Six Design Theories for IS Security Policies and Guidelines

Abstract

The unpredictability of the business environment drives organizations to make rapid business decisions with little preparation. Exploiting sudden business opportunities may require a temporary violation of predefined information systems (IS) security policies. Existing research on IS security policies pays little attention to how such exceptional situations should be handled. We argue that normative theories from philosophy offer insights on how such situations can be resolved. Accordingly, this paper advances six design theories (the conservative-deontological, liberal-intuitive, prima-facie, virtue, utilitarian and universalizability theories) and outlines the use of their distinctive application principles in guiding the application of IS security policies. Based on the testable design product hypotheses of the six design theories, we derive a theoretical model to explain the influence of the different normative theories on the success of IS security policies and guidelines.