{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,6]],"date-time":"2026-03-06T11:20:41Z","timestamp":1772796041814,"version":"3.50.1"},"reference-count":39,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2024,4,17]],"date-time":"2024-04-17T00:00:00Z","timestamp":1713312000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2024,9,25]]},"abstract":"\nPurpose<\/jats:title>\nThis paper aims to investigate how congruent keywords are used in information security policies (ISPs) to pinpoint and guide clear actionable advice and suggest a metric for measuring the quality of keyword use in ISPs.<\/jats:p>\n<\/jats:sec>\n\nDesign\/methodology\/approach<\/jats:title>\nA qualitative content analysis of 15 ISPs from public agencies in Sweden was conducted with the aid of Orange Data Mining Software. The authors extracted 890 sentences from these ISPs that included one or more of the analyzed keywords. These sentences were analyzed using the new metric \u2013 keyword loss of specificity \u2013 to assess to what extent the selected keywords were used for pinpointing and guiding actionable advice. Thus, the authors classified the extracted sentences as either actionable advice or other information, depending on the type of information conveyed.<\/jats:p>\n<\/jats:sec>\n\nFindings<\/jats:title>\nThe results show a significant keyword loss of specificity in relation to pieces of actionable advice in ISPs provided by Swedish public agencies. About two-thirds of the sentences in which the analyzed keywords were used focused on information other than actionable advice. Such dual use of keywords reduces the possibility of pinpointing and communicating clear, actionable advice.<\/jats:p>\n<\/jats:sec>\n\nResearch limitations\/implications<\/jats:title>\nThe suggested metric provides a means to assess the quality of how keywords are used in ISPs for different purposes. The results show that more research is needed on how keywords are used in ISPs.<\/jats:p>\n<\/jats:sec>\n\nPractical implications<\/jats:title>\nThe authors recommended that ISP designers exercise caution when using keywords in ISPs and maintain coherency in their use of keywords. ISP designers can use the suggested metrics to assess the quality of actionable advice in their ISPs.<\/jats:p>\n<\/jats:sec>\n\nOriginality\/value<\/jats:title>\nThe keyword loss of specificity metric adds to the few quantitative metrics available to assess ISP quality. To the best of the authors\u2019 knowledge, applying this metric is a first attempt to measure the quality of actionable advice in ISPs.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-10-2023-0187","type":"journal-article","created":{"date-parts":[[2024,4,15]],"date-time":"2024-04-15T09:00:41Z","timestamp":1713171641000},"page":"492-508","source":"Crossref","is-referenced-by-count":3,"title":["Qualitative content analysis of actionable advice in information security policies \u2013 introducing the keyword loss of specificity metric"],"prefix":"10.1108","volume":"32","author":[{"given":"Elham","family":"Rostami","sequence":"first","affiliation":[]},{"given":"Fredrik","family":"Karlsson","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2024,4,17]]},"reference":[{"key":"key2024092315395430000_ref001","article-title":"Information security policy: a management practice perspective","year":"2015","journal-title":"Australasian Conference on Information Systems"},{"issue":"1","key":"key2024092315395430000_ref002","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1177\/1744987117741667","article-title":"Directed qualitative content analysis: the description and elaboration of its underpinning methods and data analysis process","volume":"23","year":"2018","journal-title":"Journal of Research in Nursing"},{"issue":"5\/6","key":"key2024092315395430000_ref003","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1108\/09576050210447019","article-title":"An information security meta-policy for emergent organizations","volume":"15","year":"2002","journal-title":"Logistics Information Management"},{"key":"key2024092315395430000_ref004","doi-asserted-by":"crossref","first-page":"183","DOI":"10.1016\/j.jbusres.2019.04.024","article-title":"Reacting to the scope of a data breach: the differential role of fear and anger","volume":"101","year":"2019","journal-title":"Journal of Business