Readability as a basis for information security policy assessment

Yazeed Alkhurayyif, George R S Weir

Research output: Chapter in Book/Report/Conference proceedingConference contribution book

1 Citation (Scopus)
28 Downloads (Pure)

Abstract

Most organisations now impose information security policies (ISPs) or 'conditions of use' agreements upon their employees. The need to ensure that employees are informed and aware of their obligations toward information security is apparent. Less apparent is the correlation between the provision of such policies and their compliance.
In this paper, we report our research into the factors that determine the efficacy of information security policies (ISPs). Policies should comprise rules or principles that users can easily understand and follow. Presently, there is no ready mechanism for estimating the likely efficacy of such policies across an organisation. One factor that has a plausible impact upon the comprehensibility of policies is their readability.
The present study investigates the effectiveness of applying readability metrics as an indicator of policy comprehensibility. Results from a preliminary study reveal variations in the comprehension test results attributable to the difficulty of the examined policies. The pilot study shows some correlation between the software readability formula results and human comprehension test results and supports our view that readability has an impact upon understanding ISPs.
These findings have important implications for users’ compliance with information security policies and suggest that the application of suitably selected readability metrics may allow policy designers to evaluate their draft policies for ease of comprehension prior to policy release. Indeed, there may be grounds for a readability compliance test that future ISPs must satisfy.
Original languageEnglish
Title of host publicationSeventh IEEE International Conference on Emerging Security Technologies (EST)
Place of PublicationPiscataway, NJ
PublisherIEEE
Number of pages8
ISBN (Electronic)9781538640180
DOIs
Publication statusPublished - 2 Nov 2017

Keywords

  • information security policy
  • readability
  • compliance
  • information security

Fingerprint Dive into the research topics of 'Readability as a basis for information security policy assessment'. Together they form a unique fingerprint.

  • Cite this

    Alkhurayyif, Y., & Weir, G. R. S. (2017). Readability as a basis for information security policy assessment. In Seventh IEEE International Conference on Emerging Security Technologies (EST) IEEE. https://doi.org/10.1109/EST.2017.8090409