i-com (Mar 2025)

From usable design characteristics to usable information security policies: a reconceptualisation

  • Dennis Lawo,
  • Gunnar Stevens

DOI
https://doi.org/10.1515/icom-2024-0066
Journal volume & issue
Vol. 24, no. 1
pp. 107 – 124

Abstract

Information Security Policies (ISPs) are crucial artefacts in organisations, governments, and civil societies for mitigating information security threats and risks. However, poorly designed ISPs can lead to hidden costs and decreased compliance in daily practice. While behavioural factors such as social norms, positive attitudes, and knowledge are well known to influence compliance, the usability of ISPs, understood in a way that takes the context of use seriously, remains understudied. To address this, we introduce the concept of the Usable Information Security Policy (UISP). The concept is derived from the argument that usability is not merely a property of the usable design of the document itself, but a relational property of the ISP within a specific context of regulation. We argue that UISPs treat usability as an inherent feature of a policy, alongside compliance. This in turn requires an extended scope of content, adapted policy management methods, and close alignment with that context. Our research has implications for theory and practice. By providing a new concept for engagement, including a research agenda, we give usable security research a new tool for strengthening protection at the interface between socio-technical contexts and artefacts. For practitioners, the concept provides initial guidance on how to incorporate usability more strongly into otherwise formal policy-making processes.

Keywords