Internet Acceptable Usage Policy: Arguments and Perils [1]
Sharman Lichtenstein and Paula M. C. Swatman
Department of Information Systems, Monash University, 26 Sir John Monash Drive, Caulfield East, Victoria, 3145, Australia.
Email: [email protected] [email protected]
Phone: +613-9903 2703 +613-9903 2768
Fax: +613-9903 2005
Abstract
Organisations are now aware of the need to control employee usage of the Internet. An Internet acceptable usage policy contains guidelines for employees indicating both acceptable and unacceptable Internet usages, with the intention of controlling employee behaviours and actions which contribute to the incidence and severity of the organisation’s Internet risks. This paper explores the arguments for an organisational Internet acceptable usage policy, while cautioning about the ineffectiveness of such a policy as a solitary Internet security management measure. A case study illustrates the need for these types of policies, as well as for supporting infrastructure, within organisations.
Introduction
The rapid adoption and diffusion of the Internet by organisations worldwide has been undeniably chaotic, the value of Internet connectivity being assumed by organisations rather than justified by means of a business case. The opportunities have been too great and too tempting for organisations to wait out an Internet planning period. Further, it is only recently that Internet planning guidelines for organisations have begun to emerge, recommending (inter alia): the preparation of a business case for Internet connectivity; the development of an Internet strategy which directs usage towards the alignment of business processes with business objectives; and the production of a range of policies to underpin Internet management (Lichtenstein and Swatman, 1997; Logan, 1995; Logan and Logan, 1996; Brockway, 1996; Poon and Swatman, 1995; 1996; Cronin et al., 1994; Bloch et al., 1996; Quelch and Klein, 1996; D’Alotto, 1996). This initial, tumultuous period of Internet technology usage has, in fact, been something of a ‘voyage of discovery’ for many organisations struggling to come to terms with the opportunities and threats posed by instant global communication. Several recent surveys have examined whether the anticipated benefits have actually been realised, and have drawn attention to a range of problems, notably the inadequacy of Internet security (see, for example, Cockburn and Wilson, 1996; Ernst & Young, 1996; Abell and Lim, 1996).
[1] This paper was published in the proceedings of PAWEC'97, the 1st Pacific Asia Workshop on Electronic Commerce, Brisbane, Queensland, April 5th.
Internet security for an organisation can be defined as the protection of the confidentiality, integrity and availability of the organisation’s information resources, as well as the protection of the organisation’s image, reputation, finance and viability, from accidental or deliberate attack via Internet connectivity. Doddrell (1995) warns that the Internet risks being faced by organisations are increasingly prevalent and damaging, manifesting not only as external attacks (for example, by hackers) but also as internal misuse (for example, non-business Internet usage by employees). To address these risks, Internet security protection for an organisation must incorporate a range of technical measures (such as firewalls) and non-technical measures (such as policies) in order to protect the organisation comprehensively and effectively. An awareness of their own employees’ contribution to Internet risks is leading organisations to attempt to control internal Internet use. Hsieh et al. (1996) believe that individual Internet users should be charged with behaving ethically and responsibly in their Internet usage, in order to maximise the benefits of Internet connectivity while minimising restrictions. A non-technical measure for gaining such control is the Internet acceptable usage policy, a document which contains guidelines for employees indicating acceptable and unacceptable Internet usages. This policy aims to control employee behaviour and actions which contribute to Internet risks, while allowing organisations to realise the added business value to be gained from Internet connection. To date, there is little empirical evidence to substantiate the value of such policies (see, for example, Lichtenstein and Swatman, 1997). The aim of this paper is to examine the arguments for an organisational Internet acceptable usage policy and the possible dangers involved.
This will be achieved by means of a case study which explores the need for an Internet acceptable usage policy within a large Australian tertiary institution. The research study provides:
• an understanding of the Internet risks faced by organisations;
• support for Internet acceptable usage policy for organisations; and
• an appreciation of the need for additional managerial measures to support such policies.
Further, the research results also contribute towards the development of comprehensive and effective Internet acceptable usage policies for organisations. Internet acceptable usage policies may be developed for Internet service providers (ISPs) (for example, TIOcom, 1996); for network providers connecting organisations to the Internet (for example, NSFNET, 1992); or for organisations which are neither ISPs nor network providers (for example, AHERF, 1995; NASA, 1996). This paper focuses on the last of these three groups. The paper commences by providing a background to the concepts of Internet acceptable usage policy. We then justify the selection of a single case study research method to address the research aim, and follow with a description and discussion of the case study. Finally, we evaluate the research, and outline current and planned research activities.
