ISACA Journal
Volume 2, 2014

Features 

Security Policy—Keys to Successful Communication 

James Baird, CISM, CISSP, ISO 27001 LI, ITIL (F) 

There is an axiom for authors that states that to be a successful writer, one must know the reader. That is to say, when writing something that others will read, and presumably comprehend, the style and content should be delivered in a way that is acceptable to and accessible by the consumer of the written output. For instance, a doctoral thesis should not be written at a child’s reading level, but in the language and style of someone who has consumed materials written by other advanced academics. Similarly, someone browsing a grade-school library would be unlikely to find a tome on advanced concepts in astrophysics, molecular biology or cryptology, but rather books with concepts and information at the comprehension level of primary-school students.

When writing security policies, it is difficult to communicate advanced concepts such as cryptographic standards and discretionary access controls without using terminology that is foreign to many in today’s workforce. A common approach to aid the reader’s comprehension is to provide a reference list or a glossary where the reader can look up definitions of the concepts and terminology used. However, leaving readers to find their own answers is problematic, since it is not uncommon for definitions to use other terms that are equally foreign to the reader. At the core, the problem is not the reader; it is the policy and the style and comprehension level used to compose the message.

Reading Level is Important

From an information security governance and risk management perspective, it is insufficient to provide a three-ring binder stuffed with policies and handouts to a room full of new employees with the expectation that they will internalize the content to a sufficient extent after an hour-long orientation. ISO 27002 stresses that “an adequate level of awareness, education, and training in security procedures” must be provided and that employees, contractors and third parties “are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems.”1 Even when periodic policy updates are publicized to employees, little guidance is offered to the employee to understand the new policy or how it interacts with other policies. Ultimately, the employee is left to his/her own devices to discover the relevant portions of a policy, read and then understand the contents lest he/she suffer the consequences of noncompliance. This effort would be largely successful if policies were written in such a way as to facilitate understanding from the policy audience at large. Instead, many are written at reading levels that surpass the ability of the average employee to comprehend.

A study performed in 2010 by researchers of the School Renaissance Institute and Touchstone Applied Science Associates on two million school students showed that “for the most effective reading practice, students should read material that presents the right level of difficulty.”2 This advice is offered as the best way for students who are learning reading strategies to improve their ability to read. It also shows that readers comprehend written information best when it is written at their reading level.

In the 1950s, when G. R. Klare and B. Buck wrote Know Your Reader: The Scientific Approach to Readability,3 only 34 percent of the US population had earned a high-school diploma (or its equivalent) and only 6 percent of the population achieved a post-secondary degree.4 Klare and Buck found that the average adult read at the ninth-grade level and that recreational reading was best enjoyed when written at two full grade levels below that benchmark.

Figure 1

US Census Bureau data from 2010 showed improvement in the educational attainment of the US population. This research shows that high-school completion rates in the general population increased to 87 percent and post-secondary education increased to 30 percent.5 Additional research from the National Center for Higher Education Management Systems (NCHEMS) found that 74.9 percent of the total population in the active US workforce graduated from high school, while only about 10 percent more went on to achieve a bachelor’s degree.6 This leads to the conclusion that approximately 75 percent of the self-reporting workforce had no greater than a 12th-grade education (figure 1).

Combining Klare and Buck’s conclusions on reading levels with the educational-attainment research performed by NCHEMS, the data appear to show that reading comprehension for the majority of the current US workforce lies somewhere below the 12th-grade level. Following Klare and Buck further, it may be concluded that corporate communication such as a security policy must, to be successful, appeal to and be consumable by a reader two grade levels below the highest grade level attained: the average 10th- to 12th-grade high-school student.

Word Lists

Figure 2

One way to judge the potential for writing understandable policy based on comprehension is to look at lists of the most frequently used words in the native language. The use of frequency lists as a predictor of reading ease has been popular since Hellenic times (more than 2,000 years ago).7 The compilation and use of word frequency lists by psychologist Edward Thorndike and others suggests that the more common the word (frequent in usage), the more of the population can understand and interpret its meaning.8 This concept was demonstrated with humor recently in the www.xkcd.com webcomic when artist Randall Munroe decided to label his drawing of the Saturn V rocket using only the 1,000 most frequently used words from the contemporary-fiction word-frequency list on Wiktionary.9 His was an attempt both to expand the audience for his drawing and to show how much technical and advanced language is used in explaining scientific concepts. The result of his endeavor is a cartoon drawing titled “Up-Goer Five.”10

This cartoon is interesting in that it took scientific terms and language that are not found in the truncated contemporary word list and replaced them with more common equivalents. Thus, “capsule” becomes “people box” and “rocket” becomes “flying space car.” It is absurdity pushed to its limit, but like most good satire, it has a purpose.

Roadblocks to Comprehension

A common complaint about many security policies in technical fields is that they are littered with concepts that are foreign to outsiders. Acronyms and abbreviations in particular are known to be barriers to understanding.11 An additional burden is borne by those for whom the language used in the policy is not in their native tongue and others whose fluency in the language is limited. According to research, fluency is an important and potentially independent factor that contributes to comprehension skills.12 When trying to relay a concept such as a policy statement, the language used must be acceptable to the communicator and those who will need to understand the information presented. Fluency in technical jargon, such as acronyms and industry concepts, cannot be assumed.

Testing the Message

The contemporary-fiction word-frequency list used by Munroe was also used by Theo Sanderson13 to create an online text editor14 that is named after the Up-Goer Five comic. This online text editor draws attention to those words that are not included in the frequency list and helps writers choose alternate words that may be used as a substitute.

A potentially useful approach to determine whether a message will be understood by its audience is to use the Up-Goer Five text editor to analyze the words in the message and identify those that may not be understood by the average worker.

The following test, using the “Personal Communication Devices and Voicemail Policy” from SANS, serves as an example.15 This policy statement is consistent with the type of message that might be included in a company’s bring your own device (BYOD) statement, designed to instruct the layperson on the appropriateness of personal communications gear in the workplace. It is the kind of message that should be well understood by the entire working population and should therefore be written at a reading level accessible to the majority of that population.

In this test, the following subsection of the policy was used:

Personal Communication Devices (PCDs) will be issued only to personnel with duties that require them to be in immediate and frequent contact when they are away from their normal work locations. For the purpose of this policy, PCDs are defined to include handheld wireless devices, cellular telephones, laptop wireless cards and pagers. Effective distribution of the various technological devices must be limited to persons for whom the productivity gained is appropriate in relation to the costs incurred.

Handheld wireless devices may be issued, for operational efficiency, to personnel who need to conduct immediate, critical business. These individuals generally are at the executive and management level. In addition to verbal contact, it is necessary that they have the capability to review and have documented responses to critical issues.16

The policy text used in the test contained 134 words in total, including one acronym used twice. Of that set of words, 64 (48 percent) were not listed in the top 1,000 frequently used words list.

The research from NCHEMS showed that three-fourths of US workers have only a high-school education. Based on that research, it can be concluded from this test that 48 percent of the SANS policy would not be readily understood by 75 percent of the typical US workforce.17

Using another example, the Microsoft Support web site includes instructional text titled “Description of the Automatic-updates Feature in Windows.”18 This text is intended to be understood by the average computer user with no assumed technical knowledge. Microsoft designed the text to inform the user of how to configure the Windows operating system correctly so that it installs security updates. Without this configuration, “herd immunity”19 against hackers and malicious code cannot be achieved. More specifically, an incorrectly configured system will fail to protect an individual user against significant malicious attacks from the untrusted Internet. This is a very important message to deliver to a large population, one with widely varying understanding of technology and advanced threats.

When the Microsoft support document was run through the Up-Goer Five text editor, 71 of the 231 words sampled (31 percent) were not on the 1,000-word list and, by the same reasoning applied to the NCHEMS data above, would not be accessible to most of the workforce. That means that roughly one-third of the words were beyond the average consumer’s reading level.

As a demonstration, the following excerpt shows the text with the words not found in the list obfuscated, while the rest of the text is left intact. This shows where confusion may lead to assumptions and guessing, not something sought after when instructing users on a topic as important as this.

The +++++++++ +++++++ +++++++ is +++++++ with Windows 7, Windows +++++ and Windows XP. With the +++++++++ +++++++ +++++++, Windows can +++++++++++++ keep the computer up to date with the latest +++++++ and ++++++++++++. You no longer have to search for ++++++++ +++++++ and +++++++++++; Windows ++++++++ them ++++++++ to the computer. Windows recognizes when you are ++++++ and uses your ++++++++ ++++++++++ to search for +++++++++ from the Windows ++++++ +++ ++++ or from the Microsoft ++++++ +++ ++++. An ++++ appears in the ++++++++++++ area every time new +++++++ are +++++++++.

You can +++++++ how and when you want Windows to ++++++ the computer. For +++++++, you can set up Windows to +++++++++++++ ++++++++ and +++++++ +++++++ on a ++++++++ that you +++++++. Or, you can have Windows ++++++ you ++++++++ it finds +++++++ +++++++++ for the computer. Windows will then ++++++++ the +++++++ in the ++++++++++. This lets you continue to work +++++++++++++. After the ++++++++ is complete, an ++++ appears in the ++++++++++++ area with a +++++++ that the +++++++ are ready to be +++++++++. When you +++++ the ++++ or +++++++, you can +++++++ the new +++++++ in several simple steps. If you do not +++++++ a ++++++++ ++++++ that has been ++++++++++, Windows +++++++ its +++++ from the computer. If you change your mind later, you can ++++++++ the ++++++ again by +++++++++ ++++++++ +++++++.20

The SANS and Microsoft examples were not chosen to expose weaknesses in those documents, but to make the observation that constructing well-understood and comprehensible policies and policy statements is difficult.
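The check performed above by the Up-Goer Five text editor (count the words that are not on a frequency list, flag acronyms, and mask the out-of-list words with runs of “+”) is simple enough to script, so that a policy draft can be tested offline before it is published. The following Python script is an added illustration written for this page; it is not code from the article, from Theo Sanderson’s editor or from SANS. The COMMON_WORDS allow-list is a constructed stand-in of a few dozen very common words, so the counts it reports differ from the article’s figures, which were produced against the full 1,000-word Wiktionary list; load_word_list() assumes that list has been saved as one word per line. The sample input is the first sentence of the SANS excerpt quoted above.

```python
"""Up-Goer-style vocabulary check for a policy excerpt (added example)."""
import re
from dataclasses import dataclass, field

# Constructed, illustrative allow-list of common words. It stands in for the
# 1,000-word Wiktionary contemporary-fiction list used by the article; load
# the real list with load_word_list() to reproduce the article's numbers.
COMMON_WORDS = frozenset("""
the a an and or of to in on for with is are be will can may you your it its
this that these those they them their he she his her we our when where how
what which who only not no do does have has had if new up down out over from
by at as more most other some all people work time use must should need keep
computer search find set date latest any every each than then later again
mind change continue several simple steps area ready
""".split())

TOKEN_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")  # "don't" is one word; hyphens split
ACRONYM_RE = re.compile(r"[A-Z]{2,}s?")              # PCD, PCDs, XP, BYOD


def load_word_list(path):
    """Load a frequency list saved as one word per line (assumed format)."""
    with open(path, encoding="utf-8") as fh:
        return frozenset(line.split()[0].lower() for line in fh if line.strip())


@dataclass
class Report:
    total: int                      # words examined
    unknown: int                    # words not on the list
    unknown_words: list = field(default_factory=list)
    acronyms: list = field(default_factory=list)
    obfuscated: str = ""

    @property
    def unknown_fraction(self):
        return self.unknown / self.total if self.total else 0.0


def analyze(text, word_list=COMMON_WORDS):
    """Case-insensitive membership test against word_list; no stemming."""
    tokens = TOKEN_RE.findall(text)
    unknown = [t for t in tokens if t.lower() not in word_list]
    acronyms = sorted({t for t in tokens if ACRONYM_RE.fullmatch(t)})

    def mask(match):
        word = match.group(0)
        return word if word.lower() in word_list else "+" * len(word)

    # Length-preserving mask so the shape of the sentence survives, as in
    # the article's excerpt.
    return Report(len(tokens), len(unknown), unknown, acronyms,
                  TOKEN_RE.sub(mask, text))


# First sentence of the SANS policy excerpt quoted in the article.
SAMPLE_POLICY = (
    "Personal Communication Devices (PCDs) will be issued only to personnel "
    "with duties that require them to be in immediate and frequent contact "
    "when they are away from their normal work locations."
)

if __name__ == "__main__":
    report = analyze(SAMPLE_POLICY)
    print(f"{report.unknown} of {report.total} words "
          f"({report.unknown_fraction:.0%}) are off the list")
    print("acronyms:", ", ".join(report.acronyms) or "none")
    print(report.obfuscated)
```

Two caveats matter in practice. The membership test is exact, so an inflected form such as “devices” is off the list even if “device” is on it; either add inflections to the list or stem both sides before comparing. And an acronym that is defined in the policy (“PCDs” above) is still counted as an unknown word, which matches the article’s test but may be too strict once a glossary is attached.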

Recommendations

When drafting a security policy—or any communication sent out to a large heterogeneous population—the following steps are recommended:

  • Consider the audience. Levels of comprehension will differ among an audience of highly educated individuals and groups without the benefit of post-secondary education. Non-native speakers of the language may have more difficulty with not only the words used, but also with how they are used. It might be useful to use multiple communications, each tailored to fit a different audience.
  • Write policy statements that are accessible. There are many books on writing styles and the Up-Goer Five text editor is only one example of the kind of tool that should be in every policy writer’s toolbox.
  • Create a review board from various parts of the company. Entertain comments from the group on the approach, style, word usage and complexity of the document.
  • Create a glossary and include it in the policy. Research has shown that vocabulary is the single best predictor of comprehension ability.21 If words or acronyms that may not be understood by the target population must be included in the policy, define them in the policy. This gives the readers the ability to resolve their own potential questions and helps to grow the comprehension for the entire organization. It is important that the definitions used for a term or concept do not use other terms or concepts that may cause further gaps in understanding.
  • Measure compliance. Create tests or scenarios to test for policy comprehension. Adjust wording or style according to the results of the tests.

Conclusion

The selection of words can be a strong indicator as to the ability for readers to comprehend the idea behind a message such as a policy statement. Studies show that there are multiple variables that influence the ability for readers to understand and internalize information they read. Some factors include the reader (his/her cultural background and environmental influences), the reader’s fluency with the language used and the ability of the reader to use a variety of reading strategies to accomplish a purpose for reading (strategic reading).22

Writing policy for diverse audiences is challenging. The security policy is surely one of the more difficult documents to write for general consumption: it must be read and understood by staff at all levels of the organization, and compliance with it must be measured. Without measuring compliance, it is not possible to determine with any accuracy how effective the statements written in the policy are.

While checking text against the 1,000 most frequently used words is not a scientifically rigorous approach, it is useful for making writers aware of the potential limitations of their audience. Just as colorblindness simulators show the unaffected how those affected see, the Up-Goer Five text editor shows those responsible for communicating where the pitfalls lie in broadcasting their messages to the intended audience.

Endnotes

1 International Organization for Standardization, ISO/IEC 27002:2005(E), 2005, p. 43
2 School Renaissance Institute and Touchstone Applied Science Associates, http://doc.renlearn.com/KMNet/R005577721AC3667.pdf
3 Klare, G. R.; Buck, B.; Know Your Reader: The Scientific Approach to Readability, Hermitage House, USA, 1954
4 US Census Bureau, www.census.gov/hhes/socdemo/education/data/census/half-century/files/US.pdf
5 US Census Bureau, www.census.gov/compendia/statab/2012/tables/12s0229.pdf
6 National Center for Higher Education Management Systems (NCHEMS), http://www.nchems.org/
7 Schmitt, N.; McCarthy, M.; Vocabulary: Description, Acquisition and Pedagogy, Cambridge University Press, USA, 1998
8 DuBay, W.H.; “Unlocking Language: The Classic Readability Studies,” Impact Information, 2007
9 Wiktionary, http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists/Contemporary_fiction
10 xkcd, http://xkcd.com/1133/
11 Kushlan, J. A.; “Use and Abuse of Abbreviations in Technical Communication,” Journal of Child Neurology, 1995
12 Landi, N.; “An Examination of the Relationship Between Reading Comprehension, Higher-level and Lower-level Reading Sub-skills in Adults,” 2 May 2009, Springer, www.haskins.yale.edu/Reprints/HL1546.pdf
13 Sanderson, T.; https://twitter.com/TheoSanderson
14 Sanderson, T.; The Up-Goer Five Text Editor, http://splasho.com/upgoer5/
15 SANS, www.sans.org/security-resources/policies/Personal_Communication_Device.pdf
16 Ibid.
17 Data from areas outside the US were not available for this article.
18 Microsoft, “Description of the Automatic-updates Feature in Windows,” http://support.microsoft.com/kb/294871
19 “Herd immunity” is a term used in medicine to describe a heightened level of protection for those without immunity to vaccine-defensible contagious diseases when a significant portion of the local population (the herd) has been vaccinated. By using software defense mechanisms (e.g., patches, antivirus), one could be “vaccinated” against common Internet ills. When more computers are “vaccinated,” the chance that a computer virus will spread to others is reduced. See also www.niaid.nih.gov/topics/pages/communityimmunity.aspx.
20 Used with permission from Microsoft.
21 Op cit, Landi
22 Anderson, N. J.; Practical English Language Teaching, McGraw Hill, USA, 2003

James Baird, CISM, CISSP, ISO 27001 LI, ITIL (F), has more than 20 years of experience in information technology and the protection of information across many industries and small, medium and large enterprises. Baird is director of compliance and information security for a leading provider of billing and payment software and services.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.