Information Security Awareness

Top PDF Information Security Awareness:

The development and evaluation of an information security awareness capability model: linking ISO/IEC 27002 controls with awareness importance, capability and risk

This research extends existing literature by contributing an approach and empirical model for measuring the required importance and capability of information security awareness within an organisation, thus identifying potential information security risks. The key findings illustrate that the required importance of awareness of information security controls differs from control to control, and differs depending on which stakeholder is involved. Finally, the study’s model calculates Awareness Risk, allowing organisations to establish where awareness is sufficient; as well as where awareness is lacking and likely to present risks.

Factors affecting the information security awareness in Maldives Customs Service

Bashorun, Worwui, and Parker (2013), Waly, Tassabehji, and Kamala (2012) and Smith (2006) have argued that organizations have embraced the idea that the protection of sensitive information cannot be attained most efficiently by intense technological solutions alone. Technology has become the driving force of every aspect of life today, and awareness guarantees that enterprise staff know their responsibilities in assuring the security of the information assets. It is critical for organizations to adopt a structural information security awareness approach besides their policies and technological controls.

Role of Information Security Awareness in Success of an Organization

To overcome the limitation of information security awareness most general tool for assessing information security awareness. Similarly, the study by Namjoo et al. [5] concludes that an organization’s survival necessitates a security program. Due to the importance of information security awareness in ensuring a successful plan, the study will be adapted to fit the Indian organizational context and will be used to assess the awareness levels of the employees of the organization in question. A Security Education, Training and Awareness (SETA) program can be clearly defined as an educational program that is planned to reduce the number of security breaches that occur through a lack of employee security awareness. A SETA program sets the security rules for the employees of an organization, particularly if it is made part of the employee orientation. Awareness programs detail the employee’s role in the area of Information Security. The aim of a security awareness effort is participation. Technology alone cannot solve a problem that is controlled by individuals. SETA awareness programs show the users where they can play a very important part in the protection of the organization’s information. They serve to instill a sense of responsibility and purpose in employees who handle and manage information, and motivate employees to care more about their work environment.

Information security awareness model in social networking for teenagers

Social networking services have become a very popular place for teenagers to socialise. As the usage of social networking services increases, information security awareness has become a necessity to protect teenagers’ privacy and to protect them from cyber threats, since teenagers are one of the most vulnerable groups on the internet. Even though many studies have been done on information security awareness, the majority of them focus on organisational or corporate settings. Moreover, according to the preliminary study, teenagers have been sharing a lot of information about themselves on social networking services and lack understanding of information security awareness. This scenario shows that teenagers are very much exposed to cyber threats when using social networking services. Therefore, it is important to conduct further research into information security awareness among teenagers to find their understanding of and attitude towards it, and to find the best approach to improving this issue.

Significance of Information Security Awareness in the Higher Education Sector

The study into the feasibility of a vocabulary test to assess information security awareness conducted by Kruger, Drevin & Steyn [14] identified significant relationships between knowledge of concepts and behaviors. That is, knowing a concept will translate into positive behaviors relating to the concept. However, the current study is in contrast to Kruger, Drevin & Steyn [14]. The results shown in the cross-tabulations between concepts and corresponding behaviors (refer to Table 1) identified surprising results which contradicted Kruger, Drevin & Steyn [14]. For instance, an alarming 74.1% of respondents who knew the concept of phishing still engaged in clicking on links embedded in potential spam. Similarly, an alarming 75.3% of respondents who knew what spam is also engaged in the clicking of links embedded in potential spam. It can be concluded that knowing the concept of spam and phishing did not mean that the employees will not take the risk and click on potentially dangerous links. The likely reason for this may again be attributed to the lack of policy enforcement or promotion. In relation to strong passwords, the results also contradicted Kruger, Drevin & Steyn [14] in that knowing the concept of a strong password still resulted in staff engaging in password sharing and leaving computers unattended and unlocked. Using the respondents' result set as an example, knowing what a strong password is did not stop 51.7% of staff from sharing passwords. Similarly, an alarming 79.3% of staff who knew the concept of a strong password have admitted to leaving their computer terminals unattended and unlocked. The reason for such actions could be a result of the trust formed between co-workers. However, the security risks are clearly present.

A model on evaluating information security awareness in Majmaah University in Saudi Arabia

Information is considered one of the most important resources on which organizations depend. If an organization's information is damaged, the organization could face difficult problems, in the form of loss of gain, loss of clients’ trust and probably legal action, etc. Thus, the information must be secured and protected. Information security awareness focuses on ensuring that all staff are aware of the rules and laws relating to securing the data inside the organization. Consequently, information security awareness must form an integral aspect of each company’s information security management plan.

