Case study: an evaluation of the comprehensibility of information security policies in a South African bank.
Date
2023
Abstract
Information security policy and its resultant implementation are seen as pivotal in organisations that want to protect their information both internally and externally. Employees are relied upon heavily to read and understand the information security policy, including all its principles, and therefore to comply with it. The study used readability and comprehension tests to assess the policy, analysing the minimum required reading level and how many abbreviations and jargon terms it contains. Employees were surveyed to understand the implications of the security policy for them; the study also interviewed staff, asking questions on awareness, ideal ways to eradicate jargon and technical terms, and views on security policy implementation. This ultimately directs the implications for improvements to be made, including but not limited to the removal of jargon and technical terms. Further to this, recommendations are detailed for policy writers and implementers, as well as critical success factors for ISMS managers and security specialists who are tasked with crafting policy, embedding it throughout the organisation, and ensuring that staff comply with and adhere to the organisational information security strategy. A conceptual multidimensional framework that coordinates the significant outcomes identified in the study is also developed, to enable robust information security design and monitoring. Within the context of the study, a number of important and noteworthy outcomes have been established. Any conceptual framework must provide a dimension to remediate the readability challenges. The other established outcome pertains to awareness and socialisation/training on policies: respondents did not believe awareness of information security policies was adequate, and accessibility was viewed as problematic; this was confirmed by the interviews, in which most staff did not know where to locate the information security policy or policies.
Respondents did not feel included in the development of policy and the accompanying improvement mechanisms; consequently, any conceptual framework that does not incorporate users is inherently flawed.
Description
Masters Degree. University of KwaZulu-Natal, Durban.
DOI
https://doi.org/10.29086/10413/22589