Internet Acceptable Usage Policy
While Internet security policies have been given some attention in recent years (IETF, 1991; Pethia et al., 1991; FNC, 1995a; 1995b; Lichtenstein, 1997), research into Internet acceptable usage policy is limited. The Internet acceptable usage policy must reflect a holistic view of information security and Internet security (see, for example, NRC, 1991; OECD, 1992; FNC, 1995b; Lichtenstein, 1996a), and should therefore integrate a variety of complex and evolving strategic, legal, administrative, operational, technical and human influences, as outlined below. An organisation planning to employ the Internet should first develop an Internet strategy aligning its use with the corporate strategy and business objectives; a business case justifying the costs and benefits of Internet connectivity should then be prepared. The organisation should familiarise itself with relevant state, national and international laws and standards (for example, Cavazos, 1994). Lichtenstein (1997) suggests that an Internet security programme should be devised within the company’s existing corporate information security programme. This programme should be centred on an Internet security policy, itself comprising a number of subpolicies, including: an Internet information protection policy, an Internet information access policy, an Internet publication policy, an Internet employee privacy policy and the Internet acceptable usage policy (Lichtenstein, 1997). The Internet security programme should support the Internet acceptable usage policy (and the other policies) with a variety of measures (for example, Internet awareness and training sessions). Operational procedures and technical mechanisms (for example, firewalls) are required to support and implement the Internet acceptable usage policy; without them the policy states rules that nothing enforces. Catering for the human requirements of employees in Internet acceptable usage will significantly improve the policy’s chances of success.
Substantial research has already been conducted into human requirements in information security (for example, Kohl, 1995; Nance et al., 1995; Condon et al., 1985; NIIAC, 1995; EC, 1995; Hartmann, 1995; Rannenberg, 1994; Yngstrom, 1995; Wood, 1995). This work needs to be extended to accommodate the human requirements of employees in Internet acceptable usage policy. Lichtenstein (1996b) points out the special importance of the following employee concerns: national and organisational culture; Internet user etiquette (netiquette); employee rights and freedoms; employee responsibilities, duties and accountability; policy awareness; policy integration; management commitment; and employee culpability, non-compliance and sanctions. An approach to the development of organisational Internet acceptable usage policies, incorporating a risk assessment of the Internet risks as well as a consideration of the many influences described above, is proposed in Lichtenstein (1996a). The approach uses a model of an organisation’s Internet risks (Figure 1) as an aid to identifying the significant Internet risks to be addressed by the policy. The model has been composed from a consideration of the many diverse Internet risks being faced by organisations (Cheswick and Bellovin, 1994; Cohen, 1995; NIST, 1994a; 1994b; Stallings, 1995), and is described in detail in Lichtenstein (1997).
PAWEC ‘97
63
Figure 1: Internet Risks for Organisations. [Diagram: the organisation and other Internet participants, linked by the ten risk types: non-business activities; corrupted or erroneous Internet software; Internet-transferred threats; accidental/erroneous business transactions; accidental/deliberate disclosure; pirated media; hacking; low quality data; junk email; inaccurate advertising.]
Some attempts have already been made to develop guidelines for the content and structure of Internet acceptable usage policy. As an example, the Internet Security Committee of British Columbia has produced a set of guidelines, reported in Heard (1996), recommending that an Internet acceptable usage policy contain subpolicies which advocate: high employee ethical standards, business-only usage, adherence to copyright and licensing laws, and non-disclosure of confidential information. Acceptable business usages cited are business communications, professional development communications, and pre-approved postings (unless disclaimers are attached). Unacceptable business usages cited include non-business related postings, interference with or disruption of other Internet participants, distribution of malicious, rude, obscene or harassing material, and personal financial gain. The guidelines also state that the policy should define roles and responsibilities for individuals and groups within the organisation, and should warn of the consequences of employee non-compliance with the policy.
Existing policies provide some useful empirical data for guidance in policy structure and content. Existing policies often include cautionary advice warning users that the acceptable use policies of other organisations and networks traversed, perhaps unknowingly, during Internet connection may also apply, and may constrain acceptable usage. In other words, there may be several Internet acceptable use policies with which an Internet user must comply at the same time. Inadequacies observed within current guidelines (for example, those of Heard, 1996, already mentioned) and in existing policies include: highly general subpolicies which are never made specific; ambiguity; ad hoc specification of acceptable value-adding Internet usages; the omission of any reference to the underlying corporate Internet strategy; and ad hoc, limited identification of the Internet risks faced by the organisation.
