What can we learn from the analysis of information security policies? The case of UK’s schools

Martin Sparrius; Moufida Sadok; Peter Bednar

doi:10.1007/978-3-030-81111-2_7

What can we learn from the analysis of information security policies? The case of UK’s schools

Martin Sparrius, Moufida Sadok^*, Peter Bednar

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

70 Downloads (Pure)

Abstract

Security standards consider that developing a security policy is a cornerstone in information security management. In practice, the development of a security policy is contextually dependent and there is no agreement on what organisations should include in their security policies. This paper argues that analysing information security policy documents could potentially provide new insights into existing issues with security practices. The paper explores and analyses the content and form of 100 UK schools’ information security policies to assess their scope and accessibility. The key findings show that the content varied widely between schools but tended to have a technical focus, many security policies had not been updated to address changes to work practices due to the Covid-19 situation and many policies have poor readability scores preventing readers from engaging with them.

Original language	English
Title of host publication	Human Aspects of Information Security and Assurance - 15th IFIP WG 11.12 International Symposium, HAISA 2021, 2021, Proceedings
Editors	Steven Furnell, Nathan Clarke
Publisher	Springer
Pages	81-90
Number of pages	10
ISBN (Electronic)	9783030811112
ISBN (Print)	9783030811105
DOIs	https://doi.org/10.1007/978-3-030-81111-2_7
Publication status	Published - 8 Jul 2021
Event	15th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2021 - Virtual, Online Duration: 7 Jul 2021 → 9 Jul 2021

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	613
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	15th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2021
City	Virtual, Online
Period	7/07/21 → 9/07/21

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 7 Affordable and Clean Energy
SDG 9 Industry, Innovation, and Infrastructure
SDG 12 Responsible Consumption and Production

Keywords

Covid-19
information security
information security policy
ISO 27002
readability score
UK schools

Access to Document

10.1007/978-3-030-81111-2_7

HAISA_2021_Paper_26_Final_version
This is a post-peer-review, pre-copyedit version of an article published in Sparrius M., Sadok M., Bednar P. (2021) What Can We Learn from the Analysis of Information Security Policies? The Case of UK’s Schools. In: Furnell S., Clarke N. (eds) Human Aspects of Information Security and Assurance. HAISA 2021. IFIP Advances in Information and Communication Technology, vol 613. The final authenticated version is available online at: https://doi.org/10.1007/978-3-030-81111-2_7.
Accepted author manuscript (Post-print), 226 KB

Cite this

Sparrius, M., Sadok, M., & Bednar, P. (2021). What can we learn from the analysis of information security policies? The case of UK’s schools. In S. Furnell, & N. Clarke (Eds.), Human Aspects of Information Security and Assurance - 15th IFIP WG 11.12 International Symposium, HAISA 2021, 2021, Proceedings (pp. 81-90). (IFIP Advances in Information and Communication Technology; Vol. 613). Springer. https://doi.org/10.1007/978-3-030-81111-2_7

Sparrius, Martin ; Sadok, Moufida ; Bednar, Peter. / What can we learn from the analysis of information security policies? The case of UK’s schools. Human Aspects of Information Security and Assurance - 15th IFIP WG 11.12 International Symposium, HAISA 2021, 2021, Proceedings. editor / Steven Furnell ; Nathan Clarke. Springer, 2021. pp. 81-90 (IFIP Advances in Information and Communication Technology).

@inproceedings{251247089ebf4f0eac5d0428ffbead80,

title = "What can we learn from the analysis of information security policies? The case of UK{\textquoteright}s schools",

abstract = "Security standards consider that developing a security policy is a cornerstone in information security management. In practice, the development of a security policy is contextually dependent and there is no agreement on what organisations should include in their security policies. This paper argues that analysing information security policy documents could potentially provide new insights into existing issues with security practices. The paper explores and analyses the content and form of 100 UK schools{\textquoteright} information security policies to assess their scope and accessibility. The key findings show that the content varied widely between schools but tended to have a technical focus, many security policies had not been updated to address changes to work practices due to the Covid-19 situation and many policies have poor readability scores preventing readers from engaging with them.",

keywords = "Covid-19, information security, information security policy, ISO 27002, readability score, UK schools",

author = "Martin Sparrius and Moufida Sadok and Peter Bednar",

year = "2021",

month = jul,

day = "8",

doi = "10.1007/978-3-030-81111-2\_7",

language = "English",

isbn = "9783030811105",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer",

pages = "81--90",

editor = "Steven Furnell and Nathan Clarke",

booktitle = "Human Aspects of Information Security and Assurance - 15th IFIP WG 11.12 International Symposium, HAISA 2021, 2021, Proceedings",

address = "Netherlands",

note = "15th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2021 ; Conference date: 07-07-2021 Through 09-07-2021",

