Cybersecurity Policies Implementation: A Theoretical Model Based on Process Thinking Perspective
In today's digital age, the Internet is a platform upon which several aspects of social and business interactions are conducted. In the business sense, organisations use the Internet to facilitate tasks, store data, and gain access to information. However, since the Internet was originally conceived as an open and fault-tolerant network, businesses are vulnerable to cyberthreats. Cybersecurity is crucial in the current digital era to protect critical infrastructure and data. To reduce risks and protect assets, organisations must prioritise security despite its challenges. Security risks are always changing, and keeping abreast of compliance standards presents new organisational challenges. To address both these issues, organisations must develop thorough cybersecurity policies. A cybersecurity policy is a set of guidelines, directives, and instructions created to require all end users, networks, and systems operating within an organisation to adhere to minimum standards for IT security and data protection. This study creates a process-based model of how IT department personnel should implement cybersecurity policies. A review of the literature on the implementation of cybersecurity policies revealed how different factors, such as management support, cybersecurity governance, integrated cybersecurity auditing, and organisational culture, affect their implementation. The analysis in this research shows that process research is necessary to advance the current understanding and procedures in the field of cybersecurity policy implementation. The thesis specifically responds to three research questions: (RQ1) What factors and contextual conditions influence the implementation of cybersecurity policies in organisations? (RQ2) What are the processes IT managers go through when implementing cybersecurity policies within IT departments? (RQ3) How can these processes be depicted in a model?
This study espouses a qualitative method with inductive thinking and an interpretive perspective to create the model. To determine which elements affect the execution of cybersecurity policies and how they do so, a set of three case studies was constructed around twenty-five semi-structured in-depth interviews. The study concentrated on contextual and procedural aspects involved in implementation. The theory developed from the empirical data suggests that the goals and behaviours of the members of the IT department (e.g., the head of IT, senior IT management, and IT professionals), the procedures they follow, as well as the organisational context in which they are carried out, have a significant impact on the implementation of cybersecurity policy.
The study posits a substantive theory that includes a schematic model with five subprocesses—phase 1 (identifying assets), phase 2 (planning and drafting policies), phase 3 (implementing policies and deployment), phase 4 (improvement), and phase 5 (evaluation)—and a number of theoretical claims. By discussing the ideas with references to the literature, the thesis increases the validity and applicability of theory development from case studies. Risk assessment, policy review, policy training and awareness, and monitoring and updates are the four main dynamic links that connect these five critical activities. These connections examine how the contextual conditions and factors that lead to an efficient cybersecurity policy implementation remain over time.
The resulting model, which is based on the literature, data collected, and their interpretation using process thinking theory, is intended to help IT organisations by making the implementation of cybersecurity policies easier to track.
History
Principal supervisor: Dr. Justin Pierce
Additional Supervisor 1: Dr. Neda Azizi
Year of award: 2024
Course: Master of Philosophy
Faculty: Education