What Can We Learn from the Analysis of Information Security Policies? The Case of UK’s Schools

Security standards consider that developing a security policy is a cornerstone in information security management. In practice, the development of a security policy is contextually dependent and there is no agreement on what organisations should include in their security policies. This paper argues that analysing information security policy documents could potentially provide new insights into existing issues with security practices. The paper explores and analyses the content and form of 100 UK schools’ information security policies to assess their scope and accessibility. The key findings show that the content varied widely between schools but tended to have a technical focus, many security policies had not been updated to address changes to work practices due to the Covid-19 situation and many policies have poor readability scores preventing readers from engaging with them.