Readability as a basis for information security policy assessment

Alkhurayyif, Yazeed; Weir, George R. S.

doi:10.1109/est.2017.8090409

Cited by 6 publications

(4 citation statements)

References 18 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This raised the question of adding understandability as an aspect of the information security principle of Availability. Within the information security field, understandability has been studied from the perspective of understanding and compliance with information security policies (Alkhurayyif and Weir, 2017; Nel and Drevin, 2019), but not from the perspective of being an aspect of availability. In an organization such as the municipality where communication of information to the public is one of the most important tasks, whether the communicated information is understood by the receiver of that information, is directly related to the availability of that information.…”

Section: Discussionmentioning

confidence: 99%

An information classification model for public sector organizations in Sweden: a case study of a Swedish municipality

Bergquist

Tinet

Gao

2021

ICS

View full text Add to dashboard Cite

Purpose The purpose of this study is to create an information classification model that is tailored to suit the specific needs of public sector organizations in Sweden. Design/methodology/approach To address the purpose of this research, a case study in a Swedish municipality was conducted. Data was collected through a mixture of techniques such as literature, document and website review. Empirical data was collected through interviews with 11 employees working within 7 different sections of the municipality. Findings This study resulted in an information classification model that is tailored to the specific needs of Swedish municipalities. In addition, a set of steps for tailoring an information classification model to suit a specific public organization are recommended. The findings also indicate that for a successful information classification it is necessary to educate the employees about the basics of information security and classification and create an understandable and unified information security language. Practical implications This study also highlights that to have a tailored information classification model, it is imperative to understand the value of information and what kind of consequences a violation of established information security principles could have through the perspectives of the employees. Originality/value It is the first of its kind in tailoring an information classification model to the specific needs of a Swedish municipality. The model provided by this study can be used as a tool to facilitate a common ground for classifying information within all Swedish municipalities, thereby contributing the first step toward a Swedish municipal model for information classification.

show abstract

Section: Discussionmentioning

confidence: 99%

An information classification model for public sector organizations in Sweden: a case study of a Swedish municipality

Bergquist

Tinet

Gao

2021

ICS

View full text Add to dashboard Cite

show abstract

“…Work by Alkhurayyif and Weir [13] points to readability metrics for countermeasure text assessment to improve users' compliance to controls. By analyzing cybersecurity protection motivation through the lens of an extended PMT model, this paper has clarified how countermeasure readability influences security intentions.…”

Section: Discussionmentioning

confidence: 99%

“…Yet, earlier work exists and has formed an inspiration for our approach. Alkhurayyif and Weir [13] compared the eight most popular traditional readability metrics against manual human comprehension metrics in information security policies (ISPs) and demonstrated a correlation between human and computer metrics.…”

Section: Readability Of Cybersecurity Countermeasuresmentioning

confidence: 99%

“…Increasing readability could very well be a key to persuading users to implement these cybersecurity controls, as readability positively influences people's understanding of information security policies [13,14]. Several widely used readability formulas can be applied to give feedback on the readability of countermeasures before being exposed to end-users.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

The Effect of Countermeasure Readability on Security Intentions

Smit

Haastrecht

Spruit

2021

JCP

View full text Add to dashboard Cite

Human failure is a primary contributor to successful cyber attacks. For any cybersecurity initiative, it is therefore vital to motivate individuals to implement secure behavior. Research using protection motivation theory (PMT) has given insights into what motivates people to safeguard themselves in cyberspace. Recent PMT results have highlighted the central role of the coping appraisal in the cybersecurity context. In cybersecurity, we cope with threats using countermeasures. Research has shown that countermeasure awareness is a significant antecedent to all coping appraisal elements. Yet, although awareness plays a key role within the PMT framework, it is generally challenging to influence. A factor that is easy to influence is countermeasure readability. Earlier work has shown the impact of readability on understanding and that readability metrics make measuring and improving readability simple. Therefore, our research aims to clarify the relationship between countermeasure readability and security intentions. We propose an extended theoretical framework and investigate its implications using a survey. In line with related studies, results indicate that people are more likely to have favorable security intentions if they are aware of countermeasures and are confident in their ability to implement them. Crucially, the data show that countermeasure readability influences security intentions. Our results imply that cybersecurity professionals can utilize readability metrics to assess and improve the readability of countermeasure texts, providing an actionable avenue towards influencing security intentions.

show abstract