Information Security by Words Alone: The Case for Strong Security Policies

Effective information security extends beyond using software controls that are so prominently discussed in the popular and academic literature. There must also be management influence and control. The best way to control information security is through formal policy and measuring the effectiveness of existing policies. The purpose of this research is to determine 1) what security elements are embedded in Web-based information security policy statements and 2) what security-related keywords appear more frequently. The authors use these findings to propose a density measure (the extent to which each policy uses security keywords) as an indicator of policy strength. For these purposes, they examine the security component of privacy policies of Fortune 100 Web sites. The density measure may serve as a benchmark that can be used as a basis for comparison across companies and the development of industry norms.