}

Sparrius, M , Sadok, M & Bednar, P 2021, What can we learn from the analysis of information security policies? The case of UK’s schools. in S Furnell & N Clarke (eds), Human Aspects of Information Security and Assurance - 15th IFIP WG 11.12 International Symposium, HAISA 2021, 2021, Proceedings. IFIP Advances in Information and Communication Technology, vol. 613, Springer, pp. 81-90, 15th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2021, Virtual, Online, 7/07/21. https://doi.org/10.1007/978-3-030-81111-2_7

What can we learn from the analysis of information security policies? The case of UK’s schools. / Sparrius, Martin ; Sadok, Moufida ; Bednar, Peter.
Human Aspects of Information Security and Assurance - 15th IFIP WG 11.12 International Symposium, HAISA 2021, 2021, Proceedings. ed. / Steven Furnell; Nathan Clarke. Springer, 2021. p. 81-90 (IFIP Advances in Information and Communication Technology; Vol. 613).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - What can we learn from the analysis of information security policies? The case of UK’s schools

AU - Sparrius, Martin

AU - Sadok, Moufida

AU - Bednar, Peter

PY - 2021/7/8

Y1 - 2021/7/8

N2 - Security standards consider that developing a security policy is a cornerstone in information security management. In practice, the development of a security policy is contextually dependent and there is no agreement on what organisations should include in their security policies. This paper argues that analysing information security policy documents could potentially provide new insights into existing issues with security practices. The paper explores and analyses the content and form of 100 UK schools’ information security policies to assess their scope and accessibility. The key findings show that the content varied widely between schools but tended to have a technical focus, many security policies had not been updated to address changes to work practices due to the Covid-19 situation and many policies have poor readability scores preventing readers from engaging with them.

AB - Security standards consider that developing a security policy is a cornerstone in information security management. In practice, the development of a security policy is contextually dependent and there is no agreement on what organisations should include in their security policies. This paper argues that analysing information security policy documents could potentially provide new insights into existing issues with security practices. The paper explores and analyses the content and form of 100 UK schools’ information security policies to assess their scope and accessibility. The key findings show that the content varied widely between schools but tended to have a technical focus, many security policies had not been updated to address changes to work practices due to the Covid-19 situation and many policies have poor readability scores preventing readers from engaging with them.

KW - Covid-19

KW - information security

KW - information security policy

KW - ISO 27002

KW - readability score

KW - UK schools

UR - https://www.scopus.com/pages/publications/85112287570

U2 - 10.1007/978-3-030-81111-2_7

DO - 10.1007/978-3-030-81111-2_7

M3 - Conference contribution

AN - SCOPUS:85112287570

SN - 9783030811105

T3 - IFIP Advances in Information and Communication Technology

SP - 81

EP - 90

BT - Human Aspects of Information Security and Assurance - 15th IFIP WG 11.12 International Symposium, HAISA 2021, 2021, Proceedings

A2 - Furnell, Steven

A2 - Clarke, Nathan

PB - Springer

T2 - 15th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2021

Y2 - 7 July 2021 through 9 July 2021

ER -

Sparrius M , Sadok M , Bednar P. What can we learn from the analysis of information security policies? The case of UK’s schools. In Furnell S, Clarke N, editors, Human Aspects of Information Security and Assurance - 15th IFIP WG 11.12 International Symposium, HAISA 2021, 2021, Proceedings. Springer. 2021. p. 81-90. (IFIP Advances in Information and Communication Technology). doi: 10.1007/978-3-030-81111-2_7

What can we learn from the analysis of information security policies? The case of UK’s schools

Abstract

Publication series

Conference

UN SDGs

Keywords

Access to Document

Fingerprint

Cite this