Readability as Lever for Employees’ Compliance With Information Security Policies 

Download Article Article in Digital Form

Information security policies are part of the internal formal regulatory framework for information security and thereby part of an organisation’s information security governance. The purpose of information security policies (policies that involve guidelines and requirements) is to guide decisions and actions within the organisation towards a desired outcome. These policies are understood to be principles or rules that inform, enable and obligate. Therefore, people, not policies, ensure the appropriate and adequate level of security for systems, infrastructure and data.

Employees are frequently identified as the key vulnerability to a company’s information security and a cause of numerous security incidents.1 However, employees can comply only with policies they understand. Readability is key to understanding policies and it is dependent on the education of the target audience—all employees with access to technology, in this case.

Impact of Security Policies

Despite the pivotal role that security policies have on auditing information security compliance and on the design and operation of information systems, relatively little effort is invested in the evaluation and assessment of the policies themselves. Information security policies are less frequently the focus of internal auditor examinations than the information systems, processes and controls designed according to these policies.

Security policies are important for design decisions regarding infrastructure, systems and processes of IT. They describe control objectives and define standard security measures. Information security policies address constraints on people’s behaviour and processes. Serving as a management tool and internal benchmark for design and operation of information systems, they are firmly rooted in the organisation’s governance framework. Internal and external IT auditors take security policies into account to evaluate compliance of the internal regulatory framework with external norms, standards and general—national and international—regulatory frameworks. While auditing the effectiveness of security measures, auditors usually take into account how consistent the implemented measures are with the security policy requirements.

Information security auditors are highly professional and well-trained personnel. They are practiced in reading and interpreting security policies. Their understanding goes far beyond that of the average employee. There is risk even if things are running well after a first-time roll out of policies. First-wave implementation teams frequently communicate with the creators of policies rather than with the staff who are involved in the established process. Policies in the context of information security effectiveness and compliance may prove to be useful to determine whether the information in the policy reaches its audience; thereby, the policy may avoid ineffective execution of controls. When security incidents occur, the root cause may be the security policy itself, i.e., the fact that the staff has not been able to understand it.

Quality of Information Security Policies

What makes a good information security policy? Its quality, obviously. The term “quality” covers a variety of aspects including relevance, completeness and applicability. For example, in the case of a hard-to-grasp policy that is implemented by experienced and skilled staff, while the result—the realized security level—may be good, it does not provide evidence of the quality of how the policy is written. Rather, the end result is due to the experience and skill of the people who implemented it and, ultimately, compensated for the quality deficits of the hard-to-grasp policy.

The result is, in fact, an assessment of the interaction between policies and people. That is, if information security auditors confirm that controls and security measures are working effectively in compliance with the policy, this must be understood as indirect proof of the working interplay of the security policy and the people in charge at that time. In the opposite case, ineffective or inadequate controls and security measures may directly indicate a not-so-good policy.

The matter of the policy is not necessarily the issue here. The cause for an inaccurate implementation of measures may be the incorrect interpretation of the security policy, or even no understanding of it at all. An evaluation of the policy itself can deliver certainty about whether the text transports the obligation, and it gives auditors—and governance officers—an insight into what measures are necessary to improve the status quo.

One must focus on policies’ readability and comprehensibility. How can authors—and auditors evaluating policies under the aspect of effectiveness—determine whether a policy is appropriate for those employees who will have to implement and conduct it? Is it possible to tailor the text to a target audience? Are there metrics for this purpose?

Typical Metrics for Information Security Policies

What metrics help to evaluate the quality of an information security policy in the course of an audit or self-assessment? Typical metrics2 that are used to assess and evaluate information security policies relate to the following issues, among others (figure 1):

Figure 1

  • Dissemination of the policies in the company
  • Application of policies in various divisions
  • Awareness of the policies
  • Exceptions to the policies
  • Timeliness and update mode

Appropriate metrics from figure 1 may be selected, by auditors assessing the evaluation of the adequacy and effectiveness of controls (not the security policy as such) according to the specific audit goals. These metrics are often derived using the goal question paradigm (GQP), a methodology that makes it possible to establish a link between the company’s objectives and performance indicators (e.g., metrics).3

There are, however, some critics of these metrics. Companies should strive to reach a sound understanding of security policies in order to assure their effective implementation. Thus, the standard approach is security instruction once a year (e.g., formally documented in employees’ signature lists) that is sometimes followed by a multiple-choice comprehension test. This measure has flaws. It addresses only the very basic knowledge needs of a general audience, i.e., staff, management, auditors. It does not, however, reflect the complexity of the internal regulatory framework.

What do people need to adopt the more complex content of security policies? One component is simply understanding the text. Is there a way to measurably improve?

