A prototype for assessing information security awareness

H.A. Kruger a,*, W.D. Kearney b,1

a School of Computer-, Statistical- and Mathematical Sciences, North-West University (Potchefstroom Campus), Private Bag X6001, Potchefstroom 2520, South Africa
b AngloGold Ashanti, Level 13, St Martins Tower, 44, St Georges Terrace, Perth WA 6000, Australia

Article history: Received 19 January 2005; Revised 22 December 2005; Accepted 6 February 2006

Keywords: Information security awareness; Quantitative modelling; Knowledge; Attitude; Behaviour

Abstract

Due to the intensified need for improved information security, many organisations have established information security awareness programs to ensure that their employees are informed and aware of security risks, thereby protecting themselves and their profitability. In order for a security awareness program to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. The objective of this paper is to report on the development of a prototype model for measuring information security awareness in an international mining company. Following a description of the model, a brief discussion of the application results is presented.

© 2006 Elsevier Ltd. All rights reserved.
1. Introduction
Security risks associated with information technology are a topic that has become increasingly significant. As corporations rely ever more on technology to run their businesses, security is becoming a major concern rather than an afterthought. The CERT Co-ordination Center at Carnegie Mellon University has reported that security incidents, reported security attacks that may involve one site or thousands of sites, have increased by 68% from 2003 to 2004 (CERT/CC, 2004).

Whilst information security generally focuses on protecting the confidentiality, integrity and availability of information, information security awareness deals with the use of security awareness programs to create and maintain security-positive behaviour as a critical element in an effective information security environment. According to Hansche (2001: p. 14) the goal of a security awareness program is to heighten the importance of information systems security and the possible negative effects of a security breach or failure. The Information Security Forum (ISF, 2003) defines information security awareness as the degree or extent to which every member of staff understands the importance of information security, the levels of information security appropriate to the organisation, their individual security responsibilities, and acts accordingly.

The effective management of information security requires a combination of technical and procedural controls to manage information risk. The value of controls usually depends on the people implementing and using them and in information security that is no different. Controls can be circumvented or abused by employees who ignore security policies and procedures. The implementation of effective security controls is thus dependent upon the creation of a security-positive environment, where everyone understands and engages in the behaviours that are expected of them. See for example Von Solms and Von Solms (2004) who offered guidelines on how to move from information security policies to a positive information security culture. The change to a security-positive environment or culture is, however, not always easy and straightforward. The ISF's Information Security Status Survey (ISF, 2002) indicated that most members believe that the effectiveness of their security awareness initiatives does not rate especially highly, and that more than four out of five feel they do not commit sufficient time and resources to their awareness activities. In a similar vein, a recent computer crime and security survey (CSI, 2004) found that the vast majority of the organisations in the review view information security awareness training as important, though (on average) respondents from all sectors do not believe their organisations invest enough in this area.

* Corresponding author. Tel.: +27 18 2992539; fax: +27 18 2992570.
E-mail addresses: rkwhak@puknet.puk.ac.za (H.A. Kruger), wkearney@anglogoldashanti.com (W.D. Kearney).
1 Tel.: +61 8 94254621; fax: +61 8 94254650.
Available at www.sciencedirect.com; journal homepage: www.elsevier.com/locate/cose
0167-4048/$ – see front matter © 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2006.02.008
computers & security 25 (2006) 289–296
There appears to be sufficient material to help organisations with delivering a proper security awareness program and what to do to influence employees positively, e.g. Information Technology – Code of Practice for Information Security Management (ISO 17799, 2000), The Standard of Good Practice for Information Security (ISF, 2003), Leach (2003), Furnell et al. (2002), Hansche (2001) and Spurling (1995). There is, however, a lot less available in the literature on how to measure the effectiveness of these programs. Pentasafe Security Technologies (Pentasafe, 2002) produced a comprehensive security awareness report that was based on responses from 1348 workers and 583 organisations worldwide. It represents a major effort to measure how organisations improve security awareness and how well employees understand and act upon information security policies, threats and issues in their respective organisations. Examples of other information security measurement aspects can be found in Martins and Eloff (2001), who suggested that the measurement of information security management should be performed on two levels, viz. a business and management process level and a technical level; Stanton et al. (2005) presented work on the systematic classification of information security end user behaviours that could be used when analysing (measuring) security behaviour.
Information security awareness is a dynamic process, made even more difficult in that risks continuously change. As a result, any awareness program needs to be continually measured and managed to keep abreast of changes in risk profiles. To keep the users current and their memories refreshed, any awareness program must be ongoing and be an integral part of the very culture of the enterprise. The key to success in awareness is keeping the messages relevant and consistent, while varying the delivery mechanisms, to keep everyone interested. Both the delivery mechanism and the risk areas could change as the information risk profile changes. Schlienger and Teufel (2003) discuss this where awareness and training programs lead from "become aware" to "stay aware" and end up in "be aware", which changes a security culture definitively. To address the issue of continuous change and measurement of information security awareness, a project was initiated at an international gold mining company to investigate the feasibility of developing a measurement model. The goal of the model, which forms part of an ongoing research project, was to monitor change in security behaviour and as a result revise or repeat security awareness campaigns.