Research"},{"issue":"12","key":"key2024092315395430000_ref005","doi-asserted-by":"crossref","first-page":"1290","DOI":"10.1080\/0144929X.2019.1583769","article-title":"The impact of time pressure on cybersecurity behaviour: a systematic literature review","volume":"38","year":"2019","journal-title":"Behaviour and Information Technology"},{"issue":"6","key":"key2024092315395430000_ref006","doi-asserted-by":"crossref","first-page":"605","DOI":"10.1057\/s41303-017-0059-9","article-title":"Organizational information security policies: a review and research framework","volume":"26","year":"2017","journal-title":"European Journal of Information Systems"},{"issue":"4","key":"key2024092315395430000_ref007","doi-asserted-by":"crossref","first-page":"673","DOI":"10.2307\/20650322","article-title":"How ethics can enhance organizational privacy: lessons from the choicepoint and TJX data breaches","volume":"33","year":"2009","journal-title":"MIS Quarterly"},{"key":"key2024092315395430000_ref008","article-title":"Orange: data mining toolbox in python","volume":"14","year":"2013","journal-title":"Journal of Machine Learning Research"},{"key":"key2024092315395430000_ref009","volume-title":"Information Security Policy \u2013 A Development Guide for Large and Small Companies","year":"2021"},{"issue":"1","key":"key2024092315395430000_ref010","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1016\/j.cose.2005.09.009","article-title":"Aligning the information security policy with the strategic information systems plan","volume":"25","year":"2006","journal-title":"Computers and Security"},{"issue":"4","key":"key2024092315395430000_ref011","doi-asserted-by":"crossref","first-page":"281","DOI":"10.1016\/j.jsis.2010.10.002","article-title":"Metrics for characterizing the form of security policies","volume":"19","year":"2010","journal-title":"The Journal of Strategic Information Systems"},{"issue":"6","key":"key2024092315395430000_ref012","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1016\/S1353-4858(02)06011-7","article-title":"What makes an effective information security policy?","volume":"2002","year":"2002","journal-title":"Network Security"},{"issue":"2","key":"key2024092315395430000_ref013","doi-asserted-by":"crossref","first-page":"104","DOI":"10.1108\/09685220610655861","article-title":"An empirical study of information security policy on information security elevation in Taiwan","volume":"14","year":"2006","journal-title":"Information Management and Computer Security"},{"issue":"9","key":"key2024092315395430000_ref014","doi-asserted-by":"crossref","first-page":"1277","DOI":"10.1177\/1049732305276687","article-title":"Three approaches to qualitative content analysis","volume":"15","year":"2005","journal-title":"Qualitative Health Research"},{"key":"key2024092315395430000_ref015","article-title":"IOS\/IEC 27002:2022 information security, cybersecurity and privacy protection \u2013 information security controls","author":"ISO","year":"2022"},{"key":"key2024092315395430000_ref016","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1016\/j.cose.2016.12.012","article-title":"Practice-based discourse analysis of information security policies","volume":"67","year":"2017","journal-title":"Computers and Security"},{"issue":"2","key":"key2024092315395430000_ref017","doi-asserted-by":"crossref","first-page":"105","DOI":"10.1504\/IJADS.2021.113532","article-title":"Understanding human aspects for an effective information security management implementation","volume":"14","year":"2021","journal-title":"International Journal of Applied Decision Sciences"},{"key":"key2024092315395430000_ref018","volume-title":"Information Security Policies, Procedures, and Standards \u2013 A Practitioner's Reference","year":"2017"},{"issue":"2","key":"key2024092315395430000_ref019","doi-asserted-by":"crossref","first-page":"173","DOI":"10.2307\/249574","article-title":"Threats to information systems: today's reality, yesterday's understanding","volume":"16","year":"1992","journal-title":"MIS Quarterly"},{"key":"key2024092315395430000_ref020","first-page":"513","article-title":"Applying action research in the formulation of information security policies","volume-title":"New Contributions in Information Systems and Technologies","year":"2015"},{"key":"key2024092315395430000_ref021","volume-title":"Information Security Handbook: A Guide for Managers","author":"Nist","year":"2006"},{"key":"key2024092315395430000_ref022","volume-title":"Information Security Policies