User-defined relevance criteria: an exploratory study
Journal of the American Society for Information Science - Special issue: relevance research
An introduction to Kolmogorov complexity and its applications (2nd ed.)
An introduction to Kolmogorov complexity and its applications (2nd ed.)
Fighting computer crime: a new framework for protecting information
Fighting computer crime: a new framework for protecting information
Users' criteria for relevance evaluation: a cross-situational comparison
Information Processing and Management: an International Journal
Document representations and clues to document relevance
Journal of the American Society for Information Science
Writing Information Security Policies
Writing Information Security Policies
The economics of information security investment
ACM Transactions on Information and System Security (TISSEC)
Enemy at the gate: threats to information security
Communications of the ACM - Program compaction
Privacy policies as decision-making tools: an evaluation of online privacy notices
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Why there aren't more information security research studies
Information and Management
Relevance criteria identified by health information users during Web searches: Research Articles
Journal of the American Society for Information Science and Technology
Beyond accuracy: what data quality means to data consumers
Journal of Management Information Systems
Security Metrics: Replacing Fear, Uncertainty, and Doubt
Security Metrics: Replacing Fear, Uncertainty, and Doubt
Employees' Behavior towards IS Security Policy Compliance
HICSS '07 Proceedings of the 40th Annual Hawaii International Conference on System Sciences
HIPAA's Effect on Web Site Privacy Policies
IEEE Security and Privacy
Measuring network security using dynamic bayesian network
Proceedings of the 4th ACM workshop on Quality of protection
Techniques for enterprise network security metrics
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
Compression of individual sequences via variable-rate coding
IEEE Transactions on Information Theory
Risks in the use of information technology within organizations
International Journal of Information Management: The Journal for Information Professionals
Access control: principle and practice
IEEE Communications Magazine
The problem of information overload in business organisations: a review of the literature
International Journal of Information Management: The Journal for Information Professionals
Feature: What Makes an Effective Information Security Policy?
Network Security
Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis
Information Resources Management Journal
| Hi-index | 0.00 |
Security policies are widely used tools for the implementation of organizational security, however neither do we have metrics for measuring their effectiveness, nor are there universal standards that can serve as benchmarks. There is considerable variability in security policies based on the way they are written but we have no quantifiable evidence to determine if one kind of policy is better than another. This paper examines the literature on policies and identifies three dimensions (breadth, clarity and brevity) that could be used to characterize how well a security policy is written. These dimensions are validated through a survey of user perceptions. Informed by this empirical evidence, we propose objective metrics (along with algorithms for calculating these metrics), that can be used to assess each of these dimensions. The objective metrics are cross validated with user perceptions and found to be consistent, thus providing a standardized process to characterize the form of a security policy. Such a set of metrics would facilitate the process of evaluating the effectiveness of security policies.