Institutional Repository

Addressing ambiguity within information security policies in higher education to improve compliance

Show simple item record Buthelezi, Mokateko Portia 2018-04-16T07:45:13Z 2018-04-16T07:45:13Z 2017-06
dc.description.abstract Information security (InfoSec) policies are widely used by institutions as a form of InfoSec control measure to protect their information assets. InfoSec policies are commonly documented in natural language, which is prone to ambiguity and misinterpretation, thereby making it hard, if not impossible, for users to comply with. These misinterpretations may lead the students or staff members to wrongfully execute the required actions, thereby making institutions vulnerable to InfoSec attacks. According to the literature review conducted in this work, InfoSec policy documents are often not followed or complied with; and the key issues facing InfoSec policy compliance include the lack of management support for InfoSec, organisational cultures of non-compliance, intentional and unintentional policy violation by employees (the insider threat), lack of policy awareness and training as well as the policy being unclear or ambiguous. This study is set in the higher education context and explores the extent to which the non-compliance problem is embedded within the policy documents themselves being affected by ambiguity. A qualitative method with a case study research strategy was followed in the research, in the form of an inductive approach with a cross-sectional time horizon, whereby a selection case of relevant institutional InfoSec policies were analysed. The data was collected in the form of academic literature and InfoSec policies of higher education institutions to derive themes for data analysis. A qualitative content analysis was performed on the policies, which identified ambiguity problems in the data. The findings indicated the presence of ambiguity within the policy documents, making it possible to misinterpret some of the policy statements. Formal methods were explored as a possible solution to the policy ambiguity. A framework was then proposed to address ambiguity and improve on the clarity of the semantics of policy statements. The framework can be used by policy writers in paying attention to the presence of ambiguity in their policies and address these when drafting or revising their policy documents. en
dc.language.iso en en
dc.subject Formal methods en
dc.subject Policy ambiguity en
dc.subject Usable security en
dc.subject Policy clarity en
dc.subject Policy human aspects en
dc.subject Security policy compliance en
dc.subject.ddc 507.12
dc.subject.lcsh Information policy en
dc.subject.lcsh Compliance en
dc.subject.lcsh Ambiguity en
dc.subject.lcsh Science -- Study and teaching (Higher) en
dc.title Addressing ambiguity within information security policies in higher education to improve compliance en
dc.type Dissertation en
dc.description.department School of Computing en

Files in this item

Files Size Format View

There are no files associated with this item.

This item appears in the following Collection(s)

Show simple item record

Search UnisaIR


My Account