Research method
Selecting a research strategy may be determined by: "three conditions, consisting of (a) the type of research question posed, (b) the extent of control an investigator has over actual behavioral events, and (c) the degree of focus on contemporary as opposed to historical events" (Yin, 1989:16). Yin notes that although research strategies may not be mutually exclusive, it is possible to identify situations where one strategy is of particular usefulness. He suggests that case studies are especially useful when the researcher is attempting to answer a “how” or “why” question over which s/he has little control, an example which is relevant to the present project. Benbasat, Goldstein and Mead (1987:369) suggest that the case study approach is appropriate when investigating: "certain types of problems: those in which research and theory are at their early, formative stages; and sticky, practice-based problems where the experiences of the actors are important and the context of action is critical". They have also specified a list of questions intended to assist the prospective researcher to determine whether or not the case study approach is appropriate to his/her topic (Benbasat et al., 1987:372). We can apply these questions to Internet acceptable usage policy:
1. Can the phenomenon of interest be studied outside its natural setting? No: Internet acceptable usage policies are only relevant to (and within) the organisation attempting to develop the policy.
2. Must the study focus on contemporary events? Yes: significant organisational use of the Internet in Australia is only 3 years old.
3. Is control or manipulation of subjects or events necessary? No: observation and recording will provide the clearest evidence of current events.
4. Does the phenomenon of interest enjoy an established theoretical base? No: there is still very little theoretical work being undertaken in this area.
We therefore decided that a case study would be a suitable method of investigating the issues of Internet acceptable usage implementation. In order to obtain a reasonably wide spectrum of opinion, however, we decided to use personally-administered questionnaires (a technique described in more detail later in this paper), rather than the perhaps more common interview/observation approach.
A Case for Internet Acceptable Usage Policy
This section describes the case study conducted at EHL, involving a preliminary risk assessment of student Internet usage within the institution. The study focuses on the value of an Internet acceptable usage policy as a control measure, in order to explore both the arguments in favour of Internet acceptable usage policy and the dangers inherent in a poorly contrived or poorly managed policy. We initially provide a case background sourced from existing corporate documents and informal interviews with relevant institute personnel, before discussing the major research instrument used to collect case data, a printed questionnaire. Finally, we present an analysis of the case data obtained from the questionnaire.
Organisational Background and Internet Infrastructure
The organisation under investigation is a large tertiary institute in Australia, which we have given the nom de plume “Effective Higher Learning” (EHL), for reasons of anonymity. EHL is planning to develop an Internet acceptable usage policy in the near future, as a consequence of increasing problems with its Internet usage. The largest group of Internet users is the student population, and therefore this case study concentrates on the particular needs of the institute’s students for an Internet acceptable usage policy. The institute has some forty thousand students overall, although the majority of students do not yet make use of the Internet connection facilities provided. The computer-literate students undertaking information technology courses are the main student users. Student Internet usage has grown from several hundred users a few years ago to several thousand student Internet users, comprising undergraduates in their late teens to mid-twenties and postgraduate students whose ages primarily range from their twenties to forties. The students are of many different nationalities, with approximately one third being of Asian nationality.
EHL has many hundreds of workstations in laboratories (located at several sites), connected to the Internet via various internal Web servers linked to the Australian Academic Research Network (AARNet), which is an internetwork of regional networks connected to one another and internationally to other Internet participants, by Telstra Internet Services (Telstra is the new name of Australia’s former PTT, now a major common carrier competing with other, similar organisations). In the main, students gain Internet connection from these workstations, although many students also use dial-up facilities from home or elsewhere. Each institute workstation has its own Internet connection. The institute’s intention in permitting and encouraging Internet connection is to allow and encourage research, communication, collaboration, information sharing and management, and access to software, in order to fulfil the academic aims and objectives of the various courses.
Internet Security at EHL: Abuse and Misuse
There have been a number of serious security incidents relating to Internet usage, as would be anticipated in a large tertiary organisation. For example, hackers have broken into the institute’s systems at different times, and hackers from within the institute have attacked external organisations. Abuse and misuse are handled informally at present. EHL is aware of Internet risks via the plentiful and regular media publicity given to Internet misuses and breaches in other organisations worldwide. The organisation currently lacks formal Internet security management. There is no formal Internet security strategy, Internet security programme, Internet security policy or Internet acceptable usage policy. There is, however, currently in place a set of computer use regulations which treat Internet security and Internet acceptable use matters in a cursory manner. The institute is subject to the acceptable use policy of AARNet (1995), and therefore also to the policies of Telstra Internet Services, although student users do not currently consult these policies. There are also several firewalls in place to protect isolated parts of the organisation at present, and plans exist for the development of further firewalls. The security policies of those firewalls do not currently provide much protection for student Internet use. Various other technical Internet security measures are in place throughout the organisation; for example, antivirus software is available for students if required.
