Review of Information Security Policy based on Content Coverage and Online Presentation in Higher Education

Policies are high-level statements that carry the weight of organizational law and drive decision-making within the organization. An information security policy is not easy to develop unless the organization clearly identifies the steps required in the development process, particularly in institutions of higher education, which rely heavily on IT. An inappropriate development process, or replication of security policy content from other organizations, can fail in execution: a duplicated policy may not conform to the rules and regulations enforceable in the adopting organization, even when it is well developed. Hence, organizations need to develop policies that comply with their own regulatory requirements. This paper reviews the policies of selected universities against the ISO/IEC 27001:2013 minimum requirements as well as against criteria for effective online presentation. The online presentation review covers aesthetics, navigation and content presentation. The information on the security policy documents was taken from the universities' websites.


INTRODUCTION
The aim of information security is to protect the organization's information assets from unauthorized access, disclosure or breaches. To enforce effective information security, organizations need to develop good management practices comprising policies and controls [35]. Technical solutions help protect information assets; however, technical solutions alone cannot eliminate the risk of information leakage, modification or breach. Because such events may cause significant loss, information security is critical to the business operations of most organizations, especially government and public bodies, where the financial and non-financial costs are much greater than in other organizations [37]. Similarly, information leakage or breaches may cause great losses for higher education institutions, which store large amounts of student information in their management systems, administrative systems and student portals [35], [38]. For example, a university's credibility and integrity can be damaged by illicit grade changes and recurring problems with registration or financial systems [21].
The importance of information security and confidentiality in universities has been discussed since 1975 [36]. Universities and colleges are targeted for cyber-attacks for two main reasons: first, the large amount of computing power they possess, and second, the open access they make available to the public. Universities' network infrastructures are available not only to their own staff and students but also to visiting students, visitors and researchers worldwide. While providing access to the public and promoting information sharing, a balance must be struck to ensure the security of information assets [21].
Information security and protection against internal risks are focal concerns in many organizations. Technological solutions alone cannot guarantee data protection against the various threats. Despite advanced technologies, the human factor remains the major risk to the integrity of information systems security [17], [24]. Accordingly, many security experts believe that implementing and enforcing a security policy is the most sensible approach to protecting information systems security [15] and the key to an effective security control program [15], [22]. The 'development process' [13], [26] and the 'contents' of the security policy are the two elements that mainly determine the effectiveness of a security policy [8], [19], [12].
Protection of organizational information, which is increasingly stored, processed and disseminated electronically, is becoming more intricate and challenging. This is even more complex for knowledge-intensive organizations such as universities, as teaching and research activities depend ever more on the availability, integrity and accuracy of electronic information resources. This paper studies the general outline and structure of what a policy should contain, rather than the detailed content of information security policies [7]. In addition, the online presentation of the policies is reviewed against principles of good design.

II. ROLE AND SCOPE OF THE INFORMATION SECURITY POLICY
The literature shows that the information security policy is gradually becoming a significant corporate document for protecting the availability, confidentiality and integrity of organizational information resources. More specifically, it is argued that the policy document should establish the mechanism by which an organization proactively manages information security [14]. Hence, an effective information security policy should define individual responsibilities, outline authorized and unauthorized use of systems, give users a way to report suspected or identified threats, clarify the penalties for violations, and specify the method for updating the policy [7].
One of the most significant roles of an information security policy is to specify users' rights and responsibilities precisely and to communicate them successfully to all users, so that there is a mutual and coherent understanding of information security that is embraced by the organization [11]. This removes excuses for employees who fail to follow the security practices set out in the organization's policy [23]. The policy document must therefore act as a catalyst for employees' beliefs and behavior with respect to information security, and in doing so it becomes the foundation of effective security management [7].
The objective of information security is to protect organizations' information assets from unauthorized use, breaches and disclosure. As defined by ISO/IEC 27001:2013, information security is the preservation of the confidentiality, integrity and availability of information: providing access only to the authorized personnel who need it, keeping the information accurate and complete, and making sure it is available to authorized users when they need it.
Proper management practices comprising policies and controls should be established to ensure the effective implementation and enforcement of the information security policy. According to ISO/IEC 27002:2013, the information security policy aims to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Undoubtedly, the information security policy plays an important role in protecting the organization's information assets and thereby its well-being. However, the process for developing and implementing an effective information security policy is unclear [9].
Due to this lack of guidance, policy developers often draw on policies developed by other organizations, commercial sources, or public templates from the Internet. A policy document created from such sources may not provide proper guidance for protecting that particular organization. Moreover, the resulting policy may not address the threats and risks it is supposed to mitigate, and so will not resolve the security issues that the organization is actually facing. "Sadly, many IT security experts do not recognize and comprehend the business risks, and eventually make lengthy security policy documents that attempt to protect everything" [9].
The development and implementation of an effective information security policy is not clear-cut and is driven by various issues including regulatory requirements, the complications of advanced technologies, and internal and external risks and threats. The literature describes a number of information security policy development processes and implementation methods [1], although these do not offer a comprehensive and integrated method with step-by-step guidance [9].

III. INFORMATION POLICY STRUCTURE VS. POLICY GUIDELINE
Even though there is a substantial body of literature underlining the importance of the policy document, there is debate on the structure and key elements of policies. The literature has mostly explored the structure of policy from a conceptual perspective. For instance, reference [3] asks whether there should be a single policy or whether it should be divided into subdocuments of different types. An earlier study [29] proposes two models, namely 'computer-oriented' and 'people/organizational' policies. Reference [30] suggests a three-level model consisting of 'institutional policy, institutional ISP and technical ISP', while [31] recommends a four-level model comprising 'system security policy, product security policy, community security policy and corporate information security policy'. Whilst there is increasing debate about the number of policies and how they are inter-related, reference [31] states that in practice organizations are more likely to have a single policy document. Other scholars focus on the difference between high- and low-level policy practices [32], although a policy should provide guidance on 'means' as well as 'ends' [33]. Over the years, more studies have been conducted on the effective configuration of information security documentation, but with little progress toward resolving the issue. In fact, the issue has become even more complex with the emergence of new forms of security documents, such as 'Internet and email usage policies' [2] and 'copyright policies' [18], that complement the information security policy. As a result, there is a significant need for focused, empirical study of the structural arrangements of information security policies as they are currently adopted and practiced by organizations [7].
The structure of information security policy has been widely discussed in the literature, although empirical contributions and consensus are lacking. In academia, however, there is fairly limited discussion of the particular issues that an information security policy needs to address. ISO/IEC 17799:2005 indicates the types of issues that an information security policy can address, but these issues have received little academic scrutiny. One of the few attempts to fill this gap was an empirical study by [7] of information security policies across large organizations in the UK, based on a framework of potential policy issues extracted from the literature. Even though that research offers useful insights, it suffers from inconsistency of approach and terminology, because it drew on IT decision makers' perceptions of their own policy content rather than on the actual content of the policies [7].
In addition to concerns about the structure and content of policy, there are concerns about policy effectiveness. Many organizations claim to have developed and implemented an information security policy [20]. However, the high rate of information security incidents and breaches suggests a lack of effectiveness and/or communication of policy. In fact, the study by [34] revealed no significant difference in the number of security breaches between organizations that had adopted an information security policy and those that had not. One possible reason for the ineffectiveness of information security policies is that organizations follow narrow policies that focus only on the confidentiality, integrity and availability of information, while the technology-centred view fails to address increasingly important human and organizational aspects [6]. In fact, the most commonly adopted policy standard, ISO 17799 (2005) [24], focuses on a technically oriented conceptualization of information security (availability, confidentiality and integrity) and ignores human factors such as trust, ethicality and the integrity of users [7].

A. Policy Writing Guidelines
Policies are high-level statements that correspond to corporate law, drive decision making in a university, and are subject to a serious review process. The university's information security policies are accessible on its website. Standards are minimum requirements developed to address specific issues and ensure compliance with policies; they are used for verification in audits and assessments. Every faculty and department is required to follow the standards, and the adoption of local standards that exceed the minimum requirements is encouraged. A procedure is a set of step-by-step instructions for accomplishing a task; procedures can also be used to maintain compliance with regulations. Guidelines provide additional recommendations and a framework to help with compliance with policies. They are more technical in nature than policies and standards, and are updated more frequently to address changes in technology and university practices [28]. Fig. 1 presents the policy-making process.
Policy writing should reach the intended audience with policies that are clear, easy to read, and provide the right level of information to those affected by the content. If users understand a policy, they are more likely to follow it and incorporate it into their daily work. The key elements of a policy document are identified as 1) Policy Title

• Use Language That Reflects the Policy's Intent:
Select words carefully. Words like "should" and "may" imply a choice. For example, "Faculty and staff should not smoke in class." This means they should not smoke, but it does not prohibit them from doing so. The statement also does not address students. An alternative phrasing would be: "Faculty, staff, and students are prohibited from smoking in class." This is much better, but addresses only the classroom setting. The best rewrite is "Smoking is not allowed inside University buildings."

• Use as Few Words as Possible to State a Case:
For instance, "All University faculty and staff, under the leadership of its officers, are obligated to ensure that University funds are used only for mission-related purposes." This statement implies that only those under the leadership of the officers are required to follow the policy. An alternative is: "Employees must ensure that University funds are used only for mission-related purposes."

• Ensure that Clarifying a Statement Did Not Alter Its Meaning:
For example, "All faculty and staff must attend weekly meetings." The word "all" is redundant. Simply stating "Faculty and staff" implies all unless an exception is also written.

A. A Generic Framework for Information Security Policy Development
Reference [12] proposed a general framework to enhance the security policy development process in higher education, using content analysis and cross-case analysis methods (Fig. 2). The proposed framework can be used as a guide to developing more comprehensive and sustainable information security policies in institutions of higher education, and as a guideline for improving or developing a policy management program. However, the framework is too general, and more specific development processes, such as those for an Acceptable Use Policy or any specific system security policy, need to be explored.
Reference [12] identified risk assessment as the major part of the policy development process, since it systematically identifies, analyzes and evaluates the information security threats to information systems and services as well as the controls required to manage them. Risk identification involves identifying information assets, threats and vulnerabilities. These are the important elements in identifying the origin of incidents that could affect the university's information assets. The findings indicate that the coverage of a security policy's content is determined by the risk assessment.

B. The Policy Development Framework Including the ISPDLC Components
The study by [9] found Risk Assessment to be the most important construct (Fig. 3). Risk Assessment should therefore be the first step in developing an information security policy, in order to identify the risks that need to be mitigated. Management Support was the second most important construct: managers use policies to clarify their intentions and direction. Policy Monitoring was the least important construct, which suggests that this area requires more attention; the content analysis gave a similar result, with information security monitoring having the lowest frequency of tags among all categories. The study by [9] has some limitations. The first is the demographics of the survey respondents, who were drawn only from the U.S. and the U.K.; this makes it difficult to generalize the findings, as both are developed countries with advanced technology. Hence, a framework should provide guidelines that can be adopted by both developed and developing countries to enhance their information security policy development process. In many developed countries, senior managers or the board of directors are by law responsible for information security and risk management, so organizations have to spend resources on protecting their information. This may not necessarily happen elsewhere, especially in smaller organizations.
The second limitation is the time and cost of implementing the processes proposed in the framework. Organizations need sufficient budget to cover the costs of conducting a risk assessment, constructing the information security policy, consulting stakeholders, conducting training and education sessions, and monitoring users' activities, perhaps with an automated monitoring system. The costs are even higher for larger organizations, which require significantly more time and other resources. Lastly, the decision to develop and implement an information security policy should be based on the organization's security needs, so a cost-benefit analysis should be carried out to determine whether it is worthwhile for a particular organization to spend a large amount of resources on this exercise [9].

V. METHODOLOGY
As content analysis is helpful for identifying trends and patterns in documents, this study focuses on two levels of content analysis: first, studying the information security policy development process for institutions of higher education, and second, comparing it to the common information security policy development practices adopted by organizations, as discussed in the following sections. To this end, the study compares the information security policies of eleven universities [12]. The information security policy is widely recognized as the most important information security mechanism for preventing, detecting and responding to security breaches; it therefore plays an important role in IT-enabled organizations, especially in defining the scope and content of information security practice. Each university's website was reviewed to identify the available policy documents and their information security coverage. The policies were further reviewed in terms of aesthetics, navigation and content.

A. University Selection
To ensure the consistency and accuracy of data collection from the information security policies of each university, a pro forma was devised and used to review the policies of eleven universities. The pro forma data collection document comprised the following four broad components:
• University Details (Table I): name, abbreviation, country, position in worldwide university rankings, website address. Eleven universities were selected from North America, Europe, Australia and Asia. All the selected universities are ranked below 250 worldwide, based on the QS 2018 rankings.
• Policy Administration Details (Table I): details of the department responsible for the creation, management and maintenance of the policy, including the responsible unit, phone number and email address. Only the responsible units are included in Table I, to avoid disclosing personal information.
• Policy Structure (Table II): types of policy available on the university website besides the information security policy (e.g. Acceptable Use of Information Technology Resources Policy, Data Security Classification Policy).
• Policy Coverage (Table II): information security coverage and policy titles, listed from each university's website.
This task was cross-checked during the investigation by emailing the respective universities to ensure accuracy and consistency. The contents of the pro forma were then summarized in Tables I and II to enable comparisons to be made.
TABLE I. UNIVERSITY AND POLICY ADMINISTRATION DETAILS

B. Information Security Policies and Coverage
The introduction of each university's policy was helpful for understanding its overall standpoint on information security. Some universities are concerned more with hardware protection or physical security, whereas others focus on the confidentiality and integrity of information assets and administrative data. Some emphasize the need for information in research, and therefore want security practices that support research activities while protecting against attack. Given these different areas of focus, it is not surprising that the policy structures and coverage also vary. As illustrated in Table II, the selected universities have different policies, and their information security content coverage varies. These differences arise during the risk analysis, when the policy development team identifies internal and external threats, vulnerabilities, incidents and information assets.

C. Online Presentation and Content Coverage
Reference [39] defines aesthetics as the study of the emotions and the mind in relation to notions such as the beautiful and the ugly as applied to the fine arts. Aesthetic issues can influence user perception of a website, and the user's emotion and attitude play an important role in attracting and holding attention and in making the website appear trustworthy. Factors influencing the perception of beauty are balance, proportion, informational content and complexity, contrast and clarity, and symmetry. Factors for aesthetic design features are visual complexity, color, and balance and symmetry [39].
Navigation should give the user an easy, convenient and efficient browsing experience. Pagination controls should not be invisible, hard to understand or difficult to identify [41]. To reduce the risk of users feeling disoriented and to help them find information, navigation links should be the same from page to page [40].
Content strategy focuses on the planning, creation, delivery and governance of content, which may be text, images or multimedia [43]. The best practices for creating meaningful content identified by [43] are:
• Reflect your organization's goals and the users' needs.
• Understand how users think and speak about a subject.
• Communicate with people in a way that they understand.
• Be useful.
• Stay up-to-date and remain factual.
• Be accessible to all people.
• Be consistent.
• Be findable.
• Help define the requirements for the overall site.
In this study, the information security policies of the 11 HEIs have been reviewed against the criteria suggested by [42], as follows:
Aesthetics:
• What feel does the website give: orderly or messy? Sparse or crowded? Playful or formal?
• Is the style consistent throughout the website?
• Where do photos or decorative touches get in the way of the message?
Navigation:
• How easy is it to find information?
• Is there a search button for visitors?
• Do all the links work?
Content:
• Does the design make content easy to find?
• Will the content be relevant to the reader?
• Is the content concise but still useful?
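Three of the navigation and content checks above (do all links work, is there a search control, and how do PDF links behave) can be run mechanically rather than by hand. The script below is an added example written for this review, not part of the original study or of any university's site: it parses a policy index page, resolves every hyperlink, and reports broken links, the presence of a search box, and whether each PDF opens inline or is forced to download via a Content-Disposition: attachment header. The page URL, HTML and HTTP responses are constructed sample data; a live run would replace sample_fetch with an HTTP HEAD request.

```python
"""Automated pass over a policy index page (constructed example).

Checks three of the review criteria: do all links work, is a search control
present, and do PDF links open inline or force a download. The page URL,
HTML and HTTP responses below are constructed sample data, not taken from
any university site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin


class PolicyPageParser(HTMLParser):
    """Collects hyperlinks and notes whether a site search control exists."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.search_present = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        # Treat <input type="search"> or an input named q/query/search as a search box.
        if tag == "input" and (a.get("type") == "search"
                               or a.get("name") in ("q", "query", "search")):
            self.search_present = True


def review_page(page_url, html, fetch):
    """Resolve every link on the page with fetch(url) -> (status, headers)
    and classify it as broken, an inline PDF, a forced-download PDF, or ok."""
    parser = PolicyPageParser()
    parser.feed(html)
    result = {"search_present": parser.search_present,
              "broken": [], "pdf_inline": [], "pdf_download": [], "ok": []}
    seen = set()
    for href in parser.hrefs:
        url = urljoin(page_url, href)
        if url in seen or url.startswith(("mailto:", "javascript:", "tel:")):
            continue
        seen.add(url)
        status, headers = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        if status >= 400:
            result["broken"].append(url)
            continue
        is_pdf = ("application/pdf" in headers.get("content-type", "")
                  or url.lower().endswith(".pdf"))
        if is_pdf:
            # Content-Disposition: attachment makes the browser save the file
            # instead of rendering it, which the review flags as unexpected.
            if headers.get("content-disposition", "").lower().startswith("attachment"):
                result["pdf_download"].append(url)
            else:
                result["pdf_inline"].append(url)
        else:
            result["ok"].append(url)
    return result


# Constructed sample: a policy index page and the responses its links would return.
SAMPLE_PAGE_URL = "https://example.edu/policies/"
SAMPLE_HTML = """
<html><body>
<form action="/search"><input type="search" name="q"></form>
<ul>
  <li><a href="information-security-policy.pdf">Information Security Policy</a></li>
  <li><a href="acceptable-use.pdf">Acceptable Use Policy</a></li>
  <li><a href="data-classification">Data Security Classification Policy</a></li>
  <li><a href="mailto:itsecurity@example.edu">Contact IT Security</a></li>
  <li><a href="/it/">IT Services</a></li>
</ul>
</body></html>
"""
SAMPLE_RESPONSES = {
    "https://example.edu/policies/information-security-policy.pdf":
        (200, {"Content-Type": "application/pdf"}),
    "https://example.edu/policies/acceptable-use.pdf":
        (200, {"Content-Type": "application/pdf",
               "Content-Disposition": 'attachment; filename="aup.pdf"'}),
    "https://example.edu/policies/data-classification":
        (404, {"Content-Type": "text/html"}),
    "https://example.edu/it/":
        (200, {"Content-Type": "text/html; charset=utf-8"}),
}


def sample_fetch(url):
    """Stand-in for an HTTP HEAD request; a live run would use urllib.request."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def review_sample():
    """Run the review over the constructed sample page."""
    return review_page(SAMPLE_PAGE_URL, SAMPLE_HTML, sample_fetch)


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

The fetch callable is injected so the same review_page function can be pointed at a real site by supplying a function that issues a HEAD request and returns the status code and headers; keeping the network out of the classifier is what makes the check reproducible across the eleven sites.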

University of Malaya
• Appealing and simple design: orderly, sparse, formal.
• The style is consistent throughout the website.
• Photos or decorative touches do not get in the way of the message.
• Simple navigation without the need to guess.
• There is a search button on the main page only.
• All links work.
• Information is not easy to find, as the content is missing for some of the policies and related documents.
• Content is relevant but not in a single default language: some content is provided in English and the rest in Malay.
• Hyperlinks are not active for all PDF documents.

Universiti Kebangsaan Malaysia
• Appealing and simple design: sparse and formal.
• The style is consistent throughout the website.
• Photos or decorative touches do not get in the way of the message.
• Poor navigation, as information is spread across multiple pages without direct links.
• There is a search button.
• No links connect the relevant pages.
• Some of the links do not work.
• Some links load the PDF in the browser whereas others download the PDF without asking.
• Information is not easy to find; only the UKM web security policy is covered.
• Information security policies are presented as highlights and the full content cannot be found.
• There is no default language, as English content is mixed with Malay.
• Spelling mistakes (e.g. in "Guidelines").
• Does not state the objective and scope of the UKM information security policy.

National University of Singapore

Reviews of the selected websites have been divided into three criteria, aesthetics, navigation and content, as shown in Table III. Based on that table, we further highlight the presence of each criterion in Table IV.
The strengths of the online presentation of these policies in terms of aesthetic elements are being attractive, orderly, sparse, simple, consistent, formal and appealing, with photos and decorative touches that do not get in the way of the message. However, some of the policies are inconsistent, crowded or playful, and in some the photos and decorative touches do get in the way of the message. The navigation strengths of these policies are simple navigation without the need to guess, an available search button, and working links.
Nonetheless, other identified issues are poor navigation, where the user might get lost while searching for certain information; information spread across multiple pages without a direct link; search functions available on the home page only; links that do not work; and links that load or download a PDF without asking.
The strengths related to content are content that is easy to find, relevant, concise but useful, and comprehensive. Other identified issues are information that is not easy to find or cannot be found, content that is brief or mixed, and content displayed in question or point form. The strengths identified from the related websites can guide the design of a good interface and help avoid the bad design issues seen on some websites.
The selected universities' policies were also reviewed to investigate their coverage of the mandatory and non-mandatory documents and records of ISO/IEC 27001:2013. This task was cross-checked during the investigation by emailing the respective universities to ensure accuracy and consistency. The findings were then summarised in Tables VI, VII and VIII to enable comparisons to be made. Table VI shows that none of the selected universities made all of the mandatory and non-mandatory documents and records from ISO 27001 Annex A available on its website. This is again due to the policy development process, in which the risk analysis directs policymakers to focus on certain information security issues. For instance, the University of Arizona made 8 of the 16 mandatory Annex A documents available on its website, whereas Universiti Kebangsaan Malaysia has only 1 document accessible to visitors. Dividing the information security content into standalone documents makes it easier to deliver the message to the intended audience and makes the process more efficient.

VI. DISCUSSION
An effective information security policy should convert an organization's requirements into precise, measurable objectives that are readable and consistent [10]. Developing an information security policy that fulfills an organization's requirements is not an easy task. Duplicating another organization's policy document may not address issues such as compliance with regulatory requirements, even when the replicated document is well developed and properly referenced [16], [3], [4]. Thus, the security policy document must be developed from the organization's own culture, operations, environmental factors and policy requirements [25], and the development process should be tailored to the characteristics of the organization, its culture, potential technology changes in hardware and software, its users and its management support [5]. This applies to sectors such as higher education, where each university comprises diverse management structures, faculties and departments, and exhibits different forms of behavior [21]. According to [13] and [9], studies often focus on the structure and content of policy but less on the development process, especially the step-by-step process. Hence, this paper focused exclusively on information security policy development in institutions of higher education [12].
Organizations seeking ISO certification must meet the ISO/IEC 27001:2013 minimum requirements. The documents and records involved are drawn from the standard's clauses and its Annex A control set, which together define the mandatory and non-mandatory documents on which organizations base their policies. Many universities develop a single document for all policies and procedures (e.g. UKM), whereas others develop standalone policy documents aligned with the ISO requirements. Developing multiple policy documents makes it possible to reach a targeted audience. This paper conducted a comparative review of the information security policy documents of eleven universities against i) the ISO/IEC 27001:2013 mandatory and non-mandatory requirements and ii) the available frameworks and guidelines for policy development in higher education. The findings show that none of the selected universities has produced documents for all mandatory and non-mandatory requirements. This follows from the risk analysis that should be the initial stage of policy development, in which each university identifies its organization-specific issues as well as its regulatory obligations. Thus, developing a policy document for every Annex A requirement may not be necessary for every organization.
The information security policies must be accessible from the university website. However, not all policies should be accessible to the public. The policies should be divided into two categories, public and private. Policies intended for the public must be accessible to everyone, whereas private policies should be restricted by user authentication or accessible only from the university's internal network. Private policies are made for university stakeholders and internal use only; exposing them publicly reveals internal operational detail and gives an edge to those with prying eyes.

VII. CONCLUSION
The process of developing and implementing an effective information security policy is not clear-cut. It is vital for universities to recognize the significance of the development process for institutions of higher education. The challenge for higher education institutions is to understand how to develop and implement information security policy effectively, based on risk analysis and in accordance with the organization's requirements. Otherwise, in the event of security breaches or violations, regulations are less likely to be enforceable because the security policy documents are incomplete or incomprehensible. This paper selected 11 universities and reviewed their information security policies against the ISO/IEC 27001:2013 minimum requirements to reach a concise understanding of the policy-making process and of what is being practiced in higher education. This study can serve as a guide for other universities developing or improving their information security policies to comply with the ISO/IEC 27000 series.