Case study: an evaluation of the comprehensibility of information security policies in a South African bank.
Date
2023
Abstract
Information security policy, and the implementation that follows from it, is seen as pivotal for organisations that want to protect their information both internally and externally. Organisations rely heavily on employees to read and understand the information security policy, including all of its principles, and therefore to comply with it. This study used readability and comprehension tests to assess the policy, analysing the minimum reading level it requires and how many abbreviations and how much jargon it contains. Employees were surveyed to understand the implications of the security policy for them; the study also interviewed staff, asking questions about awareness, ideal ways to eradicate jargon and technical terms, and views on security policy implementation. From this the study derives implications for improvement, including but not limited to the removal of jargon and technical terms. Recommendations are then detailed for policy writers and implementors, together with critical success factors for ISMS managers and security specialists who are tasked with crafting policy, embedding it throughout the organisation and ensuring that staff comply with and adhere to the organisation's information security strategy. A conceptual multidimensional framework that coordinates the significant outcomes identified in the study is also developed, to enable robust information security design and monitoring. Within the context of the study a number of important and noteworthy outcomes were established. Any conceptual framework must provide a dimension that remediates the readability challenges. A further outcome concerns awareness and socialisation/training for policies: respondents did not believe that awareness of information security policies was adequate, and accessibility was viewed as problematic; this was confirmed by the interviews, in which most staff did not know where to locate the information security policy or policies. Respondents did not feel included in the development of policy and its accompanying improvement mechanisms, and consequently any conceptual framework that does not incorporate users is inherently flawed.
Description
Master's degree. University of KwaZulu-Natal, Durban.