet Participants’ denotes other members of the Internet community. The two-way arrows portray Internet risks that can emanate from within the organisation and affect other Internet participants, or that can emanate from other Internet participants and affect the organisation. Each arrow represents a different type of Internet risk.

[Figure 1 (diagram): ‘Organisation’ at the centre, ringed by ‘Other Internet Participants’, with two-way arrows labelled: non-business activities; corrupted or erroneous software; Internet-transferred threats; accidental/erroneous business transactions; accidental/deliberate disclosure; pirated media; hacking; low quality data; junk email; inaccurate advertising]

Figure 1: Internet Risks for an Organisation

Note that although many risks included in the model may exist even without an Internet connection (for example, ‘corrupted or erroneous software’), the Internet manifestations of these risks are distinctive, and are exacerbated by the global scope and magnitude of access provided via the Internet. Hence, Internet risks deserve Internet-specific policy for effective control. A risk assessment of the Internet risks will enable an Internet acceptable usage policy to be developed which controls the risks and hence limits the losses incurred. Employees should be made aware through the policy and supporting education of the significant risks, consequent losses and recommended remedies.

Holistic issues in Internet acceptable usage policy

This section summarises holistic issues that impact Internet acceptable usage policy (a detailed discussion may be found in Lichtenstein (1996a, 1996c)). Recently, researchers have argued for holistic perspectives of information security (for example, Hartmann, 1995; Olson et al., 1995; Yngstrom, 1995; Lichtenstein, 1996a, 1996b, 1996c, 1997), suggesting that Internet acceptable usage policy, too, should reflect a holistic perspective of organisational Internet security.

Legal issues

It is incumbent upon an organisation to be aware of relevant laws and standards prior to setting policy. An extensive treatment of legal issues in cyberspace may be found in Cavazos et al. (1994). The Internet acceptable usage policy must notify employees of illegal Internet operations.


Managerial, administrative and operational issues

Critical managerial measures which support the Internet acceptable usage policy include: management commitment; an effective Internet strategy which specifies valid, value-adding Internet usages; a comprehensive Internet security management programme centred on Internet security policies and Internet acceptable usage policies; Internet education; and Internet security awareness. Administrative and operational tasks must also be defined (for example, the procedures for applying, monitoring and auditing security policies (Branstad et al., 1995)).

Technical issues

Procedures must be specified for ensuring that appropriate technical mechanisms (for example, firewalls) are selected, configured, installed, and monitored.

Human issues

Extensive work has been carried out to determine human information security requirements and human Internet security requirements (for example, Kohl, 1995; Nance et al., 1995; Condon et al., 1985; NIIAC, 1995; EC, 1995; Rannenberg, 1994). Many important human issues of concern to employees must be considered in order to develop an effective Internet acceptable use policy.

National and organisational cultural differences, and netiquette

Cultural differences impact heavily on individual ethical behaviour and the effectiveness of Internet communication and collaboration. Some guidance as to the handling of cultural differences is therefore advisable within the Internet acceptable usage policy. An organisation may wish to specify Internet user etiquette (netiquette) to suit its peculiar culture, within the Internet acceptable usage policy.

Rights and freedoms

Employee rights and freedoms should be recognised within an Internet acceptable usage policy. An employee's right to privacy is especially important within the context of global exposure (for example, employees may not desire personal information about themselves to be published and made available on the Internet via Web pages or other postings). Employees will not only demand their rights but also their freedoms in the workplace, as illustrated by the traditionally permitted (albeit limited) personal usage of the office telephone. In many organisations, a total ban on personal usage of the Internet may cause resentment or indeed strong protest from employees, who may feel that they should be completely free to send personal email, surf the Internet, download games and images, subscribe to listservers, and so forth. Cultural patterns will influence the amount and types of freedom which employees expect.

Responsibilities, duties and accountability

Specific policies must clarify business and nonbusiness usages of the Internet, although it may be increasingly difficult to define a given usage as personal or business, as communication and collaboration may involve personal exchanges as a cultural expectation (see earlier discussion on culture). Employees may be held accountable for their Internet activities as well as for residual system conditions after an Internet misuse or abuse. Policies which clarify employee accountability are essential, yet extremely difficult to formulate. For example, data exchanged by employees over the Internet may be of poor quality, yet current legal and ethical guidelines for determining liability and accountability for the quality of Internet information are inadequate (Mathieu et al., 1995). In such conditions, how can policies lay the blame for poor data quality upon the employee?


Non-compliance

Sanctions for breaching the policy should be clearly defined and should be acceptable to employees.

Research method

This section discusses our use of a single case study to illustrate the research topic. Bonoma suggests that case research methods are useful where "a phenomenon is broad and complex, where the existing body of knowledge is insufficient to permit the posing of causal questions and when a phenomenon cannot be studied outside the context in which it occurs" (Bonoma, 1985). Benbasat, Goldstein and Mead provide additional support for the use of the case study approach to investigate "certain types of problems: those in which research and theory are at their early, formative stages; and sticky, practice-based problems where the experiences of the actors are important and the context of action is critical" (Benbasat, Goldstein and Mead, 1987). Yin believes that the reason for selecting one particular research strategy over another is determined by: "three conditions, consisting of (a) the type of research question posed, (b) the extent of control an investigator has over actual behavioural events, and (c) the degree of focus on contemporary as opposed to historical events" (Yin, 1989). He then notes that although the research strategies are not mutually exclusive, it is possible to identify situations where one particular strategy is of particular usefulness. He suggests that case studies are especially useful when the researcher is attempting to answer a “how” or “why” question over which s/he has little control - an example which is relevant to the present project. Benbasat, Goldstein and Mead have also set out a list of questions intended to assist the prospective researcher determine whether or not the case study approach is appropriate to his/her topic (Benbasat et al., 1987). We apply these questions to Internet acceptable usage policy:

1. Can the phenomenon of interest be studied outside its natural setting? No - Internet acceptable usage policies are only relevant to (and within) the organisation attempting to develop the policy.

2. Must the study focus on contemporary events? Yes - significant organisational use of the Internet in Australia is only 3 years old.

3. Is control or manipulation of subjects or events necessary? No - observation and recording will provide the clearest evidence of current events.

4. Does the phenomenon of interest enjoy an established theoretical base? No - there is still very little theoretical work being undertaken in this area.

The lack of existing theoretical work suggests that a case study approach is an appropriate research method for this project. Even though the results of a single case study cannot be generalised to other organisations, they can certainly provide indicative evidence of the issues under study. We therefore decided that a single case study would be a suitable approach for illustrating important issues to be considered in the development of an Internet acceptable usage policy. It is instructional to note that this study forms only part of a longer-term research project and that the results of this exploratory pilot case study have formed the basis for a series of case studies which are currently underway.

A case for Internet acceptable usage policy


This section of the paper describes our case study illustrating Internet risks and holistic issues to be considered in the development of an Internet acceptable usage policy. The organisation studied is a large scientific research establishment in Australia, which we have called “Strategic Scientific Research Institute” (SSRI) for reasons of anonymity. SSRI is planning to develop an Internet acceptable usage policy in the near future, due to continued growth of the organisation and its Internet connection to several hundred Internet users by mid-1996. Case data were obtained via two, two-hour semistructured interviews with SSRI's network manager, whose job duties include responsibility for Internet management. We initially provide background information about SSRI’s Internet infrastructure and Internet usage and then present the case results, structured firstly according to the Internet risk types portrayed in the model in Figure 1, and secondly according to the holistic issues discussed in the previous section.

SSRI Internet infrastructure and usage

SSRI is located at a single site. Its information technology activities are handled by its Information Technology (IT) department, staffed by several technical personnel including a network manager and a departmental manager. Several hundred workstations are connected to the Internet via a LAN connected to an Australian university Hub. The university utilises AARNet, an internetwork of regional networks connected to each other and internationally to other Internet participants by Telstra Internet Services. SSRI has established an Intranet for internal information sharing. SSRI’s Internet usage grew from a single user several years ago to much larger numbers by mid-1996, sparking concerns regarding the lack of Internet security measures. There are currently several hundred Internet users within the organisation, all employees, composed of senior scientists, postgraduate students, postdoctoral scientists, and support staff. Users share computers, each of which has its own Internet connection. The scientists mostly utilise the research mechanisms of the Internet for scientific research purposes and, to a lesser extent, use the Internet mechanisms available for communication and collaboration, information sharing and management, and access to applications. Electronic trading is not currently carried out through the Internet, as the relevant suppliers do not at present have Web sites set up for trading (all purchases are currently fax-based). To date, there have not been any serious security incidents relating to Internet usage, although a number of small incidents are occurring, as will be described below.

SSRI Internet risks

SSRI faces many of the Internet risk types illustrated earlier in Figure 1:

Non-business activities

The extent of non-business usage of the Internet during work hours is presently unknown, although it is estimated that 80% of usage during non-work hours is for nonbusiness purposes (surfing, downloading games and images, etc). The organisation is concerned that the level and type of nonbusiness usage during work hours is unknown, although one employee was fired for excessive net surfing. Web sites visited from a given machine can be checked via a proxy server on which both the machine ID and the site are logged. Since some machines are shared, however, it would be difficult at present to track exactly who visited a particular site.

Corrupted or erroneous software

The computers are all virus-protected by anti-virus software. One virus was brought in recently from a home computer. The risk still remains, however, of employees downloading virus-infested or buggy software from the Internet.


Accidental/deliberate disclosure

SSRI's scientific research data and results are regarded as sensitive information. SSRI currently does not stipulate that confidential information should not be disclosed outside the company. However, most information communicated via the Internet by SSRI researchers is public knowledge, as it has already been published. Unpublished research information is regarded as ‘secret’, and retains that sensitivity level until after publication (which typically takes about six months). It would be undesirable for this ‘secret’ information to be disclosed over the Internet via email, Web sites, or other posting mechanisms, during the pre-publication period. Only a few research projects at any time are in this ‘secret’ state. Access privileges for relevant SSRI accounts are set and monitored at present, in accordance with the research information sensitivity levels and the users’ ‘need to know’.

Pirated media

Piracy of Internet software may be occurring, but is actively deterred by removal of illegal software on detection, accompanied by a warning.

Low quality data

It is not likely that SSRI's scientists would give genuine credence to scientific research data presented via global Web pages, as the scientists, being highly conservative and traditional, only believe in the validity of work which has been published in appropriate, esteemed, reputable, scientific, printed journals. Employees do not currently have their own Web pages, as most do not wish to expend the effort required to learn how to create them. With the recent development of the internal Intranet, however, it is more likely that employees will create their own pages, although interest thus far has been low. In the future, Web pages may be made accessible to the global audience, at which time there would indeed be a risk of low quality pages.

Accidental/erroneous business transactions

Because there is no electronic trading occurring in the organisation at present, business transactions do not exist. In the future, however, supplier companies will be setting up facilities for electronic trading via Web sites, and this risk will then exist.

Hacking

An activity report listing accessed Web sites is scanned manually each day by the network manager, who is able to spot well-known, troublesome newsgroup addresses. On one occasion, a hacker site had been accessed several times. The network manager queried the motives for the access with the employee concerned, and no further irresponsible activity took place. In a separate incident, SSRI was unsuccessfully attacked by a hacker.
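The proxy log review described for SSRI (machine ID and site logged, a daily scan of the activity report for troublesome addresses, and the attribution gap on shared machines) can be automated; the following is an added illustration, not code from the original paper or from SSRI. The log format, site names, watchlist and login-session records are constructed assumptions.

```python
"""Daily proxy-log review: flag watchlisted sites and attribute hits to users.

Constructed sample data (assumed format: ISO timestamp, machine ID, site).
"""
from collections import Counter
from datetime import datetime

# Constructed proxy log lines; not real SSRI data.
SAMPLE_LOG = """\
1996-08-12T09:14:02 ws-lab3 research.example.edu
1996-08-12T09:16:45 ws-lab3 games.example.net
1996-08-12T12:30:10 ws-lab3 hackertools.example.org
1996-08-12T13:02:55 ws-lab7 journal.example.edu
1996-08-12T18:45:30 ws-lab3 hackertools.example.org
1996-08-12T19:10:00 ws-lab7 games.example.net
"""

# Constructed watchlist: the "well-known, troublesome" addresses the
# network manager looks for by hand in the daily activity report.
WATCHLIST = {"hackertools.example.org"}

# Constructed login sessions (machine, user, start, end). The paper notes
# that shared machines prevent per-user attribution; session records of
# this kind are the missing piece, so the example assumes a partial set.
SESSIONS = [
    ("ws-lab3", "alice", "1996-08-12T08:00:00", "1996-08-12T12:00:00"),
    ("ws-lab3", "bob",   "1996-08-12T12:00:00", "1996-08-12T17:00:00"),
]


def parse_log(text):
    """Parse log text into (datetime, machine, site) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, machine, site = line.split()
        records.append((datetime.fromisoformat(ts), machine, site))
    return records


def watchlist_hits(records, watchlist=WATCHLIST):
    """Return every visit whose site is on the watchlist."""
    return [r for r in records if r[2] in watchlist]


def attribute(hit, sessions=SESSIONS):
    """Map a hit to the user logged on to that machine at that time.

    Returns None when no session covers the visit: the machine is shared
    and only machine-level attribution is possible, as at SSRI.
    """
    ts, machine, _ = hit
    for m, user, start, end in sessions:
        if m == machine and datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
            return user
    return None


def daily_report(text, watchlist=WATCHLIST, sessions=SESSIONS):
    """Build the daily review: visit counts per machine plus watchlist findings."""
    records = parse_log(text)
    per_machine = Counter(machine for _, machine, _ in records)
    findings = []
    for hit in watchlist_hits(records, watchlist):
        ts, machine, site = hit
        user = attribute(hit, sessions)
        findings.append({
            "time": ts.isoformat(),
            "machine": machine,
            "site": site,
            "user": user,
            "attribution": "user" if user else "machine only (shared workstation, no login record)",
        })
    return {"visits_per_machine": dict(per_machine), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(daily_report(SAMPLE_LOG), indent=2))
```

The second watchlist hit falls outside any recorded session, so the report can only name the machine; that is exactly the gap the paper identifies for shared workstations.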

Inaccurate advertising

Email and other postings may be misrepresenting official SSRI positions and views; disclaimers are not required at present. The planned employee home pages will, however, require disclaimers. Research information posted by the employees at SSRI via Internet mechanisms currently lacks credibility with global readers, as stated earlier.

Junk email

One employee was mail-bombed as a result of correcting the information in a particular posting received via a mailing list. The ISP of the original poster rebuked him for carrying out the mailbombing.

Internet-transferred threats

The local university network has had problems which have brought SSRI's network connection down on several occasions.

Holistic issues in Internet acceptable usage policy at SSRI

A number of different issues for SSRI to consider in the development of its Internet acceptable usage policy surfaced:

Legal issues

SSRI employees are currently not informed of relevant laws and standards, and it is left up to the employees to familiarise themselves with these, SSRI being in accord with the old legal slogan: ‘ignorance is no excuse’. The question must be asked whether this approach is still warranted, considering the risks.

Managerial, administrative and operational issues

SSRI does not possess an Internet security strategy, Internet security management programme, Internet security policy or Internet acceptable usage policy. The IT departmental manager is totally responsible and accountable for Internet management. There is no delegation of authority, although a certain amount of independent activity by other IT staff ensures that the necessary actions to resolve Internet-related problems are undertaken (with the manager's approval). The local university through which Internet connection is obtained does not itself impose any acceptable usage policy on the organisation. However, the university is subject to the acceptable use policy of AARNet (1995), and therefore also to the policies of Telstra Internet Services. Users usually do not check these policies. SSRI's philosophy regarding policies in general is one of ‘user beware’, in the belief that if existing policies were to be explained or highlighted in any way, users would blame the organisation when accused of breaching policy, claiming that the relevant policy had either not been explained at all, or had been inadequately explained! This view can be restated as ‘If you tell users something, you must tell them everything’, a goal which appears unattainable. As we have already mentioned, SSRI's supporting philosophy has been ‘ignorance is no excuse’; this is now being regarded as an untenable attitude.

Technical issues

Although no firewall exists at present, one is planned in the near future, in order to comply with auditing requirements. Various other technical Internet security measures are provided, however (for example, antivirus software).

Human issues

SSRI’s culture is one of employee IT usage being controlled by the power of the IT department. Users are therefore reluctant to misuse the Internet, at least during working hours. This form of control is not considered ideal, however, and with the steady growth of the organisation (as well as increased numbers of connected Internet users), SSRI has recognised that it needs an Internet acceptable usage policy. An important concern voiced, however, is that employees may not consult an Internet acceptable usage policy, if one existed — except, perhaps, for a few experienced Internet users — although such a policy could prove useful as a weapon following misuse. At present, the risk of Internet misuse during work hours is also inadvertently managed by the employees’ immediate managers keeping them occupied with work-related tasks. A further concern is that employees expect unlimited freedom on the Internet — they are expected to resent and possibly resist any attempt to curtail their current, unconstrained usage. Any misuse is handled informally at present, with non-compliant employees being ‘spoken to’. Despite lacking a prior history of serious breaches, SSRI is nonetheless aware of prevailing and damaging Internet risks via plentiful and regular media publicity given to Internet misuses and abuses in organisations world-wide.

Conclusions

In this paper, we have argued for an Internet acceptable usage policy for each organisation employing the Internet, as a critical managerial measure for reducing the losses incurred due to misuse or abuse of the Internet, both internally and externally. To this end, we presented a model of the Internet risks being faced by organisations (Figure 1), which such a policy would address, as well as a discussion of the legal, managerial, administrative, operational, technical and human aspects of Internet acceptable usage which impinge upon the effectiveness of such a policy. We illustrated the realities of the Internet risks and the holistic issues by way of a case study. In a companion paper (Lichtenstein and Swatman, 1997), we produced further case study evidence of these risks and holistic issues. It was stressed at the start of the paper that we have concentrated in this research on the security function of the Internet acceptable usage policy, rather than its business function of maximising Internet benefits for the organisation. With both these policy functions in mind, and after considering the literature to date and the case study, we propose a set of criteria for achieving effective organisational Internet acceptable usage policies:

1. An organisation must first develop an Internet strategy setting out planned, value-adding, valid uses of the Internet. These uses should be identified by investigating the ways in which the Internet may enable business processes which are themselves aligned with business objectives. The identified uses will then constitute the core, acceptable uses clearly approved within the Internet acceptable usage policy.

2. An organisation requires a comprehensive Internet security management programme to support the Internet acceptable usage policy, featuring a range of elements including: an Internet security policy (which contains the Internet acceptable usage policy); policy education and awareness sessions; policy monitoring; and a compliance process which handles instances of non-compliance. Policies should be implemented via firewalls and other technical security mechanisms.

3. A risk assessment of the Internet risks being confronted by the organisation is required in order to identify the significant Internet risks to be addressed within the policy.

4. Subpolicies to address significant Internet risks should be included within the policy.

5. An organisation should support the policy actively through education and awareness activities, rather than expecting each employee to familiarise him/herself with the policy independently.

6. Relevant laws should be drawn to the employees’ attention by the policy.

7. The policy should reflect the organisation’s culture in its subpolicies, degree of restrictivity, rules for netiquette, and specification of responsibilities, duties and accountabilities.

8. The policy should include unambiguous lists of acceptable and unacceptable Internet uses.

9. The roles and responsibilities of individuals and groups should be clearly defined in the policy.

10. Sanctions for non-compliance should be clearly specified in the policy; however, the compliance process should allow for discourse and resolution in the event of exceptions.

11. Attention should be drawn within the policy to other acceptable use policies which may apply (for example, those of network providers providing Internet connection), as well as to other relevant corporate policies (for example, the company code of conduct and the company confidentiality policy).

This research summary and case study have highlighted important issues in the role, development, content and management of Internet acceptable usage policy, as well as the difficulties of planning for such policies in the early days of Internet diffusion within organisations. Further case studies are planned, to build on the indicative results obtained. In particular, it would be useful to study a commercial organisation with the added Internet usage complications engendered by electronic trading. It is also crucial to investigate the equally important, non-security-related function of Internet acceptable usage policies in depth — that is, its use for obtaining maximum business Internet benefit. A study of existing policies should further add useful empirical data to build a better picture of the issues to be addressed. Finally, surveys of employee opinions regarding Internet acceptable usage will add to an understanding of the important human concerns in developing policy.

References

AARNet (1995) Policy on Allowed Access to the Internet via AARNet Members, http://www.avcc.edu.au/avcc/aarnet/aarnpols/access.htm, October 11th, 1995 (Accessed October 22nd, 1996).

Abell, W. and Lim, L. (1996) "Business Use of the Internet in New Zealand: an Exploratory Study", in Proceedings AUSWEB 96 - the Second Australian World Wide Web Conference, Southern Cross University, Gold Coast, Australia.

AHERF (1995) AHERF (Allegheny Health, Education and Research Foundation) Internet Acceptable Use Statement, http://www.mcphu.edu/campus/howto/policies/aup.html, November 15th, 1995 (Accessed October 18th, 1996).

Benbasat, I., Goldstein, D.K. and Mead, M. (1987) "The Case Research Strategy in Studies of Information Systems", MIS Quarterly, Vol. 11, No. 3, September, 369-386.

Bloch, M., Pigneur, Y. and Segev, A. (1996) "Leveraging Electronic Commerce for Competitive Advantage: a Business Value Framework", in Proceedings of the Ninth International Conference on EDI-IOS, Bled, Slovenia.

Bonoma, T.V. (1985) "Case Research in Marketing: Opportunities, Problems and a Process", Journal of Marketing Research, Vol. 22, May, 199-208.

Branstad, D., Oldehoff, A., Aiken, R. and others (1995) "Security Policy for Use of the National Research and Education Network", in FNC (1995b), Appendix 4.

Broadbent, M., Butler, C., Hansell, A. and Dampney, C.N.G. (1995) "Business Value, Quality and Partnerships: Australasian Information Systems Management Issues", Australian Computer Journal, Vol. 27, No. 1.

Brockway, D.W. (1996) "Knowledge technologies and business alignment", Information Management & Computer Security, Vol. 4, No. 1, MCB University Press.

Cavazos, E.A. and Morin, G. (1994) Cyberspace and the Law: Your Rights and Duties in the On-Line World, MIT Press.

Cheswick, W. and Bellovin, S. (1994) Firewalls and Internet Security, Massachusetts, USA: Addison-Wesley Publishing Company.

Cockburn, C. and Wilson, T.D. (1996) "Business Use of the World-Wide Web", International Journal of Information Management, Vol. 16, No. 2.

Cohen, F.B. (1995) Protection and Security on the Information Superhighway, John Wiley & Sons, Inc.

Condon, J.C. and Yousef, F. (1985) An Introduction to Intercultural Communication, MacMillan.

Cronin, B., Overfelt, K., Fouchereauz, K., Manzvanzvike, T., Cha, M. and Sona, E. (1994) "The Internet and Competitive Intelligence: a Survey of Current Practice", International Journal of Information Management, Vol. 14.

Doddrell, G.R. (1995) "Information security and the Internet", Information Management & Computer Security, Vol. 3, No. 4.

EC (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities, 23rd November, No. L 281.

Ernst & Young (1996) "The Ernst & Young International Information Security Survey 1995", Information Management & Computer Security, Vol. 4, No. 4, MCB University Press.

FNC (Federal Networking Council) (1995a) Federal Internet Security Plan (FISP), Federal Networking Council, Security Working Group.

FNC (Federal Networking Council) (1995b) Federal Internet Security - A Framework for Action - Draft, Federal Networking Council, Security Working Group.

Hartmann, A. (1995) "Comprehensive Information Technology Security: A New Approach to Respond Ethical and Social Issues Surrounding Information Security in the 21st Century", in Information Security - the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and Von Solms, H.S., eds.), Chapman and Hall.

Heard, F.T. (1996) "Internet Security Policies and Internet Appropriate Use Policies", Proceedings of EDPAC 96 Conference, Perth, Australia.

IETF (1991) Site Security Handbook (Holbrook, P. and Reynolds, J., eds.), IETF RFC 1244.

Kohl, U. (1995) "From Social Requirements to Technical Solutions - Bridging the Gap with User-Oriented Data Security", in Information Security - the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and Von Solms, H.S., eds.), Chapman and Hall.

Lawrence, E., Murry, J. and Tidwell, A. (1996) "Cyberpresence Strategies for Business Executives", in Proceedings AUSWEB 96, Australia.

Lichtenstein, S. (1996a) "Internet Acceptable Usage Policy", Computer Audit Update, Elsevier Advanced Technology, UK, December.

Lichtenstein, S. (1996b) "Internet Security Policy: a Holistic and Organisational Approach", Proceedings of 2nd Joint Conference AUUG 96/APWWW (Bossomaier, T. and Chubb, L., eds.), AUUG'96 and Asia Pacific World Wide Web, World Congress Centre, Melbourne, Australia.

Lichtenstein, S. (1996c) Internet Acceptable Usage Policy: Human Issues, Working Paper 10/96, Department of Information Systems, Monash University, Melbourne, Australia.

Lichtenstein, S. (1997) "Developing Internet Security Policy for Organisations", in Proceedings of the Thirtieth Annual Hawaii International Conference on Systems Sciences (Nunamaker, J.F. and Sprague, R.H., eds.), Hawaii, IEEE Computer Society Press, Los Alamitos, California.

Lichtenstein, S. and Swatman, P.M.C. (1997) "Internet Acceptable Usage Policy: Arguments and Perils", in Proceedings of PAWEC'97 (Swatman, P.M.C., Swatman, P. and Cooper, J., eds.), Brisbane, Australia.

Logan, M. and Logan, R. (1996) "Alignment: How to do Business on the Internet", in Proceedings INET 96.

Logan, R. (1995) The Fifth Language, Toronto: Stoddart.

Mathieu, R.G. and Woodard, R.L. (1995) "Data integrity and the Internet: implications for management", Information Management & Computer Security, Vol. 3, No. 2.

Miers, D. and Hutton, G. (1996) "The Strategic Challenges of Electronic Commerce", Enix Consulting Limited, UK.

Nance, K.L. and Strohmaier, M. (1995) "Ethical Information Security in a Cross-Cultural Environment", in Information Security - the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and Von Solms, H.S., eds.), Chapman and Hall.

NASA (1996) NASA Internet Acceptable Usage Policy, NASA, US.

NIIAC (1995) Commentary on the Privacy and Related Security Principles, Mega Project III of the National Information Infrastructure Advisory Council, US.

NIST (1994a) Reducing the Risks of Internet Connection and Use, Computer Systems Laboratory Bulletin, US.

NIST (1996) The World Wide Web: Managing Security Risks, Computer Systems Laboratory Bulletin, US.

NSFNET (1992) The NSFNET Backbone Services Acceptable Use Policy, http://www.haystack.edu/ysp/computer/nsfnet.html, June, 1992 (Accessed October 18th, 1996).

Oliver, R.W. (1997) "Corporate Policies for Electronic Commerce", in Proceedings of the Thirtieth Annual Hawaii International Conference on Systems Sciences (Nunamaker, J.F. and Sprague, R.H., eds.), Hawaii, IEEE Computer Society Press, Los Alamitos, California.

Olson, I.M. and Abrams, M.D. (1995) "Information Security Policy", in Information Security - an Integrated Collection of Essays (Abrams, M.D., Jajodia, S. and Podell, H.J., eds.), IEEE Computer Society Press, Los Alamitos, California.

Pethia, R., Crocker, S. and Fraser, B. (1991) Guidelines for the Secure Operation of the Internet, IETF RFC 1281.

Poon, S. and Swatman, P.M.C. (1995) "The Internet for Small Businesses: an enabling infrastructure for competitiveness", Proceedings of the Fifth Internet Society Conference, Hawaii, 221-231 (June).

Poon, S. and Swatman, P.M.C. (1996) "Electronic Networking Among Small Business in Australia: An Exploratory Study", in Swatman, P.M.C., Gricar, J. and Novak, J. (eds.) Electronic Commerce for Trade Efficiency and Effectiveness - Proceedings of the Ninth International Conference on EDI-IOS, Bled, Slovenia, June 10-12, Moderna Organizacija, Kranj, Slovenia, 446-460.

Quelch, J.A. and Klein, L.R. (1996) "The Internet and International Marketing", Sloan Management Review, Spring.

Rannenberg, K. (1994) "Recent Development in Information Technology Security Evaluation - The Need for Evaluation Criteria for Multilateral Security", in Proc. Security and Control of Information Technology in Society (Sizer, R., Yngstrom, L., Kaspersen, H. and Fischer-Hubner, S., eds.), IFIP Transactions A43, Elsevier Science B.V. (North-Holland).

Stallings, W. (1995) Internet Security Handbook, IDG Books Worldwide, Inc.

TIOcom (1996) Terms and Conditions for User Access and User Services, The Internet Outsourcing Group, http://www.tio.com/terms.html, April 27th, 1996 (Accessed October 18th, 1996).

Vanbokkelen, J. (1990) The Internet Oral Tradition, IETF RFC 1173.

Wood, C.C. (1995) "Writing InfoSec Policies", Computers & Security, Vol. 14.

Yin, R.K. (1989) Case Study Research: Design and Methods, Revised Edition, Sage Publications, Newbury Park, London.

Yngstrom, L. (1995) "A Holistic Approach to IT Security", in Information Security - the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and Von Solms, H.S., eds.), Chapman and Hall.