
Effective Internet Acceptable Usage Policy for Organisations [i]

Sharman Lichtenstein
and
Paula M.C. Swatman

Department of Information Systems, Monash University,
26 Sir John Monash Drive, Caulfield East, Victoria, 3145, Australia.
Email: sharman.lichtenstein@is.monash.edu.au, paula.swatman@is.monash.edu.au
Phone: +613-9903 2703, +613-9903 2768
Fax: +613-9903 2005

Abstract
With the Internet increasingly being used for the conduct of electronic commerce, organisations are
now cognisant of the need to control their employees’ usage of the Internet. Little research has been
conducted to date into this important concern. An Internet acceptable usage policy is one vehicle for
providing this control, containing guidelines for employees indicating both acceptable and
unacceptable Internet usages. The policy aims to control those employee behaviours and actions
which contribute to the incidence and severity of internal and external Internet risks, while enabling
employees and the organisation to gain maximum business value from the Internet connection. This
paper explores the issues to be considered in the development of an organisation’s Internet
acceptable usage policy, using a case study of a large, Australian organisation to illustrate the
issues. A set of criteria for an effective Internet acceptable usage policy is proposed as a result of this
research.

Introduction
Organisations have readily adopted the Internet as a revolutionary technology for electronic commerce
without justification via either a business case or an Internet strategy (Miers et al., 1996; Lawrence
et al., 1996). However, information systems managers recently underlined the importance of ensuring
that business objectives and added business value drive information technology investments (Broadbent
et al., 1995). Hence, organisations must now look towards developing effective organisational Internet
strategies that direct Internet usage towards the integration and alignment of organisational business
processes with business objectives (Logan, 1995; Logan et al., 1996; Brockway, 1996; Poon and
Swatman, 1995; 1996) and towards the attainment and maximisation of added business value (Cronin
et al., 1994; Bloch et al., 1996; Cockburn et al., 1996; Quelch et al., 1996).

An effective organisational Internet strategy must also cater for diverse problems which may arise as a
result of Internet connection. The diffusion of the Internet within the workplace has introduced serious
new organisational security concerns (Cockburn et al., 1996; Ernst & Young, 1996; Abell and Lim,
1996). The Internet's many vulnerabilities are being exploited by hackers, competitors, disgruntled
employees and ex-employees, often resulting in damage, disruption and uncertainty (Doddrell, 1995).
These vulnerabilities are not likely to disappear in the foreseeable future (Doddrell, 1995): many
employees who have been granted connection to the Internet for valid business reasons have been
misusing or abusing it from a lack of awareness of the Internet’s insecurities, a lack of awareness of
valid, value-adding business Internet usages, or from malicious intent.

[i] This paper was published in the proceedings of Bled'97, the 10th International Conference on Electronic
Commerce, Bled, Slovenia, June 9-11, pp. 503-522.

The Internet’s vulnerabilities and their escalating exploitation both internally and externally, suggest
that an organisation’s Internet strategy should include plans for an Internet security management
programme comprising measures which address organisational Internet risks and other Internet security
concerns. These measures range from policies and procedures through to technological safeguards such
as firewalls (Doddrell, 1995). Policies, procedures, standards and other management instructions are
considered critical in providing information security, being aimed at controlling the decisive human
factor (Wood, 1995): in this case, the employees.

The Internet acceptable usage policy addresses the employee factor in Internet security and Internet
business value maximisation, its purpose being “to direct staff in the use of Internet services so use will
be acceptable to the public and the (organisation)” (Heard, 1996). The policy contains guidelines for
employees indicating both acceptable and unacceptable Internet usages, with the aim of controlling
those employee behaviours and actions that contribute to the organisation’s Internet risks, while
maximising the benefits to be gained by the organisation through Internet usage.

The aim of this paper is to propose a set of criteria for an effective organisational Internet acceptable
usage policy. This will be achieved by identifying issues from the literature as well as those recognised
in existing policies, exploring these issues further by means of a case study of a large, Australian
organisation, and finally drawing conclusions. It should be noted that the paper focuses on the security
function of the Internet acceptable usage policy — the use of the Internet acceptable usage policy for
the protection of the organisation and its employees from Internet risks — rather than its equally
important use for Internet business value maximisation.

This research study provides:

• a justification of the need for Internet acceptable usage policy in organisations;
• an improved understanding of the Internet risks faced by organisations;
• an appreciation of holistic issues in Internet acceptable usage policy for organisations; and
• a set of criteria to be met for achieving an effective Internet acceptable usage policy.

The research results contribute towards the development of comprehensive and effective Internet
acceptable usage policy for organisations that use the Internet for electronic commerce.

Existing Internet acceptable usage policies were developed for Internet service providers (ISP) (for
example, TIOcom, 1996), network providers connecting organisations to the Internet (for example,
NSFNET, 1992), or non-ISP and non-network provider organisations (for example, AHERF, 1995;
NASA, 1996). This paper focuses on the last of these three groups — Internet acceptable usage policies
for non-ISP and non-network provider organisations.

In this paper, we initially overview developments in Internet acceptable usage policy, drawing attention
to shortcomings in existing approaches. We then present a model of the Internet risks faced by
organisations, followed by a summary of the various holistic issues whose consideration will increase
the likelihood of an effective Internet acceptable usage policy. We next discuss the research method
selected for this study, and continue with a description and discussion of the case study. Finally, we
propose a list of criteria to be met for an effective organisational Internet acceptable usage policy, and
outline current and planned research activities.

Internet acceptable usage policy

This section summarises developments in the area of Internet acceptable usage policy for business. An
Internet acceptable usage policy can be positioned within a company's information security management
infrastructure. One view (Lichtenstein, 1997) recommends that an organisation mount a corporate
information security programme containing many elements, one of these being the Internet security
management programme featuring an Internet security policy — itself comprised of a number of
subpolicies, including: an Internet information protection policy, an Internet information access policy,
an Internet publication policy, an Internet employee privacy policy and the Internet acceptable usage
policy. An essential point to make here is that the Internet acceptable usage policy serves two major
organisational functions — it is not only a security policy, but also an instrument for specifying the
valid Internet usages which support the business objectives of the company and maximise added
business value. As stated earlier, this research concentrates on the security function of the policy, rather
than its added business value function.

While Internet security policies have been given some attention in recent years (IETF, 1991; Pethia
et al., 1991; FNC, 1995a; Lichtenstein, 1997), research into Internet acceptable usage policies is
scarce. Lichtenstein (1996a) describes an approach to the development of such policies, incorporating a
risk assessment of the Internet risks faced by organisations, as well as a consideration of important
holistic issues. Oliver (1997) describes a schema for use in the development of corporate policies for
electronic commerce. In this schema, electronic commerce constituents (employees, customers,
suppliers, etc) are cross-matched with components of electronic space (Intranet, Internet, Web sites,
etc) in order to identify the relevant Internet security issues to be addressed by a corporate electronic
commerce policy.

Other research includes the production of an early set of guidelines for the structure and content of such
policies by The Internet Security Committee of British Columbia, reported in Heard (1996). Heard’s
guidelines recommend that an Internet acceptable use policy contain subpolicies which advocate: high
employee ethical standards, business-only usage, adherence to copyright and licensing laws, and
nondisclosure of confidential information. Acceptable business usages cited are business
communications, professional development communications, and pre-approved postings (unless
disclaimers are attached). Unacceptable business usages cited include non-business related postings,
interference or disruption to other Internet participants, distribution of malicious, rude, obscene or
harassing material, and personal financial gain. The guidelines also stipulate definitions for roles and
responsibilities for individuals and groups, and articulation of sanctions for non-compliance.

Valuable research into defining a comprehensive set of beneficial business usages of the Internet has
been carried out by a number of researchers (for example, Bloch et al., 1997). Such taxonomies may
be of use in deriving a set of acceptable business Internet usages for the Internet acceptable usage
policy. Further guidance in policy structure and content may be obtained from empirical data in the
form of existing policies (for example, AHERF, 1995; NASA, 1996). A final aspect to consider is that
in any Internet acceptable usage policy, there is often cautionary advice warning users that the
acceptable use policies of other organisations and networks unknowingly utilised during Internet
connection may apply, and these may constrain acceptable usage (in other words, there may be several
Internet acceptable use policies with which an Internet user must be compliant).

We suggest that inadequacies in current guidelines (for example, those of Heard, 1996) and existing
policies include: highly general subpolicies which are never made specific, ambiguity, ad hoc
specification of acceptable value-adding Internet usages, the omission of reference to any underlying
corporate Internet strategy and ad hoc, limited identification of the Internet risks faced by the
organisation. It should be noted that the Internet acceptable usage policy itself requires support through
other company policies (for example, the company Code of Conduct), Internet awareness and training
sessions, operational procedures and technical mechanisms (for example, firewalls).

Internet risks for organisations

This section overviews Internet risks being faced by organisations engaged in electronic commerce — it
is the employee factor in these risks that is addressed by the Internet acceptable usage policy. Losses
being sustained by organisations due to Internet risks include: the existence of corrupted, erroneous or
pirated software on the organisation's systems, erroneous data, misinformation, loss of privacy,
damaged employee reputations, and monetary or credit damage (NIST, 1996). Hence, Internet risks
should be taken very seriously indeed.

A model of Internet risks for an organisation is illustrated in Figure 1 (a detailed description of each
risk type may be found in Lichtenstein (1996a, 1997)). This model has been compiled from earlier
findings (for example, Cheswick et al., 1994; NIST, 1994a, 1996; Cohen, 1995; Stallings, 1995; FNC,
1995b). Both deliberate and accidental types of risks have been included, although the difference
between deliberate and accidental is often extremely difficult to determine (for example, Vanbokkelen
(1990) remarked that “Security is subjective; one site might view as idle curiosity what another would
view as a hostile probe”).

In Figure 1, the central circle denotes an organisation with Internet connection. The outer ring labelled
‘Other Internet Participants’ denotes other members of the Internet community. The two-way arrows
portray Internet risks that can emanate from within the organisation and affect other Internet
participants, or that can emanate from other Internet participants and affect the organisation. Each
arrow represents a different type of Internet risk.

[Figure 1: Internet Risks for an Organisation. The figure shows a central circle labelled ‘Organisation’
inside an outer ring labelled ‘Other Internet Participants’, joined by two-way arrows, one per risk type:
non-business activities; corrupted or erroneous software; Internet-transferred threats;
accidental/deliberate disclosure; accidental/erroneous business transactions; pirated media; hacking;
low quality data; inaccurate advertising; junk email.]

Note that although many risks included in the model may exist even without an Internet connection (for
example, ‘corrupted or erroneous software’), the Internet manifestations of these risks are distinctive,
and are exacerbated by the global scope and magnitude of access provided via the Internet. Hence,
Internet risks deserve Internet-specific policy for effective control. A risk assessment of the Internet
risks will enable an Internet acceptable usage policy to be developed which controls the risks and hence
limits the losses incurred. Employees should be made aware through the policy and supporting
education of the significant risks, consequent losses and recommended remedies.

Holistic issues in Internet acceptable usage policy


This section summarises holistic issues that impact Internet acceptable usage policy (a detailed
discussion may be found in Lichtenstein (1996a, 1996c)). Recently, researchers have argued for
holistic perspectives of information security (for example, Hartmann, 1995; Olson et al., 1995;
Yngstrom, 1995; Lichtenstein, 1996a, 1996b, 1996c, 1997), suggesting that Internet acceptable usage
policy, too, should reflect a holistic perspective of organisational Internet security.

Legal issues

It is incumbent upon an organisation to be aware of relevant laws and standards prior to setting policy.
An extensive treatment of legal issues in cyberspace may be found in Cavazos et al. (1994). The
Internet acceptable usage policy must notify employees of illegal Internet operations.

Managerial, administrative and operational issues

Critical managerial measures which support the Internet acceptable usage policy include: management
commitment; an effective Internet strategy which specifies valid, value-adding Internet usages; a
comprehensive Internet security management programme centred on Internet security policies and
Internet acceptable usage policies; Internet education; and Internet security awareness. Administrative
and operational tasks must also be defined (for example, the procedures for applying, monitoring and
auditing security policies (Branstad et al., 1995)).

Technical issues

Procedures must be specified for ensuring that appropriate technical mechanisms (for example,
firewalls) are selected, configured, installed, and monitored.

Human issues

Extensive work has been carried out to determine human information security requirements and human
Internet security requirements (for example, Kohl, 1995; Nance et al., 1995; Condon et al., 1985;
NIIAC, 1995; EC, 1995; Rannenberg, 1994). Many important human issues of concern to employees
must be considered in order to develop an effective Internet acceptable use policy.

National and organisational cultural differences, and netiquette

Cultural differences impact heavily on individual ethical behaviour and the effectiveness of Internet
communication and collaboration. Some guidance as to the handling of cultural differences is therefore
advisable within the Internet acceptable usage policy. An organisation may wish to specify Internet user
etiquette (netiquette) to suit its peculiar culture, within the Internet acceptable usage policy.

Rights and freedoms

Employee rights and freedoms should be recognised within an Internet acceptable usage policy. An
employee's right to privacy is especially important within the context of global exposure (for example,
employees may not desire personal information about themselves to be published and made available on
the Internet via Web pages or other postings). Employees will not only demand their rights but also
their freedoms in the workplace, as illustrated by the traditionally permitted (albeit limited) personal
usage of the office telephone. In many organisations, a total ban on personal usage of the Internet may
cause resentment or indeed strong protest from employees, who may feel that they should be completely
free to send personal email, surf the Internet, download games and images, subscribe to listservers, and
so forth. Cultural patterns will influence the amount and types of freedom which employees expect.

Responsibilities, duties and accountability

Specific policies must clarify business and nonbusiness usages of the Internet, although it may be
increasingly difficult to define a given usage as personal or business, as communication and
collaboration may involve personal exchanges as a cultural expectation (see earlier discussion on
culture). Employees may be held accountable for their Internet activities as well as for residual system
conditions after an Internet misuse or abuse. Policies which clarify employee accountability are
essential, yet extremely difficult to formulate. For example, data exchanged by employees over the
Internet may be of poor quality, yet current legal and ethical guidelines for determining liability and
accountability for the quality of Internet information are inadequate (Mathieu et al., 1995). In such
conditions, how can policies lay the blame for poor data quality upon the employee?

Non-Compliance

Sanctions for breaching the policy should be clearly defined and should be acceptable to employees.

Research method
This section discusses our use of a single case study to illustrate the research topic. Bonoma suggests
that case research methods are useful where "a phenomenon is broad and complex, where the existing
body of knowledge is insufficient to permit the posing of causal questions and when a phenomenon
cannot be studied outside the context in which it occurs" (Bonoma, 1985). Benbasat, Goldstein and
Mead provide additional support for the use of the case study approach to investigate "certain types of
problems: those in which research and theory are at their early, formative stages; and sticky,
practice-based problems where the experiences of the actors are important and the context of action
is critical" (Benbasat, Goldstein and Mead, 1987).

Yin believes that the reason for selecting one particular research strategy over another is determined by:
"three conditions, consisting of (a) the type of research question posed, (b) the extent of control an
investigator has over actual behavioural events, and (c) the degree of focus on contemporary as
opposed to historical events" (Yin, 1989). He then notes that although the research strategies are not
mutually exclusive, it is possible to identify situations where one particular strategy is of particular
usefulness. He suggests that case studies are especially useful when the researcher is attempting to
answer a “how” or “why” question over which s/he has little control - an example which is relevant to
the present project.

Benbasat, Goldstein and Mead have also set out a list of questions intended to assist the prospective
researcher determine whether or not the case study approach is appropriate to his/her topic (Benbasat
et al, 1987). We apply these questions to Internet acceptable usage policy:

1. Can the phenomenon of interest be studied outside its natural setting?
   No - Internet acceptable usage policies are only relevant to (and within) the organisation
   attempting to develop the policy.

2. Must the study focus on contemporary events?
   Yes - significant organisational use of the Internet in Australia is only 3 years old.

3. Is control or manipulation of subjects or events necessary?
   No - observation and recording will provide the clearest evidence of current events.

4. Does the phenomenon of interest enjoy an established theoretical base?
   No - there is still very little theoretical work being undertaken in this area.

The lack of existing theoretical work suggests that a case study approach is an appropriate research
method for this project. Even though the results of a single case study cannot be generalised to other
organisations, they can certainly provide indicative evidence of the issues under study. We therefore
decided that a single case study would be a suitable approach for illustrating important issues to be
considered in the development of an Internet acceptable usage policy. It is instructional to note that this
study forms only part of a longer-term research project and that the results of this exploratory pilot case
study have formed the basis for a series of case studies which are currently underway.

A case for Internet acceptable usage policy

This section of the paper describes our case study illustrating Internet risks and holistic issues to be
considered in the development of an Internet acceptable usage policy. The organisation studied is a
large scientific research establishment in Australia, which we have called “Strategic Scientific Research
Institute” (SSRI) for reasons of anonymity. SSRI is planning to develop an Internet acceptable usage
policy in the near future, due to continued growth of the organisation and its Internet connection to
several hundred Internet users by mid-1996. Case data were obtained via two two-hour semi-structured
interviews with SSRI's network manager, whose job duties include responsibility for Internet
management. We initially provide background information about SSRI’s Internet infrastructure and
Internet usage and then present the case results, structured firstly according to the Internet risk types
portrayed in the model in Figure 1, and secondly according to the holistic issues discussed in the
previous section.

SSRI Internet infrastructure and usage

SSRI is located at a single site. Its information technology activities are handled by its Information
Technology (IT) department, staffed by several technical personnel including a network manager and a
departmental manager. Several hundred workstations are connected to the Internet via a LAN
connected to an Australian university Hub. The university utilises AARNet, an internetwork of regional
networks connected to each other and internationally to other Internet participants by Telstra Internet
Services. SSRI has established an Intranet for internal information sharing.

SSRI’s Internet usage grew from single-user several years ago to much larger numbers by mid-1996,
sparking concerns regarding the lack of Internet security measures. There are currently several hundred
Internet users within the organisation, all employees, composed of senior scientists, postgraduate
students, postdoctoral scientists, and support staff. Users share computers, each of which has its own
Internet connection. The scientists mostly utilise the research mechanisms of the Internet for scientific
research purposes and, to a lesser extent, use the Internet mechanisms available for communication and
collaboration, information sharing and management, and access to applications. Electronic trading is
not currently carried out through the Internet, as the relevant suppliers do not at present have Web sites
set up for trading (all purchases are currently fax-based). To date, there have not been any serious
security incidents relating to Internet usage, although a number of small incidents are occurring, as will
be described below.

SSRI Internet risks

SSRI faces many of the Internet risk types illustrated earlier in Figure 1:

Non-business activities

The extent of non-business usage of the Internet during work hours is presently unknown, although it is
estimated that 80% of usage during non-work hours is for nonbusiness purposes (surfing, downloading
games and images, etc). The organisation is concerned that the level and type of nonbusiness usage
during work hours is unknown, although one employee was fired for excessive net surfing. Web sites
visited from a given machine can be checked via a proxy server on which both the machine ID and the
site are logged. Since some machines are shared, however, it would be difficult at present to track
exactly who visited a particular site.

Corrupted or erroneous software

The computers are all virus-protected by anti-virus software. One virus was brought in recently from a
home computer. The risk still remains, however, of employees downloading virus-infested or buggy
software from the Internet.

Accidental/deliberate disclosure

SSRI's scientific research data and results are regarded as sensitive information. SSRI currently does
not stipulate that confidential information should not be disclosed outside the company. However, most
information communicated via the Internet by SSRI researchers is public knowledge, as it has already
been published. Unpublished research information is regarded as ‘secret’, and retains that sensitivity
level until after publication (which typically takes about six months). It would be undesirable for this
‘secret’ information to be disclosed over the Internet via email, Web sites, or other posting mechanisms,
during the pre-publication period. Only a few research projects at any time are in this ‘secret’ state.
Access privileges for relevant SSRI accounts are set and monitored at present, in accordance with the
research information sensitivity levels and the users’ ‘need to know’.

Pirated media

Piracy of Internet software may be occurring, but is actively deterred by removal of illegal software on
detection, accompanied by a warning.

Low quality data

It is not likely that SSRI's scientists would give genuine credence to scientific research data presented
via global Web pages, as the scientists, being highly conservative and traditional, only believe in the
validity of work which has been published in appropriate, esteemed, reputable, scientific, printed
journals. Employees do not currently have their own Web pages, as most do not wish to expend the
effort required to learn how to create them. With the recent development of the internal Intranet,
however, it is more likely that employees will create their own pages, although interest thus far has been
low. In the future, Web pages may be made accessible to the global audience, at which time there
would indeed be a risk of low quality pages.

Accidental/erroneous business transactions

Because there is no electronic trading occurring in the organisation at present, business transactions do
not exist. In the future, however, supplier companies will be setting up facilities for electronic trading
via Web sites, and this risk will then exist.

Hacking

An activity report listing accessed Web sites is scanned manually each day by the network manager,
who is able to spot well-known, troublesome newsgroup addresses. On one occasion, a hacker site had
been accessed several times. The network manager queried the motives for the access with the
employee concerned, and no further irresponsible activity took place. In a separate incident, SSRI was
unsuccessfully attacked by a hacker.
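The daily review of the proxy activity report described above, and the unknown level of non-business usage raised under ‘Non-business activities’, lend themselves to a small script. What follows is an added example, not part of the original paper and not SSRI's own tooling; the log format (timestamp, machine ID, site), the office hours, the watchlist and the sample log records are all constructed assumptions. It flags watch-listed sites per machine and splits requests into work-hours and out-of-hours counts. As the case study notes, attribution stops at the machine: where workstations are shared, the log alone cannot say who sat at the keyboard.

```python
"""Daily proxy-log review: flag watch-listed sites and summarise usage.

Added illustrative example; the log format, watchlist, office hours and
sample records below are constructed assumptions, not case-study data.
"""
from collections import defaultdict
from datetime import datetime

# Assumed proxy log format: "<ISO timestamp> <machine-id> <site>", one record per line.
# Constructed sample records (not taken from SSRI's logs).
SAMPLE_LOG = """\
1996-06-03T09:12:44 ws-lab-07 www.ncbi.nlm.nih.gov
1996-06-03T09:13:02 ws-lab-07 www.ncbi.nlm.nih.gov
1996-06-03T12:40:15 ws-lab-12 hacker-site.example
1996-06-03T19:05:51 ws-lab-12 games.example
1996-06-03T19:06:10 ws-lab-12 games.example
1996-06-03T23:41:03 ws-admin-02 hacker-site.example
1996-06-04T08:59:30 ws-lab-07 warez.example
this line is malformed
"""

# Assumed watchlist of the "well-known, troublesome" addresses the network
# manager wants called out; hypothetical names only.
WATCHLIST = {"hacker-site.example", "warez.example"}

WORK_START, WORK_END = 8, 18  # assumed office hours, 08:00 to 18:00 local time


def parse_log(text):
    """Return a list of (timestamp, machine, site) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2].lower()))
    return records


def watchlist_hits(records, watchlist=WATCHLIST):
    """Map machine -> {site: count} for sites on the watchlist.

    Attribution is per machine only: a shared workstation cannot be tied
    to a person from this log alone.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for _, machine, site in records:
        if site in watchlist:
            hits[machine][site] += 1
    return {m: dict(sites) for m, sites in hits.items()}


def hours_split(records):
    """Count requests made inside and outside the assumed work hours."""
    in_hours = out_hours = 0
    for ts, _, _ in records:
        if WORK_START <= ts.hour < WORK_END:
            in_hours += 1
        else:
            out_hours += 1
    return {"work_hours": in_hours, "out_of_hours": out_hours}


def daily_report(text):
    """Parse one day's log and return the watchlist hits and hours split."""
    records = parse_log(text)
    return {"hits": watchlist_hits(records), "hours": hours_split(records)}


if __name__ == "__main__":
    report = daily_report(SAMPLE_LOG)
    for machine, sites in sorted(report["hits"].items()):
        for site, n in sorted(sites.items()):
            print(f"REVIEW {machine}: {site} accessed {n} time(s)")
    print("requests in/out of work hours:", report["hours"])
```

The report lists the machine, not the user, so a follow-up conversation of the kind the network manager describes is still needed before any conclusion about an individual; a per-user login record on shared machines would be the missing piece.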

Inaccurate advertising

Email and other postings may be misrepresenting official SSRI positions and views; disclaimers are
not required at present. The planned employee home pages will, however, require disclaimers.
Research information posted by the employees at SSRI via Internet mechanisms currently lacks
credibility with global readers, as stated earlier.

Junk email

One employee was mail-bombed after correcting the information in a posting received via a mailing
list. The original poster's ISP rebuked the poster for carrying out the mail-bombing.

Internet-transferred threats

The local university network has had problems which have brought SSRI's network connection down on
several occasions.

Holistic issues in Internet acceptable usage policy at SSRI

A number of different issues for SSRI to consider in the development of its Internet acceptable usage
policy surfaced:

Legal issues

SSRI employees are currently not informed of relevant laws and standards, and it is left up to the
employees to familiarise themselves with these, SSRI being in accord with the old legal slogan:
‘ignorance is no excuse’. The question must be asked whether this approach is still warranted,
considering the risks.

Managerial, administrative and operational issues

SSRI does not possess an Internet security strategy, Internet security management programme, Internet
security policy or Internet acceptable usage policy. The IT departmental manager is totally responsible
and accountable for Internet management. There is no delegation of authority, although a certain
amount of independent activity by other IT staff ensures that the necessary actions to resolve Internet-
related problems are undertaken (with the manager's approval).

The local university through which Internet connection is obtained does not itself inflict any acceptable
usage policy on the organisation. However, the university is subject to the acceptable use policy of
AARNet (1995), and therefore also to the policies of Telstra Internet Services. Users usually do not
check these policies. SSRI's philosophy regarding policies in general is one of ‘user beware’, in the
belief that if existing policies were to be explained or highlighted in any way, users would blame the
organisation when accused of breaching policy, claiming that the relevant policy had either not been
explained at all, or had been inadequately explained! This view can be restated as ‘If you tell users
something, you must tell them everything’, a goal which appears unattainable. As we have already
mentioned, SSRI's supporting philosophy has been ‘ignorance is no excuse’; this is now being regarded
as an untenable attitude.

Technical issues

Although no firewall exists at present, one is planned in the near future, in order to comply with
auditing requirements. Various other technical Internet security measures are provided, however (for
example, antivirus software).

Human issues

SSRI’s culture is one of employee IT usage being controlled by the power of the IT department. Users
are therefore reluctant to misuse the Internet, at least during working hours. This form of control is not
considered ideal, however, and with the steady growth of the organisation (as well as increased numbers
of connected Internet users), SSRI has recognised that it needs an Internet acceptable usage policy. An
important concern voiced, however, is that employees may not consult an Internet acceptable usage
policy, if one existed — except, perhaps, for a few experienced Internet users — although such a policy
could prove useful as a weapon following misuse. At present, the risk of Internet misuse during work
hours is also inadvertently managed by the employees’ immediate managers keeping them occupied with
work-related tasks. A further concern is that employees expect unlimited freedom on the Internet —
they are expected to resent and possibly resist any attempt to curtail their current, unconstrained usage.

Any misuse is handled informally at present, with non-compliant employees being ‘spoken to’. Despite
lacking a prior history of serious breaches, SSRI is nonetheless aware of prevailing and damaging
Internet risks via plentiful and regular media publicity given to Internet misuses and abuses in
organisations world-wide.

Conclusions
In this paper, we have argued for an Internet acceptable usage policy for each organisation employing
the Internet, as a critical managerial measure for reducing the losses incurred due to misuse or abuse of
the Internet, both internally and externally. To this end, we presented a model of Internet risks being
faced by organisations (Figure 1), which such a policy would address, as well as a discussion of the
legal, managerial, administrative, operational, technical and human aspects of Internet acceptable usage
which impinge upon the effectiveness of such a policy. We illustrated the realities of the Internet risks
and the holistic issues by way of a case study. In a companion paper (Lichtenstein and Swatman,
1997), we produced further case study evidence of these risks and holistic issues.

It was stressed at the start of the paper that we have concentrated in this research on the security
function of the Internet acceptable usage policy, rather than its business function of maximising Internet
benefits for the organisation. With both these policy functions in mind, and after considering the
literature to date and the case study, we propose a set of criteria for achieving effective organisational
Internet acceptable usage policies:

1. An organisation must first develop an Internet strategy setting out planned, value-adding, valid
uses of the Internet. These uses should be identified by investigating the ways in which the
Internet may enable business processes which are themselves aligned with business objectives.
The identified uses will then constitute the core, acceptable uses clearly approved within the
Internet acceptable usage policy.

2. An organisation requires a comprehensive Internet security management programme to support
the Internet acceptable usage policy, featuring a range of elements including: an Internet
security policy (which contains the Internet acceptable usage policy); policy education and
awareness sessions; policy monitoring; and a compliance process which handles instances of
non-compliance. Policies should be implemented via firewalls and other technical security
mechanisms.

3. A risk assessment of the Internet risks being confronted by the organisation is required in order
to identify significant Internet risks to be addressed within the policy.

4. Subpolicies to address significant Internet risks should be included within the policy.

5. An organisation should support the policy actively through education and awareness activities,
rather than expecting each employee to familiarise him/herself with the policy independently.

6. Relevant laws should be drawn to the employees’ attention by the policy.

7. The policy should reflect the organisation’s culture in its subpolicies, degree of restrictiveness,
rules for netiquette, and specification of responsibilities, duties and accountabilities.

8. The policy should include unambiguous lists of acceptable and unacceptable Internet uses.

9. The roles and responsibilities of individuals and groups should be clearly defined in the policy.

10. Sanctions for non-compliance should be clearly specified in the policy; however, the compliance
process should allow for discourse and resolution in the event of exceptions.

11. Attention should be drawn within the policy to other acceptable use policies which may apply
(for example, those of network providers providing Internet connection), as well as to other
relevant corporate policies (for example, company code of conduct, and company
confidentiality policy).
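Criteria 2, 8 and 10 above ask for explicit lists of acceptable and unacceptable uses, for policy monitoring backed by technical mechanisms, and for a compliance process that leaves room for discussion rather than automatic sanction. The following Python script is an added illustration of how those three criteria fit together; it is not part of the paper, nor of any policy or system at SSRI. It encodes a constructed policy as data, classifies each line of a constructed proxy-style log as acceptable, unacceptable or "review" (anything the policy does not list), and groups unacceptable accesses per employee as input to the compliance process. The log format, the rule labels and every hostname are assumptions made for the example.

```python
"""Machine-checkable Internet acceptable usage policy and a log check.

Constructed example (not from the paper or from SSRI): the policy rules,
the log line format and every hostname below are assumptions made for
illustration only.
"""
import re
from dataclasses import dataclass

# Decisions the policy can reach for a single access.
ACCEPTABLE = "acceptable"
UNACCEPTABLE = "unacceptable"
REVIEW = "review"  # not listed in the policy: send to a person, not to sanctions


@dataclass(frozen=True)
class PolicyRule:
    label: str            # wording quoted back to the employee in the compliance process
    host_suffixes: tuple  # domain suffixes this rule covers (constructed names)
    decision: str         # ACCEPTABLE or UNACCEPTABLE


# Constructed policy: the acceptable list comes from the Internet strategy
# (criterion 1); the unacceptable list names risks found by the risk
# assessment (criteria 3 and 4). Both lists are explicit, as criterion 8 asks.
POLICY = (
    PolicyRule("approved supplier portals", ("suppliers.example",), ACCEPTABLE),
    PolicyRule("standards and research bodies", ("ietf.org", "nist.gov"), ACCEPTABLE),
    PolicyRule("personal file sharing", ("filedump.example",), UNACCEPTABLE),
    PolicyRule("online gambling", ("casino.example",), UNACCEPTABLE),
)

# Assumed proxy log format: "<timestamp> <user> <host> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$")


def classify(host):
    """Return (decision, label) for a host; unlisted hosts go to review."""
    host = host.lower().rstrip(".")
    for rule in POLICY:
        for suffix in rule.host_suffixes:
            # Exact match or a subdomain of the listed suffix; "notcasino.example"
            # must not match "casino.example", hence the leading dot.
            if host == suffix or host.endswith("." + suffix):
                return rule.decision, rule.label
    return REVIEW, "not listed in the policy"


def check_log(lines):
    """Classify each log line; malformed lines are reported, not silently dropped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append({"user": None, "host": None, "decision": REVIEW,
                             "label": "unparsable log line", "raw": line})
            continue
        decision, label = classify(m.group("host"))
        findings.append({"user": m.group("user"), "host": m.group("host"),
                         "decision": decision, "label": label, "raw": line})
    return findings


def compliance_cases(findings):
    """Group unacceptable accesses by user for the compliance process (criterion 10).

    The result is evidence for a conversation, not an automatic sanction: the
    policy should allow discourse and resolution in the event of exceptions.
    """
    cases = {}
    for f in findings:
        if f["decision"] == UNACCEPTABLE:
            cases.setdefault(f["user"], []).append((f["host"], f["label"]))
    return cases


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1997-03-04T09:15:02 alice www.suppliers.example 20480",
    "1997-03-04T09:20:11 bob casino.example 512",
    "1997-03-04T12:30:45 carol ftp.filedump.example 98304",
    "1997-03-04T14:02:09 alice www.ietf.org 4096",
    "1997-03-04T15:40:00 dave unknownsite.example 1024",
    "garbage line without fields",
]

if __name__ == "__main__":
    results = check_log(SAMPLE_LOG)
    for r in results:
        print(f"{r['decision']:12} {r['user']!s:6} {r['host']!s:28} {r['label']}")
    print("cases for the compliance process:", compliance_cases(results))
```

The design point is the third outcome: a use that appears in neither list is routed to human review rather than treated as a breach, which keeps the policy's lists unambiguous (criterion 8) without turning every unforeseen business use into a disciplinary matter. Each finding carries the rule's own wording, so that the compliance process can quote the policy back to the employee, which addresses the "you must tell them everything" objection voiced in the case study.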

This research summary and case study have highlighted important issues in the role, development,
content and management of Internet acceptable usage policy, as well as the difficulties of planning for
such policies in the early days of Internet diffusion within organisations. Further case studies are
planned, to build on the indicative results obtained. In particular, it would be useful to study a
commercial organisation with the added Internet usage complications engendered by electronic trading.
It is also crucial to investigate in depth the equally important, non-security-related function of Internet
acceptable usage policies — that is, their use for obtaining maximum business benefit from the Internet.
A study of existing policies should further add useful empirical data to build a better picture of the
issues to be addressed. Finally, surveys of employee opinions regarding Internet acceptable usage will
add to an understanding of the important human concerns in developing policy.

References
AARNet (1995) Policy on Allowed Access to the Internet via AARNet Members,
http://www.avcc.edu.au/avcc/aarnet/aarnpols/access.htm, October 11th, 1995 (Accessed October 22nd,
1996).

Abell, W. and Lim, L. (1996) “Business Use of the Internet in New Zealand: an Exploratory Study” in
Proceedings AUSWEB 96 - the Second Australian World Wide Web Conference, Southern Cross
University, Gold Coast, Australia.

AHERF (1995) AHERF (Allegheny Health, Education and Research Foundation) Internet Acceptable
Use Statement, http://www.mcphu.edu/campus/howto/policies/aup.html, November 15th, 1995
(Accessed October 18th, 1996).

Benbasat I., Goldstein D.K. and Mead M. (1987) The Case Research Strategy in Studies of
Information Systems MIS Quarterly, Vol. 11, No. 3, September, 369-386.

Bloch, M., Pigneur, Y. and Segev, A. (1996) "Leveraging Electronic Commerce for Competitive
Advantage: a Business Value Framework" in Proceedings of Ninth International Conference on
EDI-IOS, Bled, Slovenia.

Branstad, D., Oldehoff, A., Aiken, R. and others (1995) "Security Policy for Use of the National
Research and Education Network", in FNC (1995b), Appendix 4.

Bonoma T.V. (1985) Case Research in Marketing: Opportunities, Problems and a Process Journal of
Marketing Research, Vol. 22, May, 199-208.

Broadbent, M., Butler, C., Hansell, A. and Dampney, CNG (1995) "Business Value, Quality and
Partnerships: Australasian Information Systems Management Issues", Australian Computer Journal,
Vol. 27, No. 1.

Brockway, D.W. (1996) "Knowledge technologies and business alignment", Information Management
& Computer Security, Vol. 4, No. 1, MCB University Press.

Cavazos, E.A. and Morin, G. (1994) Cyberspace and the Law: Your Rights and Duties in the On-Line
World, MIT Press.

Cheswick, W. and Bellovin, S. (1994) Firewalls and Internet Security, Massachusetts, USA: Addison-
Wesley Publishing Company.

Cockburn, C. and Wilson, T. D. (1996) "Business Use of the World-Wide Web", International Journal
of Information Management, Vol. 16, No. 2.

Cohen, F.B. (1995) Protection and Security on the Information Superhighway, John Wiley & Sons,
Inc.

Condon J.C. and Yousef, F. (1985) An Introduction to Intercultural Communication, MacMillan.

Cronin, B., Overfelt, K., Fouchereauz, K., Manzvanzvike, T., Cha, M. and Sona, E. (1994) "The
Internet and Competitive Intelligence: a Survey of Current Practice", International Journal of
Information Management, Vol. 14.

Doddrell, G.R. (1995), "Information security and the Internet", Information Management & Computer
Security, Vol. 3 No. 4.

EC (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free movement
of such data, Official Journal of the European Communities, 23rd November, No. L. 281.

Ernst & Young (1996) “The Ernst & Young International Information Security Survey 1995”,
Information Management & Computer Security, Vol. 4 No. 4, MCB University Press.

FNC (Federal Networking Council) (1995a) Federal Internet Security Plan (FISP), Federal
Networking Council, Security Working Group.

FNC (Federal Networking Council) (1995b) FEDERAL INTERNET SECURITY - A Framework for
Action - Draft, Federal Networking Council, Security Working Group.

Hartmann, A. (1995) "Comprehensive Information Technology Security: A New Approach to Respond
Ethical and Social Issues Surrounding Information Security in the 21st Century", in Information
Security - the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference
on Information Security (Eloff, J.H.P. and Von Solms, H.S., eds.), Chapman and Hall.

Heard, F.T. (1996) "Internet Security Policies and Internet Appropriate Use Policies", Proceedings of
EDPAC 96 Conference, Perth, Australia.

IETF (1991) Site Security Handbook (Holbrook P. and Reynolds, J. eds.), IETF RFC 1244.

Kohl, U. (1995) "From Social Requirements to Technical Solutions - Bridging the Gap with User-
Oriented Data Security", in Information Security - the Next Decade, IFIP/Sec '95, Proc. of the IFIP
TC11 Eleventh International Conference on Information Security (Eloff, J.H.P. and Von Solms, H.S.,
eds.), Chapman and Hall.

Lawrence, E., Murry, J. and Tidwell, A. (1996) "Cyberpresence Strategies for Business Executives" in
Proceedings AUSWEB 96, Australia.

Lichtenstein, S. (1996a) "Internet Acceptable Usage Policy", Computer Audit Update, Elsevier
Advanced Technology, UK, December.

Lichtenstein, S. (1996b) "Internet Security Policy: a Holistic and Organisational Approach",
Proceedings of 2nd Joint Conference AUUG 96/APWWW (Bossomaier, T. and Chubb, L., eds.),
AUUG'96 and Asia Pacific World Wide Web, World Congress Centre, Melbourne, Australia.

Lichtenstein, S. (1996c) Internet Acceptable Usage Policy: Human Issues, Working Paper 10/96,
Department of Information Systems, Monash University, Melbourne, Australia.

Lichtenstein, S. (1997) "Developing Internet Security Policy for Organisations", in Proceedings of the
Thirtieth Annual Hawaii International Conference on Systems Sciences (Nunamaker, J.F. and
Sprague, R.H., eds), Hawaii, IEEE Computer Society Press, Los Alamitos, California.

Lichtenstein, S. and Swatman, P.M.C. (1997) “Internet Acceptable Usage Policy: Arguments and
Perils”, in Proceedings of PAWEC’97 (Swatman, P.M.C, Swatman, P. and Cooper, J., eds), Brisbane,
Australia.

Logan, M. and Logan, R. (1996) "Alignment: How to do Business on the Internet" in Proceedings
INET 96.

Logan, R. (1995) The Fifth Language, Toronto: Stoddart.

Mathieu, R.G. and Woodard, R.L. (1995) "Data integrity and the Internet: implications for
management", Information Management & Computer Security, Vol. 3 No. 2.

Miers, D. and Hutton, G. (1996) "The Strategic Challenges of Electronic Commerce", Enix Consulting
Limited, UK.

Nance, K.L. and Strohmaier, M. (1995) "Ethical Information Security in a Cross-Cultural
Environment", in Information Security - the Next Decade, IFIP/Sec '95, Proc. of the IFIP TC11
Eleventh International Conference on Information Security (Eloff, J.H.P. and Von Solms, H.S., eds.),
Chapman and Hall.

NASA (1996) NASA Internet Acceptable Usage Policy, NASA, US.

NIIAC (1995) Commentary on the Privacy and Related Security Principles, Mega Project III of the
National Information Infrastructure Advisory Council, US.

NIST (1994a) Reducing the Risks of Internet Connection and Use, Computer Systems Laboratory
Bulletin, US.

NIST (1996) The World Wide Web: Managing Security Risks, Computer Systems Laboratory Bulletin,
US.

NSFNET (1992) The NSFNET Backbone Services Acceptable Use Policy,
http://www.haystack.edu/ysp/computer/nsfnet.html, June, 1992 (Accessed Oct 18th, 1996).

Oliver, R. W. (1997) “Corporate Policies for Electronic Commerce”, in Proceedings of the Thirtieth
Annual Hawaii International Conference on Systems Sciences (Nunamaker, J.F. and Sprague, R.H.,
eds.), Hawaii, IEEE Computer Society Press, Los Alamitos, California.

Olson, I.M. and Abrams, M.D. (1995) "Information Security Policy", in Information Security - an
Integrated Collection of Essays (Abrams, M.D., Jajodia, S. and Podell, H.J., eds.), IEEE Computer
Society Press, Los Alamitos, California.

Pethia, R., Crocker, S. and Fraser, B. (1991) Guidelines for the Secure Operation of the Internet,
IETF RFC1281.

Poon, S. and Swatman, P.M.C. (1995) ‘The Internet for Small Businesses: an enabling infrastructure
for competitiveness’. Proceedings of the Fifth Internet Society Conference, Hawaii, 221-231 (Jun).

Poon, S. and Swatman, P.M.C. (1996) ‘Electronic Networking Among Small Business in Australia -
An Exploratory Study’ in Swatman P.M.C., Gricar J. and Novak J. (Eds.) (1996) Electronic
Commerce for Trade Efficiency and Effectiveness – Proceedings of the Ninth International Conference
on EDI-IOS, Bled, Slovenia, June 10-12, Moderna Organizacija Kranj, Slovenia, 446-460.

Quelch, J. A. and Klein, L. R. (1996) "The Internet and International Marketing", Sloan Management
Review, Spring.

Rannenberg, K. (1994) "Recent Development in Information Technology Security Evaluation - The
Need for Evaluation Criteria for Multilateral Security", in Proc. Security and Control of Information
Technology in Society (Sizer, R., Yngstrom, L., Kaspersen, H. and Fischer-Hubner, S., eds.), IFIP
Transactions A43, Elsevier Science B.V. (North-Holland).

Stallings, W. (1995) Internet Security Handbook, IDG Books Worldwide, Inc.

TIOcom (1996) Terms and Conditions for User Access and User Services, The Internet Outsourcing
Group,
http://www.tio.com/terms.html, April 27th, 1996, (Accessed October 18th, 1996).

Vanbokkelen, J. (1990) The Internet Oral Tradition, IETF RFC1173.

Wood, C. C. (1995) "Writing InfoSec Policies", Computers & Security, Vol. 14.

Yin R. K. (1989) Case Study Research: Design and Methods, Revised Edition, Sage Publications,
Newbury Park, London.

Yngstrom, L. (1995) "A Holistic Approach to IT Security", in Information Security - the Next Decade,
IFIP/Sec '95, Proc. of the IFIP TC11 Eleventh International Conference on Information Security
(Eloff, J.H.P. and Von Solms, H.S., eds.), Chapman and Hall.
