Enterprise AI Analysis
LAURA: A Framework for Assessing the Usability of IT Security Policies Based on Learnability, Actionability, Understandability, Relevance, and Abstraction
Authors: Mario Hoffmann, Francesca Müller, and Arthur Fleig
IT security policies are essential for security and compliance, yet their usability is often neglected, leading to misinterpretation, inefficiency, and ultimately security risks. Despite these challenges and increased cyber attacks, there is no systematic approach to evaluating policy usability. This paper introduces LAURA, a structured framework for assessing IT security policy usability across five key dimensions: Learnability, Actionability, Understandability, Relevance, and Abstraction. Unlike approaches that focus primarily on enforcement and compliance, LAURA integrates both qualitative and quantitative usability metrics, developed through a deductive-inductive methodology. We apply LAURA to eight IT policies from higher education institutions and uncover systematic usability challenges, such as no learnability-supporting elements, reasoning being limited to a macro level, and predominant use of negative reinforcement. This research provides a structured approach to policy evaluation, allowing both researchers and practi-tioners to systematically assess rule usability, ensuring that rules are followed rather than circumvented.
Key Insights & Executive Impact
The LAURA framework, assessing IT security policy usability across Learnability, Actionability, Understandability, Relevance, and Abstraction, revealed critical shortcomings in university IT policies. Most policies score between 2 and 3 out of 5, indicating significant room for improvement. Key issues include a lack of justification for rules, insufficient actionable instructions, and poor learnability support, leading to user non-compliance and security risks. Policies often rely on negative reinforcement and exhibit high textual complexity, making them difficult for non-experts to read. The framework offers a dual-mode approach for both in-depth research and practical assessment, bridging the gap between policy designers and end users.
2-3 / 5
Average Usability Score
>50%
Policies Lacking Learnability Aids
7 / 8
Policies Lacking Step-by-Step Guidance
100%
Policies 'Very Difficult' to Read (FRE Score)
Deep Analysis & Enterprise Applications
Select a topic to dive deeper, then explore the specific findings from the research, rebuilt as interactive, enterprise-focused modules.
Learnability
Actionability
Understandability
Relevance
Abstraction
Learnability
How easily users acquire, internalize, and retain policy content. Findings: Minimal support; most documents lacked learning aids, self-assessment tools, and primarily used negative reinforcement (sanctions) instead of positive reinforcement or benefits. This hinders independent understanding and application.
Key Finding: Only one guideline offered a case-based example.
Key Finding: No self-assessment tools (checklists, quizzes, feedback) were provided.
Key Finding: Reliance on negative reinforcement (consequences for non-compliance) was predominant.
Key Finding: Lack of structured learning aids or mechanisms for feedback/self-evaluation.
Actionability
The extent to which policies provide clear, structured, and immediately implementable guidance. Findings: Significant limitations; step-by-step instructions were rarely provided. Many policies assume users will independently translate high-level instructions into concrete actions, undermining practical usability.
Key Finding: Act1 (Alignment with Workflow) could not be meaningfully applied due to lack of workflow knowledge.
Key Finding: Act2 (Practical Execution) showed that step-by-step guidance was rare.
Key Finding: Act3 (Actionability Across Scenarios) was present in most guidelines, addressing exceptional scenarios.
Key Finding: Policies often define responsibilities but lack explicit implementation steps.
Understandability
How easily users comprehend and interpret policy information. Findings: Basic structural coherence, but visual aids were absent. Flesch Reading Ease scores objectively classified all documents as 'very difficult' to read, indicating high textual complexity for non-experts.
Key Finding: Basic level of structural coherence (headings, formatting) was present.
Key Finding: Visual aids (diagrams, flowcharts, tables) were entirely absent.
Key Finding: All guidelines scored 'very difficult' on the Flesch Reading Ease score (scores below 50).
Key Finding: Subjective assessments of sentence structure varied, suggesting dependency on reader background.
Relevance
How well policy content aligns with user needs, objectives, and situational context. Findings: Mixed results; while most rules could be linked to user tasks, individual rules often lacked specific problem-solving justifications. Macro-level justifications were common, but micro-level reasoning was absent.