Case Instrument
A printed questionnaire entitled “Internet Acceptable Use Policy at EHL” was distributed to a class of 55 final-year undergraduate students enrolled in a computing degree. All these students were regular users of the Internet at the time, with free and liberal Internet connection supplied by EHL. 49 students returned the questionnaire, although some questions were answered only partially and others were left unanswered.
The students were informed that the purpose of the questionnaire was to determine:
• Internet risks faced by students at EHL;
• the need for an EHL Internet acceptable usage policy to control student Internet usage;
• guidelines for the content of such a policy; and
• the effectiveness of such a policy, as stated earlier.
The questionnaire consisted of ten sections, each of which addressed one of the risk types portrayed in Figure 1. For each risk type, students were asked:
(a) to indicate a frequency rating with which the risk probably occurred at EHL, using a 0 - 10 rating scale (a Likert-style frequency scale):
0 - 2: Rarely
3 - 5: Occasionally (about once a month)
6: Often (about once a week)
7: About once a day
8: About once an hour
9: About once every five minutes
10: About once a minute, or even more frequently
(b) to describe any incidence of the risk at EHL of which they were aware
(c) to indicate whether a written policy would help to control the risk
(d) to indicate the advice to be given to students in a written policy
(e) to indicate why a policy may not help to control the risk
Thus, an informal risk assessment of each Internet risk faced by EHL was conducted via the questionnaire, using the rating scale requested in question (a) to measure quantitatively the likelihood of a risk occurring, and the students’ comments in question (b) to measure qualitatively the impact of a risk (likelihood and impact being the two major components of risk). Students were specifically requested to assess the effectiveness of an Internet acceptable usage policy in controlling an Internet risk via questions (c), (d) and (e). It should be noted that this risk assessment did not suggest or evaluate any other types of security measures for controlling Internet risks, as other measures were not the focus of this research.
Case Analysis
The analysis which follows is structured according to the risk type sections on the questionnaire (which correspond to the risk types in Figure 1). In view of the size of the sample and its comparatively unrepresentative nature, we have not endeavoured to provide statistical calculations based on the results, believing that the following qualitative analysis provides an indication of opinion rather than a formal investigation of the attitudes of all student Internet users at EHL.
Non-institute (business)-related activities
The majority of students gave this a frequency rating of 8, 9 or 10, indicating that there is indeed a significant level of frivolous Internet usage. One student commented that “85% of the institute Internet usage will be for these activities”. Student after student stated that many students were occupying the computers for non-institute Internet purposes, preventing those having a more serious or academic purpose from using the computers.
Most students believed that a policy would help control this risk type. Many suggestions were made for such a policy, including:
• informing students of those Internet uses which were considered to be misuses
• warning students that only legal Web sites may be visited
• limiting time for student Internet usage, for example to two hours per week
• only permitting Internet usage in some of the laboratories, rather than in all of them
• forcing students to give up computers which are being used for non-academic reasons to others who intend to do valid, academic work
• reporting harassment of other students to the due authority
• filtering transactions to and from student accounts
• spot checking of the laboratories to detect misuses
• banning of multiuser games
• specifying the consequences of frivolous misuse (suggestions ranged from denial or closure of student accounts to expulsion from the institute)
A significant proportion of students did not believe a policy would help with this risk type, many giving reasons such as:
• students would misuse these facilities irrespective of policy (typical comments: “It can’t be stopped”, “the Internet is just too attractive” and “it’s uncontrollable”)
• the purpose of the Internet is to share information
• difficulty in differentiating valid from frivolous usage
• a policy would not work unless it were monitored
• no-one reads policies
Within this particular risk type, students were asked to rate the frequency of occurrence of the following risks:
Excessive email
The majority of students gave this a rating of 8 or 9. One student’s explanation for this was that “Students use Internet email as a social tool”. Many students apparently regularly send personal email to overseas locations. Some students disclose the email addresses of others to chat groups, and these addresses are then bombarded with email.
Impersonation via email
This was not nearly as highly rated as the other risks in this group, mostly scoring from 0 to 4. However, a monthly frequency is still significant, as is the seriousness of this risk.
Surfing
This rated between 6 and 10, and often scored 8, 9 or 10. It was commented on by many students, with most comments being of the following kind: “Students with spare time, or who are bored, always/often surf the Internet”.
Harassment
As with the “impersonation via email” risk, this was not typically highly rated, mostly scoring from 0 to 2. However, several students referred to it in their recommendations for policy sanctions, showing a concern.
