Tips for writing easy-to-understand security policies

In this guest post from Ellen Berry, we find out how to take the best from different styles of writing to generate better compliance with user-friendly policy documentation.

For the amount of writing required of IT professionals in leadership roles, it is surprising how often serious writing skills are relegated to low-bandwidth electives in IT degree programs. At best, an aspiring IT security professional gets some solid technical writing experience in school, and, if they are smart, some business writing training as well.

Without decent exposure to journalistic writing, adult learning styles and, above all, information design, IT leaders may find themselves struggling to convey important information such as security policies and awareness material effectively.

Effective Infosec policy writing

A well-written security policy statement:

  • Communicates high-level ground rules and consequences thoroughly yet succinctly
  • Explains both the problem and the solution
  • Emphasizes the degree of importance and relevance
  • Is accessible to employees at all applicable levels of responsibility and reading skill
  • Engages readers through relatable wording and real-world examples
  • Persuades and motivates readers to take ownership of and apply their new knowledge

Elements of engaging technical content

It's the job of the policy writer to do the work for the reader - keep their attention, deliver the message, and compel them to adapt their behavior. The best way to meet this responsibility is to incorporate five elements of writing:

Information Design - The study of how information is organized and presented so that it can be used effectively and efficiently. Information design draws on visual appearance, content structure, and language that engages the reader and maximizes usability. ID courses are usually found in graphic design degrees, but the skills are essential in any profession responsible for communicating messages such as security policies well.

Technical writing - Originally defined as writing that explains technology concepts and applications to both technical and nontechnical audiences, technical writing has taken on a much broader scope in recent years. It is often referred to as information development, and covers the documentation and communication of complex messages such as organizational structure, policies, processes, procedures, business models, and financial or data reporting for broad audiences.

Business writing - For the most part, no-frills appearance, lingo-laden language, and stiff statements are no longer considered the fundamentals of good business writing.

Today's business writing pivots on communication rather than pomp and circumstance. The new standards are brevity, clarity, approachability, and structure that highlight key points - all essential to writing effective security policies.

Journalistic writing - In order to take often complex stories and turn them into bite-sized bytes, journalists focus on readability. Journalistic writing meets the reader where they reside rather than requiring them to come to the writer's level.

Structured from most important to least important, with all essential facts in the first paragraph and supportive data following, stories are shared using conversational tone, simple language and visual elements such as charts and call-out boxes. Quotes, photos and examples humanize the content, making it more relatable. Consider how these out-of-the-box elements will appeal to and connect with the readers of policies.

Adult Learning - Well-written security policies incorporate basic instructional design approaches such as:

  • Showing the reader the reason why they need to know or learn something
  • Using familiar experiences as examples
  • Explaining how readers can become involved and be part of decision making
  • Showing the immediate relevance to the reader's work duties and success on the job
  • Centering on the problem and solution rather than on simple description
  • Motivating readers from within by bringing meaning to compliance

Tips for eliciting the desired response to written security policies

  • Focus on high level policy. Save descriptions of "how" for guideline and procedure documentation - stick to "this must be done, and this is why." The policy states the requirement and the reason for it; the guidelines and procedures state the mechanism, so that the policy does not have to change every time the mechanism does.
  • Organize the content from most important to least. Avoid burying pertinent information such as benefits of compliance or requirements further down in the policy document. State all of the necessary facts in the first two or three sentences.
  • Structure the document around five essential questions. When writing the first paragraph of a policy statement, always include brief answers to the questions: who, what, where, when, and why? Each following paragraph in the document should directly support these answers, and the document is complete when all answers have been sufficiently supported with specifics and examples. (Note: There may be circumstances in which "where" and "when" are best answered in the accompanying guidelines or procedures documentation.)
  • Include both problem and solution. Make it clear what the audience's role is in the problem, and show through an example how individuals and groups can take small steps to be part of the solution.
  • Keep the wording simple and approachable. It may be tempting to write policies in an officious and authoritative tone in order to convey their importance. Let the problem speak to the importance of the policy, and keep the language more conversational to avoid intimidating readers. Try reading policies out loud to hear how they will sound to those who read them. As an exercise in using more conversational language, try writing a policy statement as a script for a video - once the wording is viewer-friendly, both the written policy and the video can be used to communicate the policy.
  • Sell the reader. Drive home what benefits retaining the knowledge will bring to the reader. These should be summarized near the beginning and supported with examples.

IT professionals in roles that require a lot of writing may wish to consider taking training courses in the kinds of writing described above, whether short online programs or full-fledged degrees. These skills not only enhance employability but also provide a complementary career path for extra stability.

For more guidance on writing effective security policies, check out the SANS Security Policy Project and the InfoSec Reading Room.

Ellen Berry writes about a variety of topics related to education and careers for BrainTrack.