4.5 Article

Information security policy compliance-eliciting requirements for a computerized software to support value-based compliance analysis

Journal

COMPUTERS & SECURITY
Volume 114, Issue -, Pages -

Publisher

ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2021.102578

Keywords

Information security management; Information security policy; Compliance; Computerized support; Value-based compliance

Funding

  1. Swedish Civil Contingencies Agency [2018-13755]

There is a risk of noncompliance with information security policies when end users have to prioritize between different rationalities in organizations. The purpose of this paper is to elicit a set of requirements for computerized software that supports analysis of competing rationalities in relation to end users' compliance and non-compliance with information security policies.
When end users have to prioritize between different rationalities in organisations, there is a risk of noncompliance with information security policies. Thus, in order for information security managers to align information security with the organisations' core work practices, they need to understand the competing rationalities. The Value-based compliance (VBC) analysis method has been suggested to this end; however, it has proven to be complex and time-consuming. Computerized software may aid this type of analysis and make it more efficient and executable. The purpose of this paper is to elicit a set of requirements for computerized software that supports analysis of competing rationalities in relation to end users' compliance and non-compliance with information security policies. We employed a design science research approach, drawing on design knowledge on VBC, and elicited 17 user stories. These requirements can direct future research efforts to develop computerized software in this area. (C) 2021 The Authors. Published by Elsevier Ltd.