Downloading games and images
This was very highly rated, mostly scoring from 7 to 10. Many comments were made about students downloading pornographic/dubious images from the Internet. One comment stated that this occurred during tutorial time (when tutors were in the room), adding “That should be stopped immediately”. Significant numbers also commented on the playing of noisy, multiuser games in the laboratories; for example, one student stated “I personally hate this kind of attitude”. Another referred to “rooms full of people playing games”.
Newsgroups and mailing lists
This was highly rated, mostly scoring from 6 to 10.
Internet Relay Chat
This was highly rated, mostly scoring from 6 to 8.
It is interesting to note that the two “serious” categories of “harassment” and “impersonation via email” were consistently rated the least common risks of the set of risks provided. This suggests that students do not see these undeniably disturbing trends as being common within their environment.
Corrupted or Erroneous Software
This risk type was rated as reasonably frequent, with typical responses in the range 2 to 6. Students referred to downloading “buggy” software or viruses via shareware sites or FTP. Many students believed that a policy would help control this risk type.
Suggestions made for a policy included:
• advice on detecting risky sites and software prior to downloading
• advice to scan downloaded software for viruses prior to use
• advice on virus avoidance procedures
• advice on how to use available antivirus software
• advice against downloading software from other than a recognised source or organisation
Many students commented that a policy would not help, as:
• students will take this risk anyway, in order to obtain the software
• accidental risks cannot be controlled by policy; only deliberate risks can be controlled by policy
Accidental/Deliberate Disclosure
Students knew very little about this risk, commonly assigning it a value of between 2 and 5, with most being unable to cite specific incidences of occurrence. Some rated it as highly as 8. Some students cited the unauthorised reading of email. Students were unable to advise as to how this type of risk could be controlled through policy, other than by issuing a warning and stipulating sanctions.
Pirated Media
Piracy was rated very highly (7 to 10) by almost all students, with several citing the downloading of software with limited trial periods which are deliberately exceeded by students. Many students believed that a policy would help control this risk type. Suggestions made for a policy included:
• severe sanctions
• warning of legal liabilities
• raids
Many students commented that a policy would not help, as:
• software is far too expensive for students to purchase legally
• students will always try to obtain software the cheapest way
Low Quality Data
This risk type was rated between 2 and 7, with a typical rating of 5. Students were given the following examples of this risk type: viewing inaccurate Web pages, viewing inaccurate data from another organisation’s database, or receipt of inaccurate email. Many students described the receipt of email hoaxes warning of viruses, the receipt of low quality email via mailing lists, the receipt of email with corrupted message bodies, inaccurate Web page content (for example, “information about various music bands was inaccurate”), and low quality Web pages (with misleading or ambiguous content). A few students believed that a policy would help control this risk type. Suggestions made for a policy included:
• authenticate Web page data with an authority
• advise that not all Web page information is accurate
Most students, however, did not believe that a policy would help, noting that policies cannot control accidental risks.
Accidental/Erroneous Business Transactions
Students related to the experience of sending email to an incorrect email address, rating this risk type at about 8. Most students did not think that a policy would help, as this was an accidental, rather than deliberate, risk. Those students who felt that a policy would help suggested advising students to double-check the destination address prior to despatching email.
Hacking
Students varied in their rating of this issue, most rating it between 1 and 5, and typically around 3, although some students rated it as highly as 7. These figures suggest that hacking may be happening as often as once a month. Further, the impact may be severe. Some students were able to cite specific incidences of hacking, although many did not know of any specific incidences, despite being aware that hacking was, indeed, occurring. Students who did cite incidences referred to the hacking of their internal accounts by others (note that this may not have involved the Internet), and a few cited an isolated headline-grabbing international incident from several years earlier. Many students believed that a policy would help control this risk type, and made suggestions including:
• indicate the severity with which hacking is regarded
• specify severe sanctions for hacking
• advise how to avoid being hacked
• advise how to protect one’s authentication mechanism, for example, safeguarding one’s password
• advise how to recover after hacking
Many students also commented that a policy would not help, as:
• hacking would still occur (hacking was fun, hackers knew how to avoid being caught, hackers could crack any system, etc.)
• hackers may be non-students, and therefore policies would not apply to them
• people who liked hacking disregarded laws anyway, and policies were essentially laws
Inaccurate Advertising (e.g. via an inaccurate Web site)
Students rated this with extremely varying values in the range 0 - 7. Few were able to discuss this risk or cite an incident.
Many gave the rating 0, indicating a blissful lack of awareness of the possibility of inaccurate advertising material on Web sites. A few students believed that a policy would help control this risk type, making suggestions such as “educate students to differentiate between personal opinion and fact on Web sites”. Some students also commented that a policy would not help, as “internal policy cannot control an external risk”.
