Abstract
Information security policies (ISPs) are an essential type of formal control and must be designed so that employees can easily understand them. Prior studies have recommended including actionable advice; however, it is unclear how such advice should be worded to minimize the scope for interpretation. This study therefore investigates existing ISPs to assess how clear their pieces of actionable advice are and suggests how actionable advice should be worded in order to be clear. A qualitative content analysis of 15 ISPs from public agencies in Sweden was conducted with the aid of the Orange Data Mining software. First, the findings revealed an imbalance between the ISPs: one-third of the ISPs provide over 50% of the analyzed actionable advice. Second, around two-thirds offer advice that is ambiguous and that employees cannot act upon. We therefore recommend that ISP designers exercise caution in their choice of words and keep their word choices consistent throughout the ISP.
Copyright information
© 2023 IFIP International Federation for Information Processing
About this paper
Cite this paper
Rostami, E., Karlsson, F. (2023). A Qualitative Content Analysis of Actionable Advice in Swedish Public Agencies’ Information Security Policies. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2023. IFIP Advances in Information and Communication Technology, vol 674. Springer, Cham. https://doi.org/10.1007/978-3-031-38530-8_13
DOI: https://doi.org/10.1007/978-3-031-38530-8_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38529-2
Online ISBN: 978-3-031-38530-8
eBook Packages: Computer Science (R0)