Readability as a basis for information security policy assessment

Alkhurayyif, Yazeed and Weir, George R S; (2017) Readability as a basis for information security policy assessment. In: Seventh IEEE International Conference on Emerging Security Technologies (EST). IEEE, Piscataway, NJ. ISBN 9781538640180 (

Accepted Author Manuscript


Most organisations now impose information security policies (ISPs) or 'conditions of use' agreements upon their employees. The need to ensure that employees are informed and aware of their obligations toward information security is apparent. Less apparent is the correlation between the provision of such policies and their compliance. In this paper, we report our research into the factors that determine the efficacy of information security policies (ISPs). Policies should comprise rules or principles that users can easily understand and follow. Presently, there is no ready mechanism for estimating the likely efficacy of such policies across an organisation. One factor that has a plausible impact upon the comprehensibility of policies is their readability. The present study investigates the effectiveness of applying readability metrics as an indicator of policy comprehensibility. Results from a preliminary study reveal variations in the comprehension test results attributable to the difficulty of the examined policies. The pilot study shows some correlation between the software readability formula results and human comprehension test results and supports our view that readability has an impact upon understanding ISPs. These findings have important implications for users’ compliance with information security policies and suggest that the application of suitably selected readability metrics may allow policy designers to evaluate their draft policies for ease of comprehension prior to policy release. Indeed, there may be grounds for a readability compliance test that future ISPs must satisfy.