Junk Email
Most students rated this risk type at around 5, frequently citing the receipt of chain mail. Some students cited receipt of email from commercial companies who had obtained their email addresses somehow. It was felt by the majority that a policy could not control this risk type. A few students believed that a policy would help to control this risk type, making suggestions including “advise students not to send junk mail”.
Internet-transferred Threats
This risk type refers to problems in other Internet components exposed to security breaches. All students rated this in the range 0 - 2, and were unable to cite any specific incidences. Nevertheless, a few students believed that a policy would help to control this risk type, making suggestions such as “advise students how to recover from Internet-transferred threats”.
General comments made in favour of an Internet acceptable usage policy also included:
• policy should be distributed when students first register
• policy is essential to limit the liability of EHL should a breach occur
• there should be policing of policy, and sanctions for misuse
• support is required for written policy, for example, online advice when a risk threatens
Some comments made many times over against Internet acceptable usage policy, for all the risk types, included:
• using the Internet is fun, and therefore policy will be unsuccessful
• students do not check or follow policy (“too lazy”, “won’t read it”, “will forget it”, or “won’t listen” until confronted with a related problem)
• some students will always deliberately break rules
• there is no way to enforce a policy
The case study results signal the existence of significant Internet risks, and the need to take actions for their control, but suggest that students find it as difficult to propose ways of controlling Internet misuse as organisations do.
It was clear from the tone of many of the responses that there is general dissatisfaction with those students who are indulging in non-institute Internet activities at the expense of other students wishing to engage in valid academic pursuits. Students are uncertain of their rights and responsibilities vis-à-vis Internet connection, and have a touching but as yet undeserved faith and optimism in the Internet, its infrastructure and what it stands for. At present, most lack the necessary awareness and education required to instil the missing Internet skills and knowledge. Policies will go some of the way to addressing this situation, but much more is obviously needed.
Conclusion
Our case study found that EHL was, indeed, facing and experiencing the Internet risks depicted in Figure 1, to varying degrees, with respondents making it abundantly clear that they required far greater control of their Internet environment. EHL has thus far handled the associated problems and issues as they have arisen, and lacks an Internet security management infrastructure which would allow any developed policy to be effective. Students at EHL were found to be experiencing the sorts of difficulties which arise when management of a critical work tool is inadequate or absent. They expressed uncertainty over the effectiveness of an Internet acceptable usage policy, indicating a lack of confidence in supporting infrastructures for policies, no doubt founded on past experiences. These experiences and attitudes, while clearly representative only of a small group, suggest that similar experiences and attitudes might well be occurring in the business environment. An extended survey of such views is planned as a later stage of the longer-term research project of which the current study forms a part. It is clear from this case study that some guidelines for achieving effective Internet acceptable usage policies are needed.
A set of criteria for this purpose has been proposed in Lichtenstein and Swatman (1997), and is summarised below:
• an initial Internet strategy to define valid Internet uses
• an Internet security management programme, featuring a range of elements including: an Internet security policy (containing the Internet acceptable usage policy), policy education and awareness sessions, policy monitoring, compliance procedures, and technical measures that implement policy (such as firewalls)
• an initial Internet risk assessment to determine the significant Internet risks to be addressed by the Internet acceptable usage policy
• subpolicies in the Internet acceptable usage policy to address the identified significant Internet risks
• active Internet acceptable usage policy support through education and training
• specification of relevant Internet laws in the Internet acceptable usage policy
• an Internet acceptable usage policy which reflects the organisation's specific culture in terms of degree of restrictiveness, netiquette, responsibilities, duties and accountability
• unambiguous lists of acceptable and unacceptable Internet usages
• well-defined roles and responsibilities in the Internet acceptable usage policy
• clear sanctions for non-compliance in the Internet acceptable usage policy
• references to other relevant policies (for example, a Code of Conduct) in the Internet acceptable usage policy

The present research has clearly demonstrated the arguments for an organisational Internet acceptable usage policy, and has provided new evidence for use of the above set of criteria in order to support the policy and hence make it effective. The combination of increasing levels of Internet risks to organisations and ever-increasing organisational and employee expectations of Internet usage suggests that an organisation's Internet acceptable usage policy should form a critical element within an organisation's Internet security management infrastructure.
References
AARNet (1995) "Policy on Allowed Access to the Internet via AARNet Members". URL http://www.avcc.edu.au/avcc/aarnet/aarnpols/access.htm
Abell W. and Lim L. (1996) "Business Use of the Internet in New Zealand: an Exploratory Study", in Proceedings AUSWEB 96 - The Second Australian World Wide Web Conference, Southern Cross University, Gold Coast, Australia.
