Benchmarking Methodology for Information Security Policy (BMISP): Artifact Development and Evaluation

The benchmarking of information security policies has two challenges. Organizations are reluctant to share data regarding information security and no two organizations are identical. In this paper, we attempt to propose an artifact for a benchmarking method of information security policy, which can resolve the above challenges. We employ design science methodology, activity theory and international standards to design the artifact as a proof of concept. The artifact facilitates the implementation of efficient information security policies. Organizations can utilize the artifact to analyze and benchmark information security policies. We illustrate the completeness and reliability of the artifact through a case study using information security policies from six companies.