and Procedures \u2013 a Practitioner's Reference","year":"2004"},{"key":"key2024092315395430000_ref023","doi-asserted-by":"crossref","unstructured":"Ponemon Institute Llc (2020), \u201cCost of insider threats: global report\u201d, available at: www.ibm.com\/downloads\/cas\/LQZ4RONE","DOI":"10.1016\/S1353-4858(20)30017-9"},{"key":"key2024092315395430000_ref024","volume-title":"The Information Security Breaches Survey \u2013 Technical Report","author":"Pwc","year":"2014"},{"key":"key2024092315395430000_ref025","volume-title":"The Global State of Information Security Survey 2018","author":"Pwc","year":"2018"},{"key":"key2024092315395430000_ref026","volume-title":"Tailoring Information Security Policies\u2013a Computerized Tool and a Design Theory","year":"2023"},{"key":"key2024092315395430000_ref027","first-page":"157","article-title":"A qualitative content analysis of actionable advice in Swedish public agencies\u2019 information security policies","year":"2023"},{"key":"key2024092315395430000_ref028","doi-asserted-by":"crossref","first-page":"102063","DOI":"10.1016\/j.cose.2020.102063","article-title":"Requirements for computerized tools to design information security policies","volume":"99","year":"2020","journal-title":"Computers and Security"},{"issue":"3","key":"key2024092315395430000_ref029","article-title":"Policy components \u2013 a conceptual model for modularizing and tailoring of information security policies","volume":"31","year":"2023","journal-title":"Information and Computer Security"},{"key":"key2024092315395430000_ref030","article-title":"2009:400 Offentlighets \u2013 och sekretesslag. Justitiedepartementet, Stockholm","author":"Sfs","year":"2009"},{"issue":"3","key":"key2024092315395430000_ref031","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/25750688","article-title":"Neutralization: new insights into the problem of employee information systems security policy violations","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2024092315395430000_ref032","volume-title":"The Definitive Guide to Writing Effective Information Security Policies and Procedures","year":"2010"},{"issue":"1","key":"key2024092315395430000_ref033","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1111\/j.1365-2575.2011.00378.x","article-title":"Information security policies in the UK healthcare sector: a critical evaluation","volume":"22","year":"2012","journal-title":"Information Systems Journal"},{"key":"key2024092315395430000_ref034","volume-title":"Basics of Qualitative Research: techniques and Procedures for Developing Grounded Theory","year":"1998"},{"issue":"1","key":"key2024092315395430000_ref035","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1016\/j.istr.2005.11.003","article-title":"Information security and the law","volume":"11","year":"2006","journal-title":"Information Security Technical Report"},{"key":"key2024092315395430000_ref036","volume-title":"Threat Intelligence Report 2023","author":"Truesec","year":"2023"},{"issue":"1","key":"key2024092315395430000_ref037","doi-asserted-by":"crossref","first-page":"43","DOI":"10.1016\/j.ijinfomgt.2003.12.003","article-title":"In defense of the realm: understanding threats to information security","volume":"24","year":"2004","journal-title":"International Journal of Information Management"},{"key":"key2024092315395430000_ref038","first-page":"123","article-title":"Security policy \u2013 from design to maintenance","volume-title":"Information Security \u2013 Policy, Processes, and Practices","year":"2008"},{"issue":"8","key":"key2024092315395430000_ref039","doi-asserted-by":"crossref","first-page":"667","DOI":"10.1016\/0167-4048(96)81706-8","article-title":"Writing InfoSec policies","volume":"14","year":"1995","journal-title":"Computers and Security"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-10-2023-0187\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-10-2023-0187\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:17Z","timestamp":1753406597000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/32\/4\/492-508\/1235786"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,17]]},"references-count":39,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2024,4,17]]},"published-print":{"date-parts":[[2024,9,25]]}},"alternative-id":["10.1108\/ICS-10-2023-0187"],"URL":"https:\/\/doi.org\/10.1108\/ics-10-2023-0187","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,17]]}}}