AHERF (1995) "AHERF (Allegheny Health, Education and Research Foundation) Internet Acceptable Use Statement". URL http://www.mcphu.edu/campus/howto/policies/aup.html
Benbasat I., Goldstein D.K. and Mead M. (1987) "The Case Research Strategy in Studies of Information Systems", MIS Quarterly, 11(3), September, 369-386.
Bloch M., Pigneur Y. and Segev A. (1996) "Leveraging Electronic Commerce for Competitive Advantage: a Business Value Framework", in Proceedings of the Ninth International Conference on EDI-IOS, Bled, Slovenia.
Bonoma T.V. (1985) "Case Research in Marketing: Opportunities, Problems and a Process", Journal of Marketing Research, 22, May, 199-208.
Brockway D.W. (1996) "Knowledge technologies and business alignment", Information Management & Computer Security, 4(1), MCB University Press.
Cavazos E.A. (1994) Cyberspace and the Law: Your Rights and Duties in the Online World, MIT Press.
Cheswick W. and Bellovin S. (1994) Firewalls and Internet Security, Addison-Wesley Publishing Company, Massachusetts, USA.
Cockburn C. and Wilson T.D. (1996) "Business Use of the World-Wide Web", International Journal of Information Management, 16(2).
Cohen F.B. (1995) Protection and Security on the Information Superhighway, John Wiley & Sons, Inc.
Condon J.C. and Yousef F. (1985) An Introduction to Intercultural Communication, MacMillan.
Cronin B., Overfelt K., Fouchereaux K., Manzvanzvike T., Cha M. and Sona E. (1994) "The Internet and Competitive Intelligence: a Survey of Current Practice", International Journal of Information Management, 14.
D'Alotto L.J. (1996) "Internet Firewalls Policy Development and Technology Choices", in Proceedings of the 19th National Information Systems Security Conference, Baltimore, MD, USA.
Doddrell G.R. (1995) "Information security and the Internet", Information Management & Computer Security, 3(4), MCB University Press.
EC (1995) "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data", Official Journal of the European Communities, 23rd November, No. L 281.
Ernst & Young (1996) "The Ernst & Young International Information Security Survey 1995", Information Management & Computer Security, 4(4), MCB University Press.
FNC (Federal Networking Council) (1995a) "Federal Internet Security Plan (FISP)", Federal Networking Council, Security Working Group, U.S.
FNC (Federal Networking Council) (1995b) "FEDERAL INTERNET SECURITY - A Framework for Action", Draft, Federal Networking Council, Security Working Group, U.S.
Hartmann A. (1995) "Comprehensive Information Technology Security: A New Approach to Respond Ethical and Social Issues Surrounding Information Security in the 21st Century", in Information Security - the Next Decade, IFIP/Sec '95, Proceedings of the IFIP TC11 Eleventh International Conference on Information Security (Eloff J.H.P. and Von Solms H.S., eds.), Chapman and Hall.
Heard F.T. (1996) "Internet Security Policies and Internet Appropriate Use Policies", in Proceedings of the EDPAC 96 Conference, Perth, Australia.
Hsieh C., Schubert S. and Lin E. (1996) "Potential Risks of Internet Access and Some Management Strategies", Journal of Computer Information Systems, Fall.
IETF (1991) Site Security Handbook (Holbrook P. and Reynolds J., eds.), IETF RFC 1244.
Kohl U. (1995) "From Social Requirements to Technical Solutions - Bridging the Gap with User-Oriented Data Security", in Information Security - the Next Decade, IFIP/Sec '95, Proceedings of the IFIP TC11 Eleventh International Conference on Information Security (Eloff J.H.P. and Von Solms H.S., eds.), Chapman and Hall.
Lichtenstein S. (1996a) "Internet Acceptable Usage Policy", Computer Audit Update, Elsevier Advanced Technology, UK, December.
Lichtenstein S. (1996b) "Internet Acceptable Usage Policy: Human Issues", Working Paper 10/96, Department of Information Systems, Monash University, Melbourne, Australia.
Lichtenstein S. (1997) "Developing Internet Security Policy for Organisations", in Proceedings of the Thirtieth Annual Hawaii International Conference on System Sciences (Nunamaker J.F. and Sprague R.H., eds.), Hawaii, IEEE Computer Society Press, Los Alamitos, California.
Lichtenstein S. and Swatman P.M.C. (1997) "Effective Internet Acceptable Usage Policy for Organisations", submitted to the Tenth International Bled Electronic Commerce Conference, Bled, Slovenia.