Readability Metrics

Details on how the information security policies should be amended to improve their effectiveness can be derived from the metrics that relate to their inherent properties: the text, its readability and reading ease. The presumption is that if the policy is not understood or its content is difficult to read, the policy will either not be applied or will be applied poorly. Readability and reading-ease metrics make it possible to assess how easy it is to understand the document.

The readability metrics may be used to assess (lexical) reading ease of the information security policy. The readability index (or score) is measured by means of statistical text analysis consisting of several measurements, such as length of sentences, number of syllables, and number of words with three or more syllables. This metric says that the longer the text, the longer the sentence, or the more words with more than three syllables, the harder it is to understand the text. That is, the higher the reading-ease index, the easier it is to understand the document.

The most widely used reading-ease index is the Flesch Reading Ease Index,4 which can be calculated according to the following formula:

FI = 206.835 - (1.015 x ASL) - (84.6 x ASW)
FI = Flesch Reading Ease readability score
ASL = Average sentence length in words (average number of words in a sentence, calculated by dividing the number of words by the number of sentences)
ASW = Average syllables per word (the number of syllables divided by the number of words)

Figure 2The calculated score—the obtained Flesch Index—based on the statistical text analysis is mapped to the standardised values indicating the readability level. The index is typically a number between 0 and 100, but values may also occur beyond these limits (see figure 2).

Who Understands the Security Policy

Evaluating the Flesch Index of the information security policy may help to assess how difficult it is to read and understand the document. Consequently, if the text is difficult to read, auditors may suggest formulating it in a less complex way (e.g., introducing shorter sentences, fewer long words), so that it is easier to read in general.

Reading ease is, however, only one aspect of security policy readability. Another aspect is the question of whether the reading ease of the policy meets the demands of the target group to which it is addressed. The readability level metrics may be used to answer this question.

The popular Flesch-Kincaid Grade Level Index may be utilised as a metrics of readability level. The test is based on a score created by Rudolf Flesch and later enhanced by John P. Kincaid. It maps the Flesch Index to US grade levels. It can also mean the number of years of education generally required to understand the text. It is used by the US Department of Defense as a standard test, required for all kinds of internal requirements and instructions.5

Figure 3This score analyses and rates text on a US grade school level based on the average number of syllables per word and words per sentence (like the Flesch Index). For example, a score of 60.0 means that an average student in eighth grade would understand the text (figure 3).

The education required to understand a document of a specific Flesch Index is different from country to country.

Closing Remarks

If, for example, the calculated Flesch Index for the information security policy is below the value of 20, its reading ease would correspond with that of a professional essay or doctoral thesis. This is obviously inappropriate if the particular policy is aimed at the average employee whose areas of expertise do not include information security.

Furthermore, many executives and experts do not have the time for a thorough study of administrative matters, such as security policies. This group also benefits from the reading ease that comes with a high Flesch Index. “Time is money” is also true in the case of understanding security policies. It takes much less time to read and understand a document that is easy to read (e.g., has a higher reading-ease index) than to study a text with a reading-ease index indicating research essay qualities.

By appropriate linguistic revision of the text, the reading ease for these polices can be improved and, in turn, the level of security in an organisation is improved.

Metrics for information security policies can be used to assess the quality and effectiveness of the document, i.e., how easy it is to be understood and consequently the requirements to be followed. Additionally, metrics concerning the level of distribution, implementation, timeliness or awareness can be utilised for monitoring exceptions from security policies and the grade of compliance organisations achieve when implementing policies.


1 Independent Oracle Users Group (IOUG), Closing the Security Gap: 2012 IOUG Enterprise Data Security Survey,
2 For examples of typical security metrics and maturity models, see: Chapin, A.; S Akridge; “How Can Security Be Measured?,” Information Systems Control Journal, vol. 2, 2005,
3 Sowa, A.; S. Fedtke; Metriken—der Schlüssel zum erfolgreichen Security und Compliance Monitoring: Design, Implementierung und Validierung in der Praxis, Vieweg Springer, 2011
4 The test is based on a score created in the 1940s by Austrian-born American author Rudolf Flesch. The formula to compute the Flesch Index is one of the best known and most popular for readability indicators. However, the formulas differ for different languages. The formula provided here is true only for English documents.
5 Hayden, L.: IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data, McGraw-Hill Professional, USA, 2010

Franz-Ernst Ammann, Ph.D., is employed by Deutsche Telekom AG. Ammann previously worked in IT strategy and conducted related assessments on the German Act to Modernize Accounting Law (BilMoG).

Aleksandra Sowa, Ph.D., ITCM, is employed by Deutsche Telekom AG. Sowa initiated the Horst Görtz Institute for Security in Information Technology, a European university-based institution for interdisciplinary research in the field of IT security, and worked as an auditor in the financial services industry.

Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.