CEC Theses and Dissertations

Date of Award


Document Type


Degree Name

Doctor of Philosophy in Information Systems (DISS)


Graduate School of Computer and Information Sciences


Maxine S. Cohen

Committee Member

Amon B. Seagull

Committee Member

Constance C. Mussa


Every member of the organization must be involved in proactively and consistently preventing data loss. Implementing a culture of security has proven to be a reliable method of enfranchising employees to embrace security behavior. However, it takes more than education and awareness of policies and directives to effect a culture of security. Research into organizational culture has shown that programs to promote organizational culture - and thus security behavior - are most successful when the organization's values are congruent with employee values. What has not been clear is how to integrate the security values of the organization and its employees in a manner that promotes security culture. This study extended current research related to values and security culture by applying Value Sensitive Design (VSD) methodology to the design of an end user security policy. Through VSD, employee and organizational security values were defined and integrated into the policy. In so doing, the study introduced the concept of value sensitive security policy (VSP) and identified a method for using VSPs to promote a culture of security. At a time when corporate values are playing such a public role in defining the organization, improving security by increasing employee-organization value congruence is both appealing and practical.