Actionability in Information Security Policies
About this project
Project information
Project status
In progress 2024 - 2025
Organisations cannot sustain a good information security posture using technical controls only - human behaviour plays a critical role too. Employees are guided by operational information security policies that they must comply with in their daily work. Existing research has long emphasized the importance of clear and understandable information security policies in which employees are provided with actionable advice. One solution suggested in style guidelines for writing information security policies is to use keywords to ensure that pieces of actionable advice are “useable” for employees.
The aim of this project is to investigate the extent to which existing operational information security policies provide actionable advice through the use of specific keywords. It also seeks to propose quality metrics for measuring the quality of keyword usage in information security policies. Additionally, the project involves a cross-country comparison of information security policies to explore potential differences in the use of keywords in actionable advice, if any. Such a comparison will provide insights into variations in policy language, communication styles, and information security management priorities across different countries. The findings can guide the development of tailored information security policies that address the diverse expectations of employees in different countries while maintaining global consistency in information security management. This research has the potential to significantly contribute to the field of information security management by highlighting how the strategic use of keywords can enhance the effectiveness of information security policies, ultimately supporting multinational organisations in fostering secure environments worldwide.