Acquiring sentiment towards information security policies through affective computing

Information security policies (ISPs) are formalised rules and regulations to which users or employees are required to adhere to in order to safeguard information technology assets. It is an important tool to influence information security behaviour and is mandatory in most organisations. Given the importance of these policies, there is still a significant number of studies that report on the noncompliance to ISPs. Many research projects are conducted to explain this phenomenon -however, little or no attention is given to the opinion of users and employees about ISPs and the contents thereof. Surveys to obtain the opinion of employees on organisation and information security policies often resulted in response bias problems where answers are faked in order to provide an expected opinion. The purpose of this paper is to propose the use of affective computing and sentiment analysis to address this problem of response bias and to contribute to the evaluation of the quality of ISPs. An illustrative example is presented where a dataset based on facial expressions, derived from video recordings, was used to perform sentiment analysis to obtain an opinion. A deep learning neural network model was constructed to perform the sentiment analysis. This model was able to accurately classify opinions as positive, neutral or negative based on the original facial expressions. The paper is concluded with brief remarks and comments on the relevance of the study for ISPs and the opportunities created for further education of users and employees.