Practice-based discourse analysis of information security policies

- We propose tentative quality criteria for design of information security policies.
- The criteria emphasise information security policies as useful tools for employees.
- The criteria are anchored in practice-based discourse analysis.
- We illustrate the usefulness of practice-based discourse analysis.

To address the “insider” threat to information and information systems, an information security policy is frequently recommended as an organisational measure. However, having a policy in place does not necessarily guarantee information security. Employees' poor compliance with information security policies is a perennial problem for many organisations. It has been shown that approximately half of all security breaches caused by insiders are accidental, which means that one can question the usefulness of current information security policies. We therefore propose eight tentative quality criteria in order to support the formulation of information security policies that are practical from the employees' perspective. These criteria have been developed using practice-based discourse analysis on three information security policy documents from a health care organisation.