Tips for Drafting Efficient Employee Information Security Policies

December 15, 2017 by Daniel Dimov

1. Introduction

Employee information security policies impose obligations on employees of organizations which aim to reduce the risks of cyber-attacks. Such policies usually contain instructions on how to choose strong passwords, apply patches and updates, detect phishing schemes, protect sensitive information, and respond to information security incidents. There is an abundance of online materials about how to draft a comprehensive employee information security policy. However, many of those materials do not address the disadvantages of such policies.

The purpose of this article is to provide tips on how to draft employee information security policies which are not only comprehensive but also efficient. More particularly, this article advises authors of such policies NOT to require the employees of their organizations to use excessively strong passwords (Section 2), read complex documents (Section 3), or obtain explicit permissions from the IT security team for low-risk transactions (Section 4). At the end of the article, we provide a conclusion (Section 5).

2. Excessively strong passwords

The writers of employee information security policies often believe that excessively strong protection is better than strong protection. This belief may lead to serious security problems. For example, if an organization requires its employees to use fifteen-character passwords composed of random numbers and letters, such as “a57bd_22cddeOpr” or “7gpre1nwc_54abo”, the employees will likely write the password on a sheet of paper or save it in a file on their computer. Thus, fraudsters (e.g., other employees) can easily get access to the “very strong” password. Furthermore, a study conducted in 2010 by computer scientists at University College London found that excessively strict password rules may cause stress for users.

To avoid the problems mentioned above, organizations are advised to require their employees to use strong passwords which, however, are not difficult to memorize. To illustrate, passwords such as “7Rainb0wF0rest” and “5OceaNH0teL9” are strong enough and are much easier to remember than the two passwords above. A study conducted by the Institute of Electrical and Electronics Engineers clearly indicates that organizations rarely use such balanced passwords. The study found that “users rarely choose passwords that are both hard to guess and easy to remember.”

3. Obligations to read complex documents

Organizations often wrongly believe that complex and lengthy documents protect them against information security incidents. After reading such complex documents, employees may be unaware of or forget their obligations because of the volume and complexity of the information included in them. In this regard, Andrea Plato (a security expert) states in relation to the readability of information security policies, “It is not the readers’ responsibility to untangle your convoluted writing. If a document is inaccessible to a reader, they simply will not read it. Moreover, if they do not read it, they also do not respect whatever rules are contained within.” If the organization regularly updates its policies, complying with them becomes even more difficult. Furthermore, a complex policy will lead to many cases of non-compliance which, in turn, will require the company to devote significant human resources to addressing such cases.

Instead of preparing documents having the size of the King James Bible, organizations are advised to require their employees to engage in interactive information security training which will provide them with practical skills and knowledge on how to respond to cyber threats. Such e-learning methods are especially effective because they involve the participants not only intellectually, but also emotionally. Examples of interactive e-learning methods include methods utilizing virtual reality (VR), augmented reality (AR), and crowdsourcing. For more information on these methods, see the article “Innovative Methods of Information Security Training” written by us.

Such information security training will raise awareness amongst employees which, in turn, will decrease the risks of information security incidents. Statistics show that only about 6% of organizations require their new employees to participate in information security awareness programs. Also, empirical research indicates that about 35% of global organizations do not make their employees aware of any possible cyber threats.

4. Excessive requests for permissions from the IT security team

Organizations may require their employees to obtain permission from the IT team before completing mundane tasks, such as having Skype calls, visiting an unknown website, or opening Word attachments. As a result, employees often spend a significant amount of their time sending requests for permission to conduct such low-risk transactions. When they receive a malicious attachment and opening that attachment does not require permission, the employees may, tired of constant discussions with the IT security team, not contact the IT team and fall prey to the attackers. To avoid such issues, the members of the IT security team need to be seen as trusted partners and not as regulators whose only task is to grant permissions. This can be achieved by training employees to self-assess security threats and enabling them, at their sole discretion, to ask for and receive advice from the IT security team.

5. Conclusion

This article clearly demonstrated that too strong information security measures could be seen as a weakness rather than an advantage. We presented tips on how to draft effective employee information security policies which are not overprotective. Each of these tips can be vital to the information security of private and governmental organizations.

Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting, a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International Law.