Extensive research shows that communication is critical to security compliance, and that gaps in communication directly undermine it. While there are calls to make security policies more usable and to integrate human factors, the field still lacks a structured, holistic framework that explains how these factors interact to drive compliance. This paper addresses that gap by reviewing socio-technical theories that highlight the non-technical elements shaping security behaviour and compliance, and by examining current approaches and common pitfalls in security communication and policy design. Based on this review, we propose Empathic Policy Engineering, a conceptual framework that applies core principles from communication to strengthen compliance.
Arunkumar et al. (Thu,) studied this question.