
Deterministic Study For Correlation And Interdependency Between Attributing Features Of People’s Knowledge And Behaviour Impacting Information Security Awareness

Academic year: 2020



Page 1 of 101

Deterministic Study For Correlation And

Interdependency Between Attributing

Features Of People’s Knowledge And

Behaviour Impacting Information Security

Awareness

A RESEARCH THESIS SUBMITTED TO THE FACULTY OF CYBER SECURITY ACADEMY, AFFILIATED TO UNIVERSITY OF LEIDEN, IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CYBERSECURITY, DEN HAAG 2019

Deepankar Bhagat


STATEMENT OF ORIGINAL AUTHORSHIP

I, Deepankar Bhagat, declare and solemnly affirm, to the best of my knowledge, that the current thesis is my own work of research except as indicated in the references and acknowledgements. This thesis is submitted to the Cyber Security Academy, affiliated to the University of Leiden, in partial fulfilment of the requirements for the Degree of Master of Science in Cybersecurity. The work in the thesis has not been presented, either in whole or in part, for a degree at any other university or institution. Further, no rights should be derived from the current thesis, now or in future, without the explicit permission of the author, except for referencing and citation where required.

SIGNATORY: Deepankar Bhagat DATE: 12-December-2019


ACKNOWLEDGEMENTS

I would like to thank Almighty God, my parents, the late Mr. Mangal Bhagat and Mrs. Sneh Prabha Bhagat, Dr. Elif Kiesow Cortez (Designated First Supervisor – Cyberlaw, Haagse High School), Professor Jan van der Lubbe (Designated Second Supervisor – TU Delft), Dr. Els De Busser (Program Director – Cyber Security Program), the support staff at the Cyber Security Academy, fellow classmates and everyone else who has supported me in one way or another in this great and exciting endeavour.


ABSTRACT

The world has evolved tremendously in technological terms within the last two decades. This has made it easy to create, share and use information, especially information about people. With information at the forefront, it must be secured and used safely, so information security is of paramount importance. Information security as a topic has been gaining significant momentum of late and is relevant to everyone: whether someone works for a large corporate organization, is self-employed in the catering business or delivers groceries, understanding information security is a must. The Global Digital Report 2019 states that there are 5.11 billion unique mobile users in the world today, up 100 million (2 percent) in the past year; 4.39 billion internet users in 2019, an increase of 366 million (9 percent) versus January 2018; 3.48 billion social media users in 2019, with the worldwide total growing by 288 million (9 percent) since this time last year; and 3.26 billion people using social media on mobile devices in January 2019, a growth of 297 million new users representing a year-on-year increase of more than 10 percent (Global Digital Report 2019). According to the web portal Statista, approximately 3.6 billion internet users were projected to access cloud computing services in 2018, up from 2.4 billion users in 2013 (Statista 2018). This surge in numbers comes with its own share of inherent information threats and risks. The Data Breach Investigations Report 2018 by Verizon reported over 53,000 confirmed security incidents and 2,216 data breaches (Verizon DBIR 2018). In its Q1 2018 Cybercrime Report, ThreatMetrix reported "a record volume of 1 billion bot attacks, 100 million of which came from mobile device users" (ThreatMetrix 2018). Information security has different perspectives and aspects.

Among the aspects of people, process and technology, information security predominantly focuses on the technology part, inclined towards the confidentiality, integrity and availability of systems (von Solms & von Solms 2004). Information security awareness, on the other hand, relates to people and their behavior. The Information Security Forum Standard of Good Practice defines information security awareness as "the extent to which staff/people understand the importance of information security, the level of security required by the organization and their individual security responsibilities" (ISF 2016). Kruger et al (2006) state that information security awareness is about security-positive behavior which helps people conduct personal or business work securely. The numbers make it evident that the outreach and impact of information security are huge, so the hitherto neglected people aspect cannot be ignored any further. Based on past studies and notions, information security awareness has two important attributing features: knowledge and behaviour. Many researchers have concluded that the people aspect is very difficult to comprehend, since people's behavior cannot be empirically proven right or wrong; most of the time it is conditional and tied to a situation or scenario. The other attributing feature, equally important from the people aspect, is knowledge about information security. Many of the relevant studies conducted to ascertain the effect of people's knowledge and behavior on information security awareness do point to a conclusive correlation, although such studies were based on very constrained data sets, such as people from a particular country or data gathered through a technical test limited to a selected set of respondents. In the complex field of information security, does having good knowledge translate to good behavior, and vice versa?

The current research is of the opinion, based on a random global data population projected by means of inferential statistics, that a correlation between the attributing features of information security awareness may exist.


TABLE OF CONTENTS

STATEMENT OF ORIGINAL AUTHORSHIP ... 2

ACKNOWLEDGEMENTS ... 3

ABSTRACT ... 4

LIST OF FIGURES PER CHAPTER ... 7

LIST OF TABLES PER CHAPTER... 9

CHAPTER 1 – INTRODUCTION ... 10

1.1 Information Security – People, Process And Technology ... 11

1.2 Information Security Awareness – What It Is? ... 13

1.3 Information Security Awareness – Why It Is Important? ... 13

1.4 Information Security Awareness – The Research Problem ... 13

1.5 Information Security Awareness – The Research Objective And Purpose ... 15

1.6 Information Security Awareness – The Research Contribution ... 15

1.7 Information Security Awareness – The Research Design ... 16

1.7.1 Research Approach Corresponding to Design... 19

1.8 Information Security Awareness – The Research Methodology ... 19

1.9 Information Security Awareness – Known Limitations ... 20

2.1 Background - Current Research ... 21

2.2 Literature Review – Design ... 22

2.3 Literature Review – Input Stage ... 22

2.3.1 Keyword Search ... 23

2.3.2 Backward Reference Search ... 24

2.3.3 Forward Reference Search ... 24

2.4 Literature Review – Processing And Output Stage ... 24

2.4.1 Individual Company Focused Awareness Studies ... 25

2.4.2 Specific Geolocation Focused Awareness Studies ... 26

2.4.3 Specific Technique (Phishing) Focused Awareness Studies ... 27

CHAPTER 3 – RESEARCH METHODOLOGY ... 28

3.1 EXPERIMENTAL DESIGN-INFORMATION SECURITY AWARENESS SURVEY ... 29

3.1.1 Clarity - Information Security Awareness Survey ... 29

3.1.2 Preciseness - Information Security Awareness Survey ... 30

3.1.3 Repetitiveness - Information Security Awareness Survey ... 31

3.1.4 Reproducibility - Information Security Awareness Survey ... 31

3.2 EXPERIMENTAL CONFIGURATION-INFORMATION SECURITY AWARENESS SURVEY... 32

3.2.1 Dependent Variable – (Security) Behavior of User ... 32


3.3 DATA ANALYSIS AND RESULT-INFORMATION SECURITY AWARENESS SURVEY .. 34

3.3.1 Data Analysis – Analytical Summarization Of Received Responses ... 35

3.3.2 Data Interpretation – Sample Size, Reliability and Significance Testing (Pearson’s r-Coefficient) ... 47

3.3.3 Data Validation– Accepting Hypothesis with Type I/II Error Analysis ... 52

CHAPTER 4 – RESEARCH FINDINGS ... 56

4.1 GENERAL OBSERVATION – RESPONSE DATA INFORMATION SECURITY AWARENESS SURVEY ... 56

4.2 SAMPLE SIZE AND RATIONALIZATION FOR CURRENT RESEARCH ... 58

4.3 CRONBACH ALPHA COEFFICIENT AND MEANING OF UNIFORMITY TESTING FOR CURRENT RESEARCH ... 59

4.4 SIGNIFICANCE TESTING AND ACCEPTANCE/REJECTION OF HYPOTHESIS FOR MAIN RESEARCH PROBLEM ... 59

CHAPTER 5 – CONCLUSION AND SUMMARY ... 60

5.1 STEPS IN RESEARCH – DESCRIPTION PER CHAPTER ... 61

5.2 OVERVIEW OF SIGNIFICANCE TESTING – ACCEPTANCE OF NULL HYPOTHESIS ... 62

5.3 INDIVIDUAL RESPONSE – ANALYSIS FOR CORROBORATION OF NULL HYPOTHESIS ACCEPTANCE ... 63

CHAPTER 6– RECOMMENDATION AND FURTHER RESEARCH ... 65

6.1 FURTHER RESEARCH AND RELEVANCE OF INFORMATION SECURITY AWARENESS ... 65

CHAPTER 7– EXECUTIVE SUMMARY ... 66

APPENDIX A1 – INFORMATION SECURITY AWARENESS SURVEY – BETA VERSION ... 76

APPENDIX A2 – INFORMATION SECURITY AWARENESS SURVEY – FINAL VERSION ... 82

APPENDIX B – SETTINGS OF RESPONSE COLLECTOR IN SURVEY BUILDER ... 88

APPENDIX C – UNDERLYING DATA USED FOR THE CURRENT RESEARCH ANALYSIS ... 91

APPENDIX D – PARAMETER SETTINGS FOR SAMPLE SIZE CALCULATION IN IBM SPSS P3© ... 97

APPENDIX E – AMENDED DATA FOR FALSIFICATION OF RESEARCH CONCLUSION ... 98

APPENDIX F – PARAMETER SETTINGS FOR CRONBACH COEFFICIENT IN IBM SPSS© ... 100


LIST OF FIGURES PER CHAPTER

Chapter #   Figure # - Description

Chapter 1

Figure 1.1 - People, Process & Technology Tripod - Adopted from Merkow and Breithaupt 2014, p74

Figure 1.2 - Schematic Representation Of Main Problem Statement – Formulated for the Current Research

Figure 1.3- Process flow of Research Design, Approaches & Methodology – Adopted from Creswell 2013, p127

Figure 1.4 - Decision Tree for Experimental Research- Adopted from Edgar and Manz 2017,p226

Figure 1.5 - User Behavior Profiling Framework - Adopted from Li & Wheeler 2014,p7

Figure 1.6 - Framework for modeling security culture - Adopted from Sherif and Furnell 2015,p12

Figure 1.7 - Creswell Framework for Research Design and Methodology Steps - Adopted from Creswell 2013,p129

Chapter 2

Figure 2.1 - Input- Process-Output Approach - Adopted from Ellis and Levy 2006,p37

Figure 2.2 – Toulmins Field of Argument - Adopted From Levy and Ellis,p89

Chapter 3

Figure 3.1 - Number of Initial Responses Received for Beta version of Information Security Awareness Survey - Formulated for Current Research Using Survey Tooling

Figure 3.2 - Process workflow in Survey Builder of SurveyMonkey© - Formulated for Current Research

Figure 3.3 - Responses Collection and Result Analysis in Survey Builder of SurveyMonkey© - Formulated for Current Research

Figure 3.4 - Scoring of Responses in Survey Builder of SurveyMonkey© - Formulated for Current Research

Figure 3.5 - Individual Score and Population Ranking Survey Builder of SurveyMonkey© - Formulated for Current Research

Figure 3.6 - Scoring of Responses in Survey Builder of SurveyMonkey© - Formulated for Current Research

Figure 3.7 - Distribution of Respondent on basis of Job Role plus Expansion of Job Role ‘Other’ – Synthesized from Information Security Awareness Survey for Current Research

Figure 3.8 - Distribution of Respondent on basis of Age - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.9 - Distribution of Respondent on basis of Country of Residence - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.10 - Distribution of Respondent on basis of Gender - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.11 - Distribution of Respondent on basis of Working Experience - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.12 - Distribution of Respondent on basis of Work Sector and expansion of Work Sector ‘Other’ – Synthesized from Information Security Awareness Survey for Current Research


Figure 3.14 - Distribution of Respondent on basis of Academic Qualification - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.15 - Distribution of Respondent on basis of Achieved Security Certification - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.16 - Distribution of Respondent on basis of Received Security Awareness Training - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.17 - Distribution of Respondent on basis of self-rating of Information Security Awareness - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.18 - Comparison of scores – Behavior and Knowledge Components for Respondents - Synthesized from Information Security Awareness Survey for Current Research

Figure 3.19 - Sample Size Calculation for Ordinal and Categorical Information Security Awareness Survey – Generated using IBM SPSS©

Figure 3.20 - Scatterplot Between Dependent and Independent Variable for the Information Security Awareness Survey – Formulated for Current Research

Figure 3.21 - Input Parameters for Statistical Hypothesis (Significance) Testing – Generated from IBM SPSS©

Figure 3.22 - Summary Result of Bivariate Correlation Analysis Calculation - Generated from IBM SPSS©

Figure 3.23 - Input Parameters for Statistical Hypothesis H-a1 (Significance) Testing – Generated from IBM SPSS©

Figure 3.24 - Input Parameters for Statistical Hypothesis H-a2 (Significance) Testing – Generated from IBM SPSS©

Figure 3.25 - Summary Result of Bivariate Correlation Analysis Calculation For Hypothesis a1 Falsification - Generated from IBM SPSS©

Figure 3.26 - Summary Result of Bivariate Correlation Analysis Calculation For Hypothesis a2 Falsification - Generated from IBM SPSS©

Chapter 4

No Figures

Chapter 5

Figure 5.1 - Scoring Profile of Respondent Knowledge plus Behavior Component in Survey Builder – Generated from SurveyMonkey© for Current Research

Chapter 6


LIST OF TABLES PER CHAPTER

Chapter #   Table # - Description

Chapter 1

No Tables

Chapter 2

Table 2.1 - Literature Sources from Known Databases – Self Generated for the Current Research

Table 2.2 - Distribution of data based on Keyword Search – Generated from Elsevier Database For Current Research

Table 2.3 - Example of Backward Reference Research – Adopted from List of Reference of Current Research

Table 2.4 - Example of Forward Reference Research – Adopted from List of Reference of Current Research

Chapter 3

Table 3.1 - Characteristics of Good Hypothesis – Adopted from Edgar & Manz 2017, p234

Table 3.2 - Distribution of questions in Information Security Awareness Survey – Formulated for Current Research

Table 3.3 - Amendments in Beta version of Information Security Awareness Survey Questionnaire – Formulated for Current Research

Table 3.4 - Sample Size Calculation for Information Security Awareness Survey based on Neuman Methodology – Adopted from Neuman 2006,p89

Table 3.5 - Cronbach’s Coefficient for Subset of Question from Information Security Awareness Survey – Generated using IBM SPSS©

Table 3.6 - Definition of Type I and Type II Error in Significance Testing – Adopted from Statistical Studies University of Amsterdam

Chapter 4

No Tables

Chapter 5

Table 5.1 - Description per chapter of the research – Formulated for Current Research

Table 5.2 - Manning and Munro Rule of Thumb for Correlation – Adopted from Mohammad & Hairuddin 2016, p21

Table 5.3 - Summary Result of Significance Testing – Formulated for Current Research

Chapter 6


CHAPTER 1 – INTRODUCTION

As the quotation above aptly puts it, information security, being a complex, prevalent and impactful subject, has blurred the line between what people know (knowledge) and how they act (behavior). During the last two decades or so, society has become increasingly dependent on information systems and associated technologies. This dependence has on the one hand created a lot of comfort and safety for human use, but on the other hand has also led to the genesis of a new class of problem, namely information threat and risk. Information threat and risk forms one core of information security, while the other core is the components of people, process and technology (Nickerson & Muthaiyah 2004). While at the inception the technology component was given greater relevance, not enough attention has been devoted to examining the interaction between people and information systems. An impending need is felt among academics and the research community to study this hitherto under-examined interaction. David T. Bourgeois stated that "... When thinking about information systems, it is easy to get focused on the technology components and forget that we must look beyond these tools to fully understand how they integrate into an organization. A focus on the people involved in information systems is the next step". Studying such an interaction, however, has continuously proven difficult, since unlike information systems and technology, people do not run on algorithms. Any pattern that would decipher the interaction between people and information systems, what they do and why they do it, is obscure.

Staying on track with the stated issue of information systems and security, Chapter 1 is divided into sub-sections which delve into the background of information security in terms of people, process and technology (Section 1.1), what information security awareness is (Section 1.2) and why it is necessary (Section 1.3). The chapter ends by outlining the research problem (Section 1.4), research objectives and purpose (Section 1.5), expected research contributions (Section 1.6), chosen research design (Section 1.7), adopted research methodology (Section 1.8) and finally the known limitations of the research (Section 1.9).

Chapter 2 follows with the literature review, which investigates existing research and academic work on the topic and checks the proposed suggestions and recommendations against the stated research problem. Chapter 3 goes into the details of the research methodology following the brief introduction in Chapter 1; it also presents the analysis of the collected data and its interpretation in terms of hypothesis testing. Chapter 4 summarizes the actual findings of the research in terms of the collected data and the statistical conclusion based on it. Chapter 5 concludes the research in terms of achievements and the actual contributions made to the field of information security awareness; these actual contributions are set against the expected contributions outlined in Chapter 1. Chapter 6 details the recommendations for further research on the subject.


1.1 Information Security – People, Process And Technology

Information security pertains to the secure and effective operation of information systems, using technology bound to a set of processes used by people. It protects the confidentiality, integrity and availability of information assets, whether in storage, processing or transmission, through the application of policy, education, training, awareness and technology (Whitman & Mattord). NIST SP 800-37 defines information security as "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability" (NISTR 2013). These definitions, though, are narrowly focused and inclined towards the process and technological aspects. People are the next most important security component; often, people are the weakest link in any security infrastructure (Andress 2007). The three components are required in balanced proportions for stable information security (see Figure 1.1).

The people component refers to, but is not limited to, the individuals who create, maintain, use and improve the information system. They are involved with the information system in every possible and imaginable way. These individuals, whether they are end users, managers or IT professionals, have their own set of skills, attitudes, preconceptions and personal agendas that determine what they are able to do and what they will elect to do as part of the information system (Piccolo & Pigni, 2018). Depending on the specific role they play, a further (indicative but not exhaustive) categorization is as follows:

• Business Analyst

The business analyst is responsible for gathering, interpreting and formulating the information system requirements into a workable functional design specification. The role encompasses both functional (business requirements) and non-functional (information technology) skills.

• System Developer

The system developer is responsible for converting a functional design specification into a workable technical design specification, which in turn forms the basis for the developer to code, using programming languages, a working information system.

• System Operator

The system operator is responsible for keeping the information system running, by ensuring that disk, memory and critical services perform at an optimal level.

• System Risk Analyst

The system risk analyst is responsible for detailing and managing the information risk of the information system in terms of acceptance, avoidance, transference and mitigation. The role also entails explaining risk to senior managers, system developers and others in a bare-bones structure.

• System User

The system user uses the information system for its intended purposes, making sure that the information system is neither harmed nor used to harm other information systems or system users. System users have varied skill sets and academic and cultural backgrounds.

The process component refers to, but is not limited to, ongoing training, monitoring, prevention and detection, and repair and response to keep the information system up and running in a safe and secure manner. Processes are sets of coordinated steps executed in order to make the information system perform its desired functionality and achieve its goal. One of the important features of a process is its documentation, which details how the process is executed to achieve its end results. When procedures and processes are well documented, they can greatly reduce training costs and shorten the learning curve (Stair & Reynolds, 2018). Process therefore acts as the nervous system coordinating the various components of the information system, making it perform as one integrated unit. A poorly designed and implemented process can render the efforts of the best-trained people and the most effective technology worthless. Awareness of processes is therefore also an important factor, and the current research has duly taken this aspect into consideration while formulating the information security awareness survey.

The technology component refers to, but is not limited to, telecommunication and network equipment operating with software and associated middleware, functioning as a consolidated stack. It is primarily an empirical implementation of scientific knowledge used for practical purposes. Technology is further broken down into the following:

• Hardware

These are the physical components of technology, including servers, cables, memory, racks, disks and telecommunication devices such as routers, switches and hubs.

• Software

These are the intangible components of technology: sets of programmatic instructions intended to convert human-readable instructions into machine-readable commands.

• Data

This is another intangible component of technology. It represents facts and information about everything associated with the information system, including people and process. Data can be aggregated, indexed, randomly organized or in raw unstructured form.

• Firmware

The program and data components of a cryptographic module that are stored in hardware within the cryptographic boundary and cannot be dynamically written or modified during execution. Alternatively, firmware is computer programs and data stored in hardware, typically in read-only memory or programmable read-only memory, such that the programs and data cannot be dynamically written or modified during execution (Kissel 2011).

• Networks


1.2 Information Security Awareness – What It Is?

As information systems become deeply ingrained in people's lives, it is essential to understand the consequences and ramifications of using them, i.e. to be aware of them. Information security awareness can be defined as the level of comprehension that users have about the importance of information security best practices (Abawajy 2012). It pertains to changing behaviour or reinforcing good security practices. NIST Special Publication 800-16 puts it as follows: "Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly." (Wilson & Hash 2003). Uplifting the information security awareness of users (oneself or others) is an important part of information security and its management. Being security aware is about establishing, promoting and maintaining good security habits, which in turn help people navigate the vast and complex technical ocean.

1.3 Information Security Awareness – Why It Is Important?

Information security and awareness of it are relevant to everyone. The number of people using mobiles, tablets, laptops and so on to conduct personal and business tasks is constantly rising, and this has created a new class of information threats and risks. Not everyone has adequate knowledge of these threats and risks. Information security awareness allows people to recognize those threats and risks, and that recognition leads them to respond in a manner which reduces the likelihood or the impact, or both, of a given threat. Awareness creates and improves the opportunities for people to stay alert, think before doing and act wisely (Corda 2016). It is mandatory because people, often considered the weakest link in information security, are the target of attacks. It is also to be noted that technology and process alone are at times not enough to prevent or mitigate a threat from materializing. People therefore need to understand that being aware is primarily beneficial for them within the ecosystem of information systems and security. Being ignorant, i.e. not aware, does not extend any legal recourse if people do get attacked or breached and lose personal data, money and so on. For example, when connecting to Wi-Fi in a public place, always connect to a secure, encrypted hotspot, or simply do not connect.

1.4 Information Security Awareness – The Research Problem


a user? Does a user demonstrating good (security) behaviour in the realm of information systems always have a knowledge background in terms of, say, academic qualification? Ample evidence from past research exists which claims both to contradict and to support the above questions. Stanton et al (2005) noted that imparting knowledge through training on better password management actually exposed users to the bad behaviour of writing passwords down on paper. They observed that "training, awareness, knowledge of monitoring, and rewards exhibited positive associations with changing passwords more frequently and choosing better passwords. Unfortunately, improvements in these areas also seemed to associate with a greater likelihood of writing down one's password". This example therefore inclines towards the understanding that good knowledge does not lend itself to good (security) behaviour, and is thus demonstrative of the view that no correlation or interdependency exists between the two attributing features of information security awareness. Alternatively, Brucks (1985), while studying the effect of product knowledge on information search behaviour, observed that "experience-based measures of knowledge are less directly linked to behavior than are the other types of knowledge measures". In other words, users tend to be dominated by subjective behavior (i.e. learned from experience) rather than objective knowledge (i.e. learned from memory). On the basis of these examples, the current research is of the opinion that the correlation and interdependency between the attributing features of knowledge and behavior concerning information security awareness is ambiguous. It therefore endeavors to investigate whether or not a correlation and interdependency exists between knowledge and behavior in the context of information security awareness. To that end, the main research problem for which the current research seeks an answer is:

In the context of impact on information security awareness, do the attributing features of people's knowledge and behaviour have a correlation and interdependency between them?

Schematically, Figure 1.2 depicts the main problem statement for the current research, i.e. the existence of a correlation and interdependency between the knowledge and behavior of people that impacts information security awareness. Pertinently, a parallel can be drawn from the field of chemistry, where a molecule of water cannot be understood without discussing its constituents, namely atoms of hydrogen and oxygen, and their underlying interaction.


To arrive at a valid and reliable answer to the main research problem, the following sub-questions are also detailed:

1. What is Information Security in terms of people, process and technology? (Section 1.1 - Information Security – People, Process And Technology)

2. What is Information Security Awareness? (Section 1.2 - Information Security Awareness – What It Is )

3. Why is Information Security Awareness important? (Section 1.3 - Information Security Awareness – Why It Is Important)

1.5 Information Security Awareness – The Research Objective And Purpose

Any research conducted without an inherent objective and purpose is a lost cause. The current research is therefore conducted, against the backdrop of other related and relevant work, to determine the correlation and interdependency between the attributing features of knowledge and behaviour in terms of the following hypotheses:

Null Hypothesis (H0): A good knowledge of information security may guarantee good (security) behavior, thereby indicating a positive correlation and interdependency between them and impacting the level of people's information security awareness.

Alternative Hypothesis (H1): A good knowledge of information security may not guarantee good (security) behavior, thereby indicating no or a negative correlation and interdependency between them and possibly not impacting the level of people's information security awareness.

Note that this labelling reverses the usual statistical convention, in which the null hypothesis is the hypothesis of no correlation (rho = 0) and a significance test can only reject it or fail to reject it, so the later chapters' "acceptance of the null hypothesis" should be read with that in mind.
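As an added illustration (not part of the thesis, and not the IBM SPSS procedure used in its later chapters), the following Python code shows how the stated hypotheses translate into a test on paired scores: it computes Pearson's r between a knowledge score and a behaviour score per respondent, the t statistic that SPSS reports for the same bivariate test, and a distribution-free p-value from a permutation test. The ten respondents' scores, the 0-10 scale and all function names are constructed for the example and are not the thesis's survey data.

```python
"""Added example (not part of the thesis): Pearson's r between knowledge and
behaviour scores, with a permutation test for significance.

The ten respondents' scores below are constructed for illustration; they are
not the thesis's survey data."""
import math
import random

# Constructed scores on a 0-10 scale, one pair per respondent (hypothetical data).
KNOWLEDGE = [3, 5, 4, 8, 9, 6, 7, 2, 10, 5]
BEHAVIOUR = [4, 6, 3, 7, 9, 5, 8, 3, 8, 6]


def pearson_r(x, y):
    """Sample Pearson correlation coefficient r = cov(x, y) / (sd(x) * sd(y))."""
    if len(x) != len(y) or len(x) < 3:
        raise ValueError("need at least three paired observations")
    mx = sum(x) / len(x)
    my = sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant variable has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def t_statistic(r, n):
    """t = r * sqrt((n - 2) / (1 - r^2)); under rho = 0 it follows t(n - 2).
    This is the statistic a bivariate Pearson test in SPSS is based on."""
    return r * math.sqrt((n - 2) / (1 - r * r))


def permutation_p_value(x, y, n_perm=5000, seed=42):
    """Two-sided p-value for rho = 0, obtained by shuffling y relative to x.
    Distribution-free, so it needs no normality assumption on the scores."""
    rng = random.Random(seed)
    r_obs = abs(pearson_r(x, y))
    shuffled = list(y)
    hits = 0
    for _ in range(n_perm):
        rng.shuffle(shuffled)
        if abs(pearson_r(x, shuffled)) >= r_obs:
            hits += 1
    # The +1 correction keeps the estimate conservative and never reports p = 0.
    return (hits + 1) / (n_perm + 1)


def correlation_test(x, y, alpha=0.05):
    """Return n, r, t and the permutation p-value, plus whether a positive
    correlation is significant at level alpha."""
    r = pearson_r(x, y)
    p = permutation_p_value(x, y)
    return {
        "n": len(x),
        "r": r,
        "t": t_statistic(r, len(x)),
        "p": p,
        "significant_positive": r > 0 and p < alpha,
    }


if __name__ == "__main__":
    result = correlation_test(KNOWLEDGE, BEHAVIOUR)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A significant positive r supports the positive-correlation hypothesis (H0 in the thesis's labelling); a non-significant or negative r supports H1. The r of about 0.9 produced by these ten constructed respondents is illustrative only; sample size and reliability (Cronbach's alpha) have to be established before the significance test means anything, as Section 3.3.2 of the thesis sets out.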

1.6 Information Security Awareness – The Research Contribution

Information security and its awareness is a need rather than a norm. The pace with which information systems are becoming a way of life is breathtaking, and outrageous at times. Kuznekoff et al (2013) noted that roughly 75% of online adults (18-24 years old) have profiles on a social networking site, and 89% of online adults use those sites to keep in touch with friends. Given this pervasive use, it is pertinent that people make a clear distinction between what they know of information systems, e.g. mobile phones, and how they use or should use them, e.g. uploading every piece of daily life, such as birthday celebrations, graduation ceremonies or acquiring a driving licence, to a social networking site.

In that dimension, the current research paper contribution is to inform users of Information system and technology that

• Information security and its awareness is applicable to all irrespective of age, education background, job profile, place of residence etc.

• Emphasize the fact that knowledge and behavior are important attributing factors to have impact on one’s Information Security Awareness

• Information Security Awareness is an intangible parameter measured in terms of its attributing factors, knowledge and behaviour, which are the focal point of the current research

• A good knowledge of Information security may/may not guarantee a good (security) behavior thereby impacting the level of one’s Information Security Awareness


1.7 Information Security Awareness – The Research Design

Research design ensures that the evidence obtained allows the researcher to answer the initial research problem as clearly and precisely as possible. Research design ‘deals with a logical problem and not a logistical problem’ (Yin 2011). Research design, therefore, deals with what needs to be done to accomplish the solution for the main/sub research problems. Research methodology, on the other hand, deals with how the experiment is conducted in order to arrive at the solution for the main/sub research problems. Depicted in Figure 1.3, A Framework for Research – The Interconnection of Worldviews, Design and Research Methods, is used to conceptualize the current research (Creswell 2013). Each step of the design and methodology has been mapped to the relevant sections of the current research in order to maintain the sequential flow.

Following the framework, the research design and methodology chosen for the current research is Quantitative Experimental, i.e. Experimental design. According to Edgar et al 2017, experimental design covers experiment science. It is a design where the researcher takes concepts and beliefs gained from observation and theorizing and creates targeted, controlled experiments to generate evidence in support of, or in contradiction to, their premise. Supporting the definition of experimental design, it is also observed that “An experimental design is a plan for assigning experimental units to treatment levels and the statistical analysis associated with the plan. Furthermore, the primary goal of an experimental design is to establish a causal connection between the independent and dependent variables. A secondary goal is to extract the maximum amount of information with the minimum expenditure of resources” (Fisher 2015). There are many different variants of experimental design, and Figure 1.4 presents the logic path of Edgar and Manz used to select the specific type of experimental design for the current research. Considering that extraction of maximum information with minimum expenditure on resources is one of the prime goals of experimental design, the current research has chosen the quasi-experimental design. This is in line with the limited time available for finishing the research, besides the limited financial capability of the researcher.


It is however imperative to note that Creswell and Edgar & Manz are not the only researchers who have proposed experimentation methodologies pertaining to human behavior. The current research, therefore, intends to investigate other proposals before zeroing in on a methodology. Li & Wheeler et al 2014 have proposed a methodology to evaluate the behavior profile of users on mobile devices. According to them, “With more than 6.3 billion subscribers around the world, mobile devices play a significant role in people’s daily life. People rely upon them to carry out a wide variety of tasks, such as accessing emails, shopping online, micro-payments and e-banking. It is therefore essential to protect the sensitive information that is stored on the device against misuse”. The methodology consists of utilizing application or service usage to verify the individual’s behavior in a continuous manner. The data collected from 76 users (of their applications’ activities) over a period of four weeks were subjected to a series of simulations. The framework used to validate the behavior profiling methodology is depicted in Figure 1.5.

Figure 1.4 : Decision Tree for Experimental Research- Adopted from Edgar and Manz 2017,p226

Figure 1.3 (Adopted from Edgar and Manz 2017)


Although a good framework, the current research is of the view that the behaviour of users on mobile devices does not cover the full spectrum of information systems in use now. Besides, not every user is adept at using all the applications on mobile devices, and hence behaviour profiling using the stated methodology might be a complex endeavour fraught with erroneous assumptions.

Sherif & Furnell et al 2015 formulated a methodology to decipher human behaviour in terms of culture, namely security, national and organizational culture. As per them, “A significant volume of security breaches occur as a result of the human aspects and it is consequently important for these to be given attention alongside technical aspects. Many breaches occur due to human error. Researchers have argued that security culture stimulates appropriate employees’ security behaviour towards adherence and therefore developing a culture of security can contribute in minimizing or avoiding security breaches”. The design model conceptualized a framework covering the relation between organizational, national and security culture. They adopted the instruments of surveys and questionnaires conducted by large security companies like Symantec and other governmental agencies. The model depicting the relation between the types of culture (excluding security compliance) is shown in Figure 1.6.

The framework opined that security culture should be viewed as part of organizational culture and hence knowledge of information security is only needed for employees to do their normal job function. The onus of security therefore lies with the organization, and employees must follow what has been told to them. It is also their view that “organizational cultures do emulate national culture characteristics along three finely defined dimensions: knowledge sharing, traditions, and behaviour”. On the basis of the above conclusions, the current research does not consider the methodology fit for purpose, since it is more oriented towards people like employees working in a controlled and supervised environment. The world of information security and its ramifications goes beyond an organization and a country. The current research therefore follows the design and methodology from Creswell and Edgar/Manz respectively, considering them suitable for the research purpose and problem statement.

Philosophical Worldviews Corresponding to Design

Following Creswell’s framework, the current research will pursue the philosophical worldview of postpositivism. The chosen view has the following features: Determination, Reductionism, Empirical observation and measurement, and Theory verification. Among the defined features of postpositivism, empirical observation and measurement (related to the current research in terms of measuring correlation and interdependency between the attributing features of knowledge and behaviour, which is the main problem statement; Section 1.4 Information Security Awareness – The Research Problem) and theory verification (related to the current research in terms of verifying the validity and veracity of the null or alternate hypothesis, performed by means of falsification; Section 3.3.3 Data Validation – Accepting Hypothesis with Type I/II Error Analysis) are more relevant. The feature of determination pertains to the “motivations for and commitment to research are central and crucial to the enterprise” (Ryan 2016). For the current research, it is imperative to know that thorough background vetting of the topics was done before Information security awareness was picked up. Hence the commitment and motivation are intrinsic to the endeavour. The feature of reductionism relates to research being broad and not specialized. For the current research, although the topic of Information security awareness looks specialized, it is intangible as stated before, and the study of its attributing factors is quite broad.

1.7.1 Research Approach Corresponding to Design

The quantitative approach is for testing objective theories by examining the relationship among variables. These variables can typically be measured on numeric scales, so that the numbered data can be analysed using statistical procedures. For the current research, as stated before, based on this definition the quantitative approach pertaining to experimental design has been chosen. Deducing the correlation and interdependency between the attributing features of knowledge and behaviour using inferential statistics fits precisely with the chosen approach. Inferential statistics “is being used to make inferences from our data to more general conditions, while descriptive statistics is used simply to describe what is there in our data” (Gupta 2015).

1.8 Information Security Awareness – The Research Methodology

Research methodology differs from research design in that the former focuses on the ‘How’ and the latter on the ‘What’ aspect of research. Following the decision tree depicted in Figure 1.3, the research follows the “Quasi-Experimental” methodology. Like the hypothetico-deductive methodology, it also centres on hypotheses or predictions of behaviour and follows the same research format. The bulk of the work is the design of experiments or quasi-experiments and the rigorous collection of evidence (in terms of data gathering) purportedly supporting or contradicting the research hypotheses, either Null or Alternative. The core steps in the methodology of Edgar and Manz and their associated/related steps from Creswell’s framework are thematically depicted in Figure 1.7.

Figure 1.7 : Creswell Framework for Research Design and Methodology Steps - Adopted from Creswell 2013, p129

The figure maps the Edgar and Manz methodology steps to the corresponding Creswell framework step and the section of the current research:

• Experimental Design – the process the research will take to execute the experiment (Creswell framework step: Questionnaire; Section 3.1)

• Experimental Configuration – define the system or population under test and the environment set up to execute the experiment (Creswell framework step: Data collection; Section 3.2)

• Data Analysis/Results – performing data analysis and interpretation for the result


1.9 Information Security Awareness – Known Limitations

The current research has adopted a two-step approach towards distributing the survey for gathering responses. During the first step, the beta version of the survey questionnaire was sent to a limited set of respondents. The idea behind the beta version was to check the acceptability of the survey questions in terms of being clear, concise and unambiguous. It was also important that the survey could be done in a feasible timeframe (between 5-7 minutes) so as not to burden the respondents into giving pattern responses out of haste. It was also desired to check that questions are not leading in the sense of obvious choices, that no negative connotations are attached that deter respondents from choosing certain options, etc. Issues like these in a survey are known to exhibit biases. More details regarding the beta version of the survey questionnaire and the subsequent responses can be gathered from Appendix A1 and Section 3.1 (EXPERIMENTAL DESIGN-INFORMATION SECURITY AWARENESS SURVEY) respectively. After analysing the responses and making the appropriate corrections, as a second step the final survey questionnaire was sent out to all the respondents. More details regarding the final version of the survey questionnaire can be gathered from Appendix B. Refer to Appendix G for the sample request email/correspondence sent to participants for responding to the Information Security Awareness Survey.

Despite the two-step approach, due to a number of extenuating circumstances and boundaries, and like any other research endeavour, the current research also has a set of limitations which are worthwhile to mention and are noted herewith.

• The researcher has no control over the respondents’ sincerity while taking the survey

• The sample size used to infer the significance/hypothesis testing conclusion should be used with caution for generalisation. It therefore entails further studies on the relevant subject (Section 6.1 FURTHER RESEARCH AND RELEVANCE OF INFORMATION SECURITY AWARENESS)

• Individual responses concerning the attributing features of Information Security Awareness, i.e. knowledge and behaviour, are momentary (point-in-time) indicators. Responses for both attributing features may change over a period due to many factors beyond the realm of the current research. The current research, therefore, has not taken the probable shift in participants’ responses into account while accepting/rejecting the relevant research hypothesis

• Despite sending reminder emails, the response rate was lower than initially anticipated, and therefore future research may consider offering material benefits like coffee coupons, academic help etc. to the respondents for their due participation

• Response bias might have crept in for the question on self-assessment of information security approach, as people tend to portray the best image of themselves (Groves et al, 2009)

• A negative Cronbach Alpha coefficient reflects non-uniformity of the survey design, but considering that the number of Likert-scale questions is small in proportion, the negative coefficient may not be an absolute reflection of non-uniformity for the Information Security Awareness Survey


CHAPTER 2– LITERATURE REVIEW

A methodological review of past literature is a crucial endeavor and task for any academic research (Webster and Watson 2002). Cronin & Ryan 2019 describe a literature review as “an objective, thorough summary and critical analysis of the relevant available research and non-research literature on the topic being studied. Its goal is to bring the reader up to date with current literature on a topic and form the basis for another goal, such as the justification for future research in the area. A good literature review gathers information about a subject from many sources. It is well written and contains few if any personal biases. It should contain a clear search and selection strategy”. The literature review is therefore a very important stage of the research. It acts as a foundation for any given research that bases its objectives and goals on the accumulated information of previous relevant literature. As quoted above, lending support to one’s research objective by utilizing the work of others has been considered a good approach from time immemorial. Levy et al 2006 stated that a good literature review accomplishes the following

• Helping the researcher understand the existing body of knowledge

• Providing a solid theoretical foundation for the proposed study

• Substantiating the presence of the research problem

• Justifying the proposed study as one that contributes something new to the Book of Knowledge

• Framing the valid research methodologies, approach, goals, and research questions for the proposed study

2.1 Background - Current Research

The rapid advancement and development of Information systems has touched and impacted most people. The current research, in turn, urges that people should have more understanding of the threats and risks associated with Information Systems, i.e. Information Security. A proper understanding of Information Security at times aids people in determining the appropriate conduct while interacting with Information Systems and Technology. The appropriate conduct is the reflection of people’s behaviour, which is an important attributing feature of Information Security Awareness and has been amply outlined in Section 1.2 - Information Security Awareness – What It Is? Information Security Awareness concerns the behaviour of people in the domain of Information Systems and Technology. It is paramount that people understand the value of it, which is otherwise intangible and difficult to measure. Section 1.3 - Information Security Awareness – Why It Is Important? details the importance of Information Security Awareness for people. Following the detailing of its importance, the later sections make it amply evident that the attributing features of knowledge and behaviour of people together have an impact on the level of Information Security Awareness. The ambiguity is whether the attributing features of knowledge and behaviour of Information Security Awareness are correlated and interdependent. Section 1.5 - Information Security Awareness – The Research Objective And Purpose - sets the objective and purpose for the current research in terms of translating the main research problem into Null and Alternative hypotheses. The purpose of the hypotheses is to decipher the understanding regarding the correlation and interdependency between the attributing features of knowledge and behaviour of people for Information Security Awareness.


Considering the objective the current research is trying to accomplish for the main research problem, it is imperative to delve deeper into the relevant work and studies already performed by other researchers. Section 2.2 details the literature review design for the current research to follow. A good literature review design is pertinent, among other things, for setting up a solid and firm foundation for the proposed research in terms of solving the main/sub research problems. Following the literature review design, Section 2.3, Section 2.4 and Section 2.5 investigate the input, processing and output phases respectively of the literature review design. The input phase concerns the quality and process of gathering the relevant literature. The processing phase deals with the sequential steps of making meaning of the gathered literature. The information gained from this phase is passed on to the output phase, which details the contribution the current research will make towards the work in existing literature.

2.2 Literature Review – Design

Due to the vastness and complexity inherent to the topics of Information Systems, Security and Awareness, there is a lack of a standard design and methodology for literature review. It was noted that the field may greatly benefit from effective methodological literature reviews that are “… strengthening Information system as a field of study” (Webster and Watson, 2002). To avoid wandering aimlessly through the plethora of material available on the relevant topic, the current research has chosen the systematic “input-processing-output” approach to literature review (Ellis and Levy, 2006). The pictorial representation of the approach is depicted in Figure 2.1.

2.3 Literature Review – Input Stage

The input stage of the literature review is concerned with two aspects: firstly, the quality of the literature, and secondly, the process of gathering the literature. Turning to the first aspect of the input stage, literature associated with leading peer-reviewed journals serves as a good indicator of quality. Levy et al suggested that such literature forms a profound theoretical basis as well as a guide to other relevant literature. Books from authors who did commendable work in the relevant field also indicate quality. Literature presented at authentic and well-known conferences indicates quality since the contents are vetted and ratified on a sound evidential basis. For the current research, the literature sources (including vendor database name) and types of literature retrieved as depicted in Table 2.1 are used. Information Systems and Technology have greatly aided the input phase by providing access to online catalogues, journals, books etc. at one’s fingertips from anywhere.

NB: The examples depicted in Table 2.1 are indicative not exhaustive. The purpose is to present the reference of literature sources and not the full contents in those sources.

Figure 2.1 : Input- Process-Output Approach - Adopted from Ellis and Levy 2006,p37


Literature Source (Vendor Database) | Type Of Literature Retrieved | Example | Authors

ScienceDirect (Elsevier) | Journals | A prototype for assessing information security awareness | H.A Kruger, W.D Kearney

Universiteit Leiden (Online Catalogue) | Journals, Books, Scientific articles | Information Security: Principles and Practice | Mark S Merkow, Jim Breithaupt

getAbstract (Online Portal) | Books, Scientific papers, TED videos | What’s Wrong with Your Password? | Lorrie Faith Cranor

Booksc.Org (Online Portal) | Books, Scientific papers, Journals | From Attitudes to Behavior: Basic and Applied Research on the Theory of Planned Behavior | Christopher J Armitage

Table 2.1: Literature Sources from Known Databases – Self Generated for the Current Research

Turning the attention towards the second aspect of the Input phase, the process of gathering relevant literature for the current research is achieved through Keyword Search, Backward Reference Search and Forward Reference Search. All the relevant search methodologies are detailed below.

2.3.1 Keyword Search

It is the process of searching for a word or phrase, i.e. a keyword, via online databases in journals, books, scientific papers etc. appropriate for the current research. For example, terms like Information Security Awareness, Knowledge and Behavior etc. are specifically used as criteria for the search. Using this approach, Table 2.2 depicts the number of books, journals and scientific papers that appeared on the search list per keyword in the Elsevier database.

NB: Data from 2015 is considered for the current research, though literature and citations appearing in the list are backward referenced (Section 2.3.2 - Backward Reference Search). For other topics like research methodology, literature review etc., studies and research conducted before 2015 and their subsequent conclusions are considered for referencing.

NB: Not all the literature counted under the column “Number of Hits” in Table 2.2 has been reviewed. The numbers are only indicative of the popularity of information security awareness as a topic.

Keyword | Numbers Of Hits | Distribution % Per Year

Information Security Awareness | 4710 |

Information Security – Knowledge and Behavior | 4495 |

2.3.2 Backward Reference Search

It is the process of looking further into the references of the literature yielded by keyword search (Section 2.3.1 - Keyword Search). Table 2.3 depicts an example of literature used in the current research, obtained through the stated approach.

NB: The reference mentioned in Table 2.3 is an example and not the exhaustive list.

Keyword | Yielded Literature | Backward Referenced Literature

Information Security Awareness | Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q) (Pattison et al) | A prototype for assessing information security awareness (Kruger et al)

Table 2.3 : Example of Backward Reference Search – Adopted from List of References of Current Research

2.3.3 Forward Reference Search

It is the process of reviewing literature that has cited one of the yielded literatures, either from keyword search (Section 2.3.1) or backward reference search (Section 2.3.2). Table 2.4 depicts an example of literature which has cited one of the literatures obtained from keyword search.

NB: The reference mentioned in Table 2.4 is an example and not the exhaustive list.

Keyword | Cited Literature | Forward Reference (Cited By)

Information Security Awareness | The 10 deadly sins of information security management (van Solms et al) | A prototype for assessing information security awareness (Kruger et al)

Table 2.4 : Example of Forward Reference Search – Adopted from List of References of Current Research

2.4 Literature Review – Processing And Output Stage

The processing stage is concerned with processing the identified literature into the relevant analysis, on which the foundation for the current research is constructed. The output stage entails presenting the gathered information with empirical backing based on argumentation theory. The structure of the theory-based “Fields of Argument” is depicted in Figure 2.2 (Levy & Ellis, 2006).


Although the model proposed by Levy and Ellis treats the processing and output stages separately, the current research has coupled the two stages for the purpose of maintaining a single, coherent and consolidated approach (of citing a literature and using it structurally for the problem statement). Past studies conducted on Information Security Awareness and its attributing features of knowledge and behaviour have been scoped and limited in their methodology, approach and conclusion. The current research has categorized all the relevant and considered examples of conducted studies in order to apply proper argumentation as promulgated by Toulmin’s argumentation theory.

NB: The categorization is indicative and not exhaustive since many studies overlap the defined categories. That is evident from the cross-referencing and citation of literature in the respective research.

2.4.1 Individual Company Focused Awareness Studies

Kruger, Kearney et al performed a very detailed study focusing on an international gold mining company in Africa. The company had 25 operations in 11 countries and gold production of over 6 million ounces annually. The company came into existence after the merger of two other gold mining companies. The total employee headcount of the company post-merger stood at around 62,500. In terms of capacity, the company stood at the top of global extraction and exploration in mining activities. Information risk management in a company of such size and scale involves significant expenditure and effort. It was understood by the management that the company was facing a plethora of internal and external information threats. To mitigate such threats, merely throwing a sophisticated technological or process-oriented solution at them is not enough. The people component must be equally investigated, and hence a program was created to spread awareness of the information risks and then to ensure that it is managed. A comprehensive toolkit was purchased from a vendor and detailed development of the program started in mid-2003. The program was focused on six critical risk areas or ‘Golden Rules’, detailed below

• Always adhere to company policies

• Keep passwords and personal identification numbers (PINs) secret

• Use e-mail and the Internet with care

• Be careful when using mobile equipment

• Report incidents like viruses, thefts and losses

• Be aware, all actions carry consequences

The program was developed as follows

• Basic presentation to all computer users, including a video, not longer than an hour

• Brochures to all participants

• Different posters put up in all regional offices and Business Units

• Website with all details, including ‘‘Ask a question’’ option available on the global Intranet

• Articles in the company’s in-house magazine


• Evidence shows that training is associated with imparting knowledge. Information Security Awareness, as stated, has the attributing feature of behavior besides knowledge. Measuring the attributing feature of behavior based on training may not yield the actual behavioral traits of the employees and is known to suffer from “under observation” bias: the respondent may simply demonstrate good knowledge by virtue of being observed (Hubbard 2014)

• Questionnaire-based surveys and awareness campaigns have the limitation that it is not certain whether the participant’s response is indicative of actual (security) behavior or merely of imparted knowledge. Answering questions correctly does not mean that the individual is motivated to behave according to the knowledge gained during an awareness program (Bada et al 2016)

• Critical information risk areas are a sample representation of the whole gamut of Information risk categories, and hence conclusions drawn based on the selected areas might not indicate the depth of awareness for all the other areas which were excluded from the experiment.

2.4.2 Specific Geolocation Focused Awareness Studies

The inclination towards elaborating the connection between people and information security aspects is immense. In that direction, a notable study scoping people of Malaysia was conducted, in which the Five Factor Model and measures of behaviors towards information security risks were used concurrently to predict individuals’ relationships to information security risks (Ong, 2017). The research drew data from 503 usable questionnaires totaling about 1203 questions. The respondents were from 11 tertiary institutions in Malaysia. Among the noted findings of the research, a couple stood out in terms of stating the relation between the attributing features of knowledge and behavior for Information Security Awareness

• Individuals’ behavioral intentions towards email management and malicious software protection are significant predictors of individuals’ self-awareness of information security risk

• Individuals’ personality traits, behavioral intentions and self-awareness of information security risks are highly correlated.

The findings of the research support the notion of an information security learning continuum (i.e. awareness, training and education). Albeit the research is extensive, there are a few limitations which, according to the current research, are worth mentioning.

• Surveys targeting a specific geolocation and people from a similar cultural background tend to be influenced by the local culture of that location. Findings based on such surveys should be cautiously generalized to other locations or deemed generic, i.e. applicable to all

• Survey research is prone to response bias and hence any generalization is harder to make. This is true even for such an extensive survey, which the researcher conducted over a course of two years


2.4.3 Specific Technique (Phishing) Focused Awareness Studies


CHAPTER 3 – RESEARCH METHODOLOGY

As detailed in Section 1.8 - Information Security Awareness – The Research Methodology, the current research follows the quasi-experimental methodology to achieve its end goal, i.e. the solution for the main/sub research problem statements. Edgar & Manz et al noted that “experimentation is one of the strongest methods to understand the behaviour and response of a system under different conditions”. Like the hypothetico-deductive method, the quasi-experimental methodology also entails a research question propagated via a hypothesis, with evidence in support of/against the hypothesis gathered through a set of experiments or tests. As indicated in Section 1.5 - Information Security Awareness – The Research Objective And Purpose, the Null (H0) and Alternative (H1) hypotheses are proposed. A good hypothesis has the characteristics depicted in Table 3.1, against which the hypotheses proposed by the current research are weighed.

Hypothesis Characteristic | Hypothesis (Null – H0 and Alternative – H1)

Observable and testable | The attributing features of Information Security Awareness, i.e. knowledge and corresponding behaviour, have been measured through a well-crafted Information Security Awareness Survey questionnaire (Appendix A1 and A2). The survey is divided into four categories, namely Demographic, Knowledge Component, Behaviour Component and Self-Rating of Security Awareness. Each of the knowledge and behaviour component questions is scored for correct response. The individual scores generated on those sets are analysed using inferential statistics to observe the (no) correlation and interdependency between them

Clearly defined | Past studies conducted on the subject have made inferences that knowledge and behaviour are attributing features of Information Security Awareness. The current research proposes to check whether any correlation and interdependency exist between the attributing features. The proposal is based on the hypotheses defined in Section 1.5 - Information Security Awareness – The Research Objective And Purpose

Single Concept | The existence of correlation and interdependency between the attributing features of knowledge and corresponding behaviour as an indicator of Information Security Awareness is being tested by the current research. The variables knowledge (independent) and behaviour (dependent) are used to decipher the same

Predictive | The existence of correlation and interdependency between the attributing features of knowledge and corresponding behaviour as an indicator of Information Security Awareness is being tested by the current research. It is testing whether the assumption that good knowledge leads to good (security) behaviour in Information Security holds

Table 3.1: Characteristics of a Good Hypothesis – Adopted from Edgar & Manz 2017, p234


With the proposed hypotheses, Null (H0) and Alternative (H1), in hand, the experiment to gather data and the further analysis are set up based on the framework described in Figure 1.7 - Creswell Framework for Research Design and Methodology Steps.

3.1 EXPERIMENTAL DESIGN-INFORMATION SECURITY AWARENESS SURVEY

Based on the Creswell Framework (Figure 1.7), data gathering for the proposed hypotheses has been carried out by means of the Information Security Awareness Survey Questionnaire. The survey is distributed to the participants via e-mail and they have been duly requested to respond. In addition, participants have also been requested to forward the survey within their own personal and professional networks (Information Security is applicable to everyone). Refer to Appendix G - Sample Mail Request to the Participant Of Information Security Awareness Survey 2019 - for details of the e-mail sent to participants. Edgar and Manz prescribe various features for research experimentation. These features, in the form of steps, are detailed in the following Sections 3.1.1 to 3.1.4.

3.1.1 Clarity - Information Security Awareness Survey

The Information Security Awareness Survey is set up in two versions, namely the beta and the final version. Both versions of the survey have 27 questions. The questions are demarcated into the categories depicted in Table 3.2.

Category, number of questions and position in survey:

Demographic (e.g. age, sex, qualification): 10 questions, Question 1 to Question 10
Knowledge component: 8 questions, Question 11 to Question 18
Behaviour component: 8 questions, Question 19 to Question 26
Self-Rating of Security Awareness: 1 question, Question 27

Table 3.2 : Distribution of questions in Information Security Awareness Survey – Formulated for Current Research
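The scoring and inferential step described in Table 3.1 and Table 3.2 (one point per correct response on the knowledge questions Q11 to Q18 and the behaviour questions Q19 to Q26, then a test of H0, i.e. no correlation between the two scores) can be carried out as below. This is an added illustration, not the thesis's own analysis; the answer key, the 13 respondents and the choice of Pearson's r with a permutation test for the p-value are assumptions made here.

```python
"""Added example: score the knowledge and behaviour components of the
survey (Table 3.2) and test H0 (no correlation) against H1. Answer key,
responses and the Pearson/permutation method are constructed assumptions."""
import random

KNOWLEDGE_QS = [f"Q{i}" for i in range(11, 19)]   # Table 3.2: Q11-Q18
BEHAVIOUR_QS = [f"Q{i}" for i in range(19, 27)]   # Table 3.2: Q19-Q26
# Constructed answer key: option counted as the correct (secure) response.
ANSWER_KEY = {q: "a" for q in KNOWLEDGE_QS + BEHAVIOUR_QS}

def component_score(response, questions):
    """One point per question answered with the keyed option (Table 3.1)."""
    return sum(1 for q in questions if response.get(q) == ANSWER_KEY[q])

def pearson_r(xs, ys):
    """Pearson correlation of knowledge (independent) vs behaviour (dependent)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5

def permutation_p_value(xs, ys, rounds=2000, seed=1):
    """Two-sided p-value for H0 (r = 0): shuffle behaviour scores against the
    knowledge scores and count how often |r| reaches the observed |r|."""
    rng, ys = random.Random(seed), list(ys)
    observed, hits = abs(pearson_r(xs, ys)), 0
    for _ in range(rounds):
        rng.shuffle(ys)
        hits += abs(pearson_r(xs, ys)) >= observed
    return (hits + 1) / (rounds + 1)

def make_response(k, b):
    """Constructed respondent: first k knowledge and b behaviour answers correct."""
    resp = {q: "a" if i < k else "b" for i, q in enumerate(KNOWLEDGE_QS)}
    resp.update({q: "a" if i < b else "b" for i, q in enumerate(BEHAVIOUR_QS)})
    return resp

# Constructed (knowledge, behaviour) correct counts for 13 respondents.
SAMPLE_SCORES = [(8, 7), (7, 7), (6, 5), (8, 8), (3, 2), (5, 4), (4, 5),
                 (2, 3), (7, 6), (6, 6), (1, 2), (5, 5), (3, 4)]
SAMPLE_RESPONSES = [make_response(k, b) for k, b in SAMPLE_SCORES]

def analyse(responses):
    """Return per-respondent scores, r and the permutation p-value for H0."""
    ks = [component_score(r, KNOWLEDGE_QS) for r in responses]
    bs = [component_score(r, BEHAVIOUR_QS) for r in responses]
    return {"knowledge": ks, "behaviour": bs,
            "r": pearson_r(ks, bs), "p": permutation_p_value(ks, bs)}
```

A p-value below the chosen significance level rejects H0 in favour of H1; a high r with a large p (small samples, as with the 13 beta responses) would still not justify rejecting H0.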

The beta version of the Information Security Awareness Survey is initially sent to a limited group of people in different countries. The survey is kept open for three weeks, giving respondents enough time for their feedback. A total of 13 responses were received, as schematically depicted in Figure 3.1.

Figure 3.1: Number of Initial Responses Received for Beta version of Information Security Awareness Survey - Formulated for Current Research Using Survey Tooling


Builder of SurveyMonkey© - Formulated for Current Research). Table 3.3 below details the amendments made between the Beta and the Final version of the Information Security Awareness Survey.

Question number and comment on the amendment (Beta version to Final version):

Question 11: Complexity of answering options increased
Question 15: Direction of question changed, with answering options diversified
Question 17: Answering options made more random
Question 21: The last option was made elaborate to judge awareness of the topic
Question 26: Text of the question changed to remove ambiguity

Table 3.3 : Amendments in Beta version of Information Security Awareness Survey Questionnaire – Formulated for Current Research

NB: Refer to Appendix A1 & A2 for the details of Beta and Final version of the Information Security Awareness Survey Questionnaire respectively.

3.1.2 Preciseness - Information Security Awareness Survey