A prototype to evaluate information security awareness level for teacher and student in secondary school

This study develops a prototype to evaluate the information security awareness level of teachers and students in secondary school. The purpose of the prototype is to identify the level of information security awareness based on an assessment model.

An information security awareness capability model (ISACM)

A lack of information security awareness within some parts of society as well as some organisations continues to exist today. Whilst we have emerged from the late 1990s threats of viruses such as Code Red and Melissa, through to the phishing emails of the mid-2000s and the financial damage that some, such as the Nigerian scam, caused, we continue to react poorly to new threats such as demands for money via SMS with a promise of death to those who won’t pay. So is this lack of awareness translating into problems within the workforce? There is often a lack of knowledge as to what is an appropriate level of awareness for information security controls across an organisation. This paper presents the development of a theoretical framework and model that combines aspects of information security best practice standards as presented in ISO/IEC 27002 with theories of Situation Awareness. The resultant model is an information security awareness capability model (ISACM). A preliminary survey is being used to develop the Awareness Importance element of the model and will leverage the opinions of information security professionals. A subsequent survey is also being developed to measure the Awareness Capability element of the model. This will present scenarios that test Level 1 situation awareness (perception), Level 2 situation awareness (comprehension) and finally Level 3 situation awareness (projection). Is it time for awareness of information security to now hit the mainstream of society, governments and organisations?

Management Commitment as a Determinant of Information Security Awareness: A Case of Secondary Schools in Kenya.

The research followed a five-stage deductive approach as suggested by Milyankova [20]: deducing a hypothesis from the theory, expressing the hypothesis in operational terms, testing the hypothesis, examining the outcome of the inquiry and modifying the theory in light of results. The time horizon for this research was cross-sectional, as this research was limited to a specific time frame. The researcher gathered the secondary data from journals, articles, magazines, websites and textbooks and collected primary data to answer the research questions and test the hypothesis. The use of questionnaires as the research instrument allowed the collected data to be standardized and to be easily compiled. The questionnaire was based on ISO 27001:2005, which lists the requirements for the ISO 27002:2005 code of practice for ISMS, and used self-administered closed-ended questions for prompt and honest responses, eliminating any bias that could have occurred in phrasing questions to different respondents. A peer review was done to gauge the suitability of the questions in relation to the research objectives (face and content validity) by exposing them to the university supervisors, peers in the faculty and other experts in the IT sector. Based on their feedback, the necessary amendments were made to the questions. A pilot test was conducted in two secondary schools in Vihiga and Siaya Counties and the results used to modify and validate the questionnaire. In criterion-related validity, predictive validity was used to assess the ability to predict awareness and training from management commitment constructs by performing regression analysis between independent variables (management commitment) and corresponding responses on information security awareness and training as the dependent variable. There were high correlations providing evidence for predictive validity, that these variables can correctly predict effective information security theoretically. This was backed by the regression coefficients that were found to be significant.

Deterministic Study For Correlation And Interdependency Between Attributing Features Of People’s Knowledge And Behaviour Impacting Information Security Awareness

Information Security dominantly focuses on the technology part, inclined towards the confidentiality, integrity and availability of systems (von Solms & von Solms 2004). Information security awareness, on the other hand, is related to people and their behavior. The Information Security Forum Standard of Good Practice defines Information Security Awareness as “the extent to which staff/people understand the importance of information security, the level of security required by the organization and their individual security responsibilities” (ISF, 2016). Kruger et al 2006 stated that Information Security Awareness is about security-positive behavior which helps in conducting personal or business work securely. It is evident in numbers that the outreach and impact of Information Security is humongous. The hitherto neglected people aspect therefore cannot be ignored any further. Information Security Awareness, based on past studies and notions, has two important attributing features: Knowledge and Behaviour. Many researchers concluded that the people aspect is very difficult to comprehend since people’s behavior cannot be empirically proven right or wrong. Most of the time people’s behaviour is only conditional and tied to a situation/scenario. The other attributing feature, equally important to consider from the people aspect, is knowledge about Information Security. Many of the relevant studies conducted to ascertain the impact/effect of the knowledge and behavior of people on Information Security Awareness indeed point to a conclusive correlation, although such studies were based on very constrained data sets, like people from a particular country, data gathered through a technical test limited to a selected set of respondents, etc. In the complex field of Information Security, does having good knowledge translate to good behavior and vice versa? The current research is of the opinion, based on a random global data population projected by means of inferential statistics, that correlation between the attributing features of Information Security Awareness may exist.

