Explaining policy differences as a function of diverse governance institutions

Abstract

This study asks the question: “How does the structure of cybersecurity policy relate to differences in structure of policy governance of universities and colleges?” The study has three objectives. First, the study seeks to add to the body of knowledge concerning the relationship between the structure of cybersecurity policy processes and the security policies developed by those processes. Second, the study seeks to demonstrate the usefulness of the Institutional Grammar Tool, Rules Configurations, and other methods employed to analyze institutional configurations. Third, the study seeks to provide pragmatic suggestions for cybersecurity practitioners to systematically identify deficiencies in policy structure that contribute to less than optimum outcomes. Research on this question is necessary as no integrative framework exists for describing or predicting how organizations adopt and implement cyber security policy. The study proposes such a framework by integrating an ideal model for cyber security governance with the principles of the Institutional Analysis and Design framework (IAD). Four research universities of the University System of Georgia are subjected to a cross-case comparison of information security policies. Interviews and policy documents provide a database of institutional statements that are analyzed using IAD methods and tools. Prior research suggests that elements of policy structure, such as how the policy fits the organization’s objectives and culture, are linked to policy effectiveness. Research also suggests that how those elements of policy structure reflect external threats and organizational factors are determined by how the cybersecurity policy development is integrated into the governance of university wide policy. In addition to demonstrating the utility of an integrated approach to studying the problem of creating effective policy, findings demonstrate how a well-integrated cybersecurity governance structure provides better fit, constructs policies of appropriate scope, and is more likely to include the components of governance necessary for policy effectiveness. Findings also suggest that policy form, the readability of policy, may be improved if the documents are analyzed using the institutional grammar tools suggested by the IAD and if collaboration with users and managers to construct policy is encouraged. The capability of the methods employed by the study to identify deficiencies in cyber security governance structure that are manifested in less effective policy outcomes may aid policy makers as they strive to develop policy solutions to an ever changing security threat