Information security policy compliance-eliciting requirements for a computerized software to support value-based compliance analysis

Abstract

When end users have to prioritize between different rationalities in organisations there is a risk of non-compliance with information security policies. Thus, in order for information security managers to align information security with the organisations’ core work practices, they need to understand the competing rationalities. The Value-based compliance (VBC) analysis method has been suggested to this end, however it has proven to be complex and time-consuming. Computerized software may aid this type of analysis and make it more efficient and executable. The purpose of this paper is to elicit a set of requirements for computerized software that support analysis of competing rationalities in relation to end users’ compliance and non-compliance with information security policies. We employed a design science research approach, drawing on design knowledge on VBC and elicited 17 user stories. These requirements can direct future research efforts to develop computerized software in this area.