| Article ID | Journal | Published Year | Pages | File Type |
|---|---|---|---|---|
| 557855 | The Journal of Strategic Information Systems | 2010 | 15 Pages | PDF |
Abstract

Security policies are widely used tools for implementing organizational security; however, we have neither metrics for measuring their effectiveness nor universal standards that can serve as benchmarks. Security policies vary considerably in the way they are written, but we have no quantifiable evidence to determine whether one kind of policy is better than another. This paper examines the literature on policies and identifies three dimensions (breadth, clarity and brevity) that could be used to characterize how well a security policy is written. These dimensions are validated through a survey of user perceptions. Informed by this empirical evidence, we propose objective metrics (along with algorithms for calculating them) that can be used to assess each of these dimensions. The objective metrics are cross-validated against user perceptions and found to be consistent, thus providing a standardized process for characterizing the form of a security policy. Such a set of metrics would facilitate the process of evaluating the effectiveness of security policies.

Related Topics
Physical Sciences and Engineering Computer Science Information Systems