Adapting information security policy messaging styles to the targeted audience

Abstract

Current research aims to investigate whether it would be possible to identify all information security policy (ISP) writing styles and how these would influence ISP compliance. Almost all businesses use ISPs to establish boundaries and require secure behaviour from their employees. Unfortunately, professional surveys and academic research demonstrate a high level of non-compliance with the ISP. While the justification for the employee’s behaviour has been discussed, very few research papers have investigated whether the ISP writing style impacted the intent to comply with ISP. The research methodology incorporates content analysis and a quantitative descriptive review of published papers on ISP and non-IS policy compliance. The theoretical research allowed the identification of five major ISP writing styles: belonging, deterrence, goal, motivation, and specialist, as well as writing style influencers such as timeliness and readability. To achieve a higher level of compliance with the ISP, it was suggested that the writing styles of belonging, goal, and motivation be used primarily. Deterrence is generally discouraged. The study enabled us to determine when ISP writing styles were mentioned and the type of influence on the intent to comply with ISP. It also allowed for comparison and possible differences in ISPs versus standard workplace policies. There are proposals on which writing styles to put forward, along with recommendations on creating an ISP.