The development and evaluation of an information security awareness capability model: linking ISO/IEC 27002 controls with awareness importance, capability and risk

The emergence of identity theft and financial fraud from phishing is causing similar concerns to those experienced during the early years of viruses in the late 1990s and early 2000s. The results of an Australian Bureau of Statistics survey on personal fraud (Australian Bureau of Statistics (ABS) 2011) reported 702,100 victims of identity theft, an increase of 499,500 victims since the 2007 survey, although changes to how this survey was conducted (2007 versus 2011) make directly comparing the two figures difficult. It is unclear whether the increase is a result of more victims or just a greater level of awareness of the problem and consequent increase in reporting incidents. Society’s reliance on information technology for Internet banking, share trading, instant messaging, blogging and social networking, as well as critical infrastructure’s use of information technology, provides a perfect attack vector. Information security controls are the rules and regulations capable of preventing or minimising the impact of such attacks (Hove et al. 2014; Narain Singh, Gupta & Ojha 2014; Siponen & Willison 2009). Knowledge of these controls, through information security awareness, can provide a strong level of defence for organisations. This knowledge includes awareness of a new virus or phishing attack, awareness of identity theft, and what controls can minimise the likelihood and impact of these threats. Understanding how awareness influences the importance, capability and effectiveness of information security controls is important. It provides insight and a challenge for the development of models incorporating measures of importance and capability by linking information security control methodologies and awareness. There is a large body of literature that describes what to include in an information security awareness program. Literature such as Information Security Awareness: Local government and Internet service providers (European Network and Information Security Agency (ENISA) 2007) and Guidelines for Managing the Security of Mobile Devices in the Enterprise (National Institute of Standards and Technology [NIST], Souppaya & Scarfone 2013) are examples of government or industry-body provided information on information security awareness. There is, however, scant information on how awareness influences the effectiveness of the information security controls and little is documented about how capable or effective these awareness programs are, and whether they raise the perception, comprehension and decision making of individuals and organisations in relation to potential information security threats.

A Reliable Measure of Information Security Awareness and the Identification of Bias in Responses

The Human Aspects of Information Security Questionnaire (HAIS-Q) is designed to measure Information Security Awareness. More specifically, the tool measures an individual’s knowledge, attitude, and self-reported behaviour relating to information security in the workplace. This paper reports on the reliability of the HAIS-Q, including test-retest reliability and internal consistency. The paper also assesses the reliability of three preliminary over-claiming items, designed specifically to complement the HAIS-Q, and identify those individuals who provide socially desirable responses. A total of 197 working Australians completed two iterations of the HAIS-Q and the over-claiming items, approximately 4 weeks apart. Results of the analysis showed that the HAIS-Q was externally reliable and internally consistent. Therefore, the HAIS-Q can be used to reliably measure information security awareness. Reliability testing on the preliminary over-claiming items was not as robust and further development is required and recommended. The implications of these findings mean that organisations can confidently use the HAIS-Q to not only measure the current state of employee information security awareness within their organisation, but they can also measure the effectiveness and impacts of training interventions, information security awareness programs and campaigns. The influence of cultural changes and the effect of security incidents can also be assessed.

RELATIONSHIP BETWEEN INFORMATION SECURITY AWARENESS AND INFORMATION SECURITY THREAT


Measuring An Information Security Awareness Program

Using the results provided by this paper, there are a number of conclusions that can be drawn. The first conclusion is there are varying definitions that have been used for security awareness. These definitions fell short of completely defining security awareness, and as a result, most of the previous research inadequately investigated security awareness. This paper provides a clear, concise definition of security awareness. It is the effort to impart knowledge of or about factors in information security to the degree that it influences users' behavior to conform to policy.

Employing Information Security Awareness to Minimize Over-Exposure of Average Internet User on Social Networks

With regard to the findings of two separate studies, 79 percent of social media users are not much concerned about changing the default settings, as can be seen clearly on Twitter, where about 99 percent of users preferred its default settings; this study was conducted by Mannan. Gross’s study [19] found that the percentage of users who changed the default privacy settings is very small, at only 1.2 percent. Moreover, another study conducted in 2009 had 144 participants, of whom 51% were students, 44% were employees, and 5% were others. In summary, 76% of those participants do not notice the warnings from OSN providers about the risk of presenting some of their information online. Nearly 45% of students indicate that users are not given any list or guideline by OSN providers regarding this issue [20].