Key Finding: Intended users were often broadly defined, hindering tailored advice.
Key Finding: Most rules linked to user tasks (R1.1), indicating real-world grounding.
Key Finding: Only three guidelines consistently linked individual rules to specific problems (R1.2).
Key Finding: Justifications for rules were often at a macro-level, not for individual rules, leading to lack of perceived necessity.
Abstraction
The degree to which content generalizes specific details into broader principles. Findings: Policies focused on concise rules but often underdefined practical implementation. While avoiding excessive generalization, increased abstraction came at the cost of concrete, step-by-step guidance.
Key Finding: None of the guidelines exhibited excessive generalization (Abs1.1).
Key Finding: Rules were tightly focused on core objectives (Abs1.2).
Key Finding: Rules framed to cover unexpected scenarios (Abs2.1) in half the guidelines.
Key Finding: Increased abstraction often lacked concrete, step-by-step guidance, shifting interpretive burden to users.
Enterprise Process Flow
World-Café (3 rounds)
→
Group Discussions
→
Deductive Coding Scheme
→
Coding & Data Analysis
→
Intercoder Reliability Test
→
Optimization LAURA Model
→
Quantitative Questionnaire
2-3
Average Usability Score for IT Policies
All evaluated guidelines scored between 2 and 3 (out of 5), indicating significant room for improvement in usability.
| Qualitative Mode (For Researchers) | Quantitative Mode (For Practitioners) | |
|---|---|---|
| Key Features |
|
|
The Impact of Low Readability Scores
A critical finding was that all analyzed IT security policies from higher education institutions were objectively classified as 'very difficult' to read based on the Flesch Reading Ease (FRE) score (scores below 50). This high textual complexity significantly hinders comprehension for non-expert audiences, potentially leading to misinterpretation, non-compliance, and increased security risks. It highlights a fundamental barrier to effective policy communication, underscoring the need for simpler, clearer language.
Learnings for Your Enterprise
Policies require simpler language and sentence structures to be accessible to all users.
Technical jargon must be avoided or clearly explained for non-expert audiences.
Poor readability directly impacts user understanding and willingness to comply.
Improving readability is a direct path to enhancing security policy usability and effectiveness.
Calculate Your Potential AI Impact
Estimate the efficiency gains and cost savings your enterprise could achieve by optimizing policy usability with AI-driven tools.
Estimated Annual Savings
$0
Employee Hours Reclaimed Annually
0
Your AI Implementation Roadmap
A typical phased approach to integrating AI for enhanced policy usability and compliance in your enterprise.
Phase 1: Assessment & Strategy
Conduct a comprehensive audit of existing IT security policies using the LAURA framework. Identify key usability gaps and define AI integration strategy and goals, focusing on Learnability, Actionability, and Understandability improvements. Establish baseline metrics for compliance and policy comprehension.
Phase 2: AI-Powered Policy Redrafting & Tools
Utilize AI (e.g., LLMs) to redraft policies for clarity, conciseness, and user-centricity, addressing issues like readability and abstraction. Develop or integrate AI-driven tools for interactive learning (e.g., chatbots, quizzes) and self-assessment checklists to boost Learnability and Actionability.
Phase 3: Rollout, Training & Feedback
Implement the revised policies and AI tools. Provide targeted training for employees on new policies and how to use the interactive tools. Collect continuous user feedback to identify areas for further refinement, ensuring policies remain relevant and actionable in real-world workflows.
Phase 4: Continuous Optimization & Compliance Monitoring
Leverage AI for ongoing policy analysis, compliance monitoring, and automatic updates to adapt to evolving threats and regulations. Regularly assess policy effectiveness using LAURA's quantitative metrics, ensuring sustained improvements in usability and security posture.
Ready to Transform Your Policy Usability?
Enhance compliance, reduce risks, and empower your employees with AI-driven, user-centered IT security policies.
Ready to Get Started?
Book Your Free Consultation.
Let's Discuss Your AI Strategy!
Lets Discuss Your Needs
Select a Date
Sun
Mon
Tue
Wed
Thu
Fri
Sat