Logan M. and Logan R. (1996) "Alignment: How to do Business on the Internet", in Proceedings INET 96, Montreal, Canada.
Logan R. (1995) The Fifth Language, Stoddart, Toronto.
Mathieu R.G. and Woodard R.L. (1995) "Data integrity and the Internet: implications for management", Information Management & Computer Security, 3(2), MCB University Press.
Nance K.L. and Strohmaier M. (1995) "Ethical Information Security in a Cross-Cultural Environment", in Information Security - the Next Decade, IFIP/Sec '95, Proceedings of the IFIP TC11 Eleventh International Conference on Information Security (Eloff J.H.P. and Von Solms H.S., eds.), Chapman and Hall.
NASA (1996) NASA Internet Acceptable Usage Policy, NASA, U.S.
NIIAC (1995) Commentary on the Privacy and Related Security Principles, Mega Project III of the National Information Infrastructure Advisory Council, U.S.
NIST (1994a) Reducing the Risks of Internet Connection and Use, Computer Systems Laboratory Bulletin, U.S.
NIST (1996) The World Wide Web: Managing Security Risks, Computer Systems Laboratory Bulletin, U.S.
NRC (1991) Computers at Risk: Safe Computing in the Information Age, System Security Study Committee, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications, National Research Council, National Academy Press.
NSFNET (1992) The NSFNET Backbone Services Acceptable Use Policy. URL http://www.haystack.edu/ysp/computer/nsfnet.html
OECD (1992) Guidelines for the Security of Information Systems, OECD/GD(92)190, Paris.
Olson I.M. and Abrams M.D. (1995) "Information Security Policy", in Information Security: an Integrated Collection of Essays (Abrams M.D., Jajodia S. and Podell H.J., eds.), IEEE Computer Society Press, Los Alamitos, California.
Pethia R., Crocker S. and Fraser B. (1991) Guidelines for the Secure Operation of the Internet, IETF RFC 1281.
Poon S. and Swatman P.M.C. (1995) "The Internet for Small Businesses: an enabling infrastructure for competitiveness", in Proceedings of the Fifth Internet Society Conference, Hawaii, June, 221-231.
Poon S. and Swatman P.M.C. (1996) "Electronic Networking Among Small Business in Australia - An Exploratory Study", in Electronic Commerce for Trade Efficiency and Effectiveness - Proceedings of the Ninth International Conference on EDI-IOS (Swatman P.M.C., Gricar J. and Novak J., eds.), Bled, Slovenia, June 10-12, Moderna Organizacija, Kranj, Slovenia, 446-460.
Quelch J.A. and Klein L.R. (1996) "The Internet and International Marketing", Sloan Management Review, Spring.
Rannenberg K. (1994) "Recent Development in Information Technology Security Evaluation: The Need for Evaluation Criteria for Multilateral Security", in Proceedings of Security and Control of Information Technology in Society (Sizer R., Yngstrom L., Kaspersen H. and Fischer-Hubner S., eds.), IFIP Transactions A43, Elsevier Science B.V. (North-Holland).
Stallings W. (1995) Internet Security Handbook, IDG Books Worldwide, Inc.
TIOcom (1996) Terms and Conditions for User Access and User Services, The Internet Outsourcing Group. URL http://www.tio.com/terms.html
Wood C.C. (1995) "Writing InfoSec Policies", Computers & Security, 14.
Yin R.K. (1989) Case Study Research: Design and Methods, Revised Edition, Sage Publications, Newbury Park, London.
Yngstrom L. (1995) "A Holistic Approach to IT Security", in Information Security - the Next Decade, IFIP/Sec '95, Proceedings of the IFIP TC11 Eleventh International Conference on Information Security (Eloff J.H.P. and Von Solms H.S., eds.), Chapman and Hall.
Biographies

Sharman Lichtenstein
Sharman Lichtenstein is a Senior Lecturer within the Department of Information Systems at Monash University in Melbourne, Australia. She worked for many years as a programmer and systems analyst before entering academic life. Sharman has lectured and published widely in the areas of information systems and information security, and has also been extensively involved in information security research, consulting and university teaching and course development. She is currently undertaking a PhD in "Internet Security Policy for Business".

Paula Swatman
Associate Professor Paula Swatman spent over ten years working in the banking and information technology industries before moving into academic life in 1988. She is currently Deputy Head of the Department of Information Systems at Monash University, where she also leads the Electronic Commerce Research Group. Paula researches and teaches in the areas of inter-organisational systems, supply-chain management, virtual communities, Internet-based electronic commerce and information security. She has presented widely on her areas of interest, both within Australia and overseas, in addition to consulting to both private and public sector organisations.