An Assessment of the Level of Information Security Awareness among Online Banking Users in Nigeria

Those who use online banking services were given the opportunity in the questionnaire to select multiple reasons for using online banking. From their responses, 46 online banking respondents (31.5%) indicated that they used online banking services because of the swiftness and accuracy of their transactions. 40 respondents (27.5%) said it was due to its convenience in terms of 24/7 access anywhere, provided there is an internet connection. 32 respondents (21.9%) revealed that it saves time, in that they need not go to the bank to make transactions and are saved from waiting in a queue in the bank. Amazingly, only 12 respondents (8.2%) believed that online banking offered better security, and 16 respondents (10.9%) felt that online banking also minimised some expenses, which means it saves money. The percentages of respondents who chose swiftness and accuracy, convenience, and time saving are high compared to the other reasons, which means these three factors are the major reasons why most online banking users welcome it. The table below shows respondents' reasons for using online banking.

Information security awareness framework for enhancing security privacy among Twitter users

Sharing other kinds of personal information on Twitter, besides personally identifiable information, could be taken advantage of, placing people at risk. For instance, in June 2009 Israel Hyman, an Arizona-based video podcaster, tweeted that he was looking forward to his family vacation to Saint Louis, where they would be visiting family friends for the week. Once they had safely arrived in Missouri, he tweeted again. Several thousand dollars of computer and video equipment was stolen from their house while they were away (Van Grove, 2009).

Information security conscious care behaviour formation in organizations

Today, the Internet can be considered to be a basic commodity, similar to electricity, without which many businesses simply cannot operate. However, information security for both private and business aspects is important. Experts believe that technology cannot solely guarantee a secure environment for information. Users' behaviour should be considered as an important factor in this domain. The Internet is a huge network with great potential for information security breaches. Hackers use different methods to change confidentiality, integrity, and the availability of information in line with their benefits, while users intentionally or through negligence are a great threat for information security. Sharing their account information, downloading any software from the Internet, writing passwords on sticky paper, and using social security numbers as a username or password are examples of their mistakes. Users' negligence, ignorance, lack of awareness, mischievousness, apathy and resistance are usually the reasons for security breaches. Users' poor information security behaviour is the main problem in this domain and the presented model endeavours to reduce the risk of users' behaviour in this realm. The results of structural equation modelling (SEM) showed that Information Security Awareness, Information Security Organization Policy, Information Security Experience and Involvement, Attitude towards information security, Subjective Norms, Threat Appraisal, and Information Security Self-efficacy have a positive effect on users' behaviour. However, Perceived Behavioural Control does not affect their behaviour significantly. The Protection Motivation Theory and Theory of Planned Behaviour were applied as the backbone of the research model.

The Awareness Behaviour of Students on Cyber Security Awareness by Using Social Media Platforms: A Case Study at Central University of Technology

A study that was done among higher education students revealed that the cyber security behaviour of the participants was not satisfactory and some of the threats facing them could be eliminated if they were aware of these threats (Muniandy, Muniandy & Samsudin, 2017). Information security awareness (ISA) is regarded as an effective way to deal with threats because people are potential targets of cyber criminals due to the development of technology (Aldawood & Skinner, 2018). Awareness initiatives can be used to develop a positive information security culture (Da Veiga, 2016).

Information System Security: Human Aspects

two groups, home and organizational users, and they asserted that information security awareness plays a vital role in both groups. This study has also revealed that delivery methods and enforcement components play important roles in this domain. Information security awareness can stem from employees’ experience in this domain. Information security experience leads to comprehension, familiarity, as well as the ability and skill to manage incidents [17]. The awareness program should communicate to users the organization's IS security policies and make users aware of the risks and potential losses. [18] take into consideration the user’s role when presenting a model for implementing and enhancing the culture of IS security. The model focuses on three levels of organizational behavior: the organizational level, the group level, and the individual level. The model suggests that the organization's security culture must be improved by taking human behavior into account. It also suggests that each user should be informed, through IS security awareness, of his role in protecting information assets. [19] discussed the implementation of a continuous IS security awareness training program as part of the corporate asset protection program. [20] argue that organizations should introduce IS security awareness and make their ethical policy clear to their employees and ensure that strong deterrents are in place. [21] argues that the incompetence of users who underestimate the dangers inherent in their actions represents the biggest IS security problem. An efficient IS security awareness program can overcome this problem. The organizations are better prepared to screen their information security awareness position, their limits and the day-by-day weights influencing the organization, therefore enabling them to configure better-coordinated strategies and procedures to encourage safe operating limits [22]. The information security focus areas included in this organization's information security policies are password management; use of email, the Internet and social networking sites; mobile computing; and information handling. However, the maturity levels of these elements varied among focus areas due to a lack of information security policy awareness and compliance among users [23].