The remainder of this paper is organised as follows. Section 2 briefly introduces the international gold mining company where the study was performed. Section 3 describes the methodology used while Section 4 deals with an application of the model, the modelling results and recommendations. Section 5 concludes the paper with some general comments.
2. Background
An international gold mining company, which recently implemented a security awareness program worldwide at all their operations, agreed to assist with the research project. The company is a global African gold producer with 25 operations in 11 countries and has gold production of over 6 million ounces annually. The company was formed in 2004 out of the merging of two existing gold mining companies. The merged company has one of the world's largest reserves and resource bases and focused exploration activities around the globe. Employing more than 62,500 people around the world, the company is listed on the following exchanges: JSE Securities Exchange, NYSE, ASX, LSE, GSE and the Euronext Paris and Euronext Brussels.
In an organisation of this size and diverse locations of operations, it was clear that there is no silver bullet or clean and simple answer to create an effective and secure information environment. The management of the risk in this fluid and dynamic environment involves significant expenditure together with an ongoing business and information technology partnership. The company, like every other organisation using information technology, faces a real internal and external threat in terms of information risk. Information security apathy and ignorance are some of the biggest threats to computer systems and a significant and lasting improvement in information security will not be achieved by throwing more technical solutions and sophisticated processes at the problem – it is by raising the general level of information security awareness and educating all computer users in the basics of information security. One of the first steps in this challenge was then to create an awareness of the risks and then to ensure the risk is managed. The initial aim or objective was to ensure that computer users are aware of the risks associated with using information technology as well as understanding and abiding by the policies and procedures that are in place.
To achieve this, an information security awareness program was initiated. Briefly the program involved the following. A comprehensive toolkit was purchased from a vendor and detailed development of the program started in mid-2003. The first priority was to narrow the focus of the program into a manageable size. After careful deliberation and following a risk elimination process, the program was focused on six critical risk areas or 'Golden Rules', the first five being:
- Always adhere to company policies
- Keep passwords and personal identification numbers (PINs) secret
- Use e-mail and the Internet with care
- Be careful when using mobile equipment
- Report incidents like viruses, thefts and losses
The last is the heart of the program, namely Be aware, all actions carry consequences – once again, back to the people issue.
The toolkit purchased consisted of a complete awareness solution, and it was decided to use only those portions relevant to the specific needs of the company and to customise other areas to suit specific needs. The program was rolled out to all computer users, not all employees.

The program was developed as follows:
- Basic presentation to all computer users, including a video, not longer than an hour
- Brochures to all participants
- Different posters put up in all regional offices and Business Units
- Website with all details, including "Ask a question" option available on the global Intranet
- Articles in the company's in-house magazine

Presentations were geared towards different audiences, with a similar core message but delivered to suit the audience. The video was customised with the company's logo and name, as well as digital images of Business Units, staff members and corporate office. The video has been translated into French, Spanish and Brazilian Portuguese, together with UK, Australian, South African and American English versions. While it may seem excessive, it was very important to get the local buy-in and identification with the program. Presentations, posters and brochures were in English, Spanish, French and Portuguese.

Following the implementation of the program there was a need to evaluate and measure the success and effectiveness of it. The purchased toolkit contains a basic measuring tool based on multiple-choice questions that a respondent has to answer. The number of right answers is then used as an indication of the awareness in a certain region. There was, however, a need for a more comprehensive measuring tool that can be applied globally and that will address the company's unique requirements at the different operations.
3. Methodology
The methodology used to develop the measuring tool was based on techniques borrowed from the field of social psychology that proposes that learned predispositions to respond in a favourable or unfavourable manner to a particular object have three components: affect, behaviour and cognition. The affect component encompasses one's positive and negative emotions about something, the behaviour component consists of an intention to act in a particular manner while the cognition component refers to the beliefs and thoughts one holds about an object (Feldman, 1999; Michener and Delamater, 1994). These three components were used as a basis and the model was developed on three equivalent dimensions namely what does a person know (knowledge); how do they feel about the topic (attitude); and what do they do (behaviour). This approach is not completely new and other researchers have already performed work where the social sciences were related to the field of information security awareness. Thomson and Von Solms (1998) have shown how social psychological principles could be utilised to improve the effectiveness of an information security awareness program while Schlienger and Teufel (2003) made use of social–cultural measures to define a model for analysing information security culture in organisations.

To develop a measuring tool and perform the actual measurements, the researcher or decision maker is confronted with two distinctive challenges: what to measure and how to measure it. In this study, requirements such as sustainability, ease of use, the use of scientific methods and complying with the organisation's unique requirements, all add to the challenge of finding a suitable methodology to create the measuring tool with.
3.1. What to measure
A global information security awareness level for the organisation was the main measurement required. To achieve this, it would be necessary to measure awareness levels at each region and then in a meaningful way combine those regional levels into an overall measurement.

It was agreed that one "set of aspects" would be measured at all the regions although they might not be of equal importance in all the regions – importance was handled through a weighting system which is discussed later on. This approach called for the identification of key factors that would form the basis of the evaluation. To assist in the problem structuring process a hierarchy of criteria was identified using a tree structure. This process is often referred to as a value tree, which is a simple representation, capturing the essence of a problem, extracted from a complex problem description and can be constructed by using either a top-down or bottom-up approach. The top-down approach was used, as it is objective led, beginning with a general statement of the overall objective and expanding the initial values into more detailed concepts, which help to explain or clarify the former. A complete discussion of value trees, how they are constructed and used, can be found in Belton and Stewart (2002).

As a first classification of what to measure, it was decided to measure the three dimensions: knowledge (what you know), attitude (what you think) and behaviour (what you do). Each one of these dimensions was then subdivided into the six focus areas as discussed in Section 2 and on which the awareness program was based. Where appropriate and through consensus the six focus areas were further subdivided into specific factors, for example, the focus area Passwords was broken down into two subcategories Purpose of passwords and Confidentiality of passwords. Confidentiality of passwords was then further broken down into Writing down of passwords and Giving passwords to others.

It is significant to note that the construction of the tree of aspects that could be measured is directly linked to the overall complexity of the model i.e. data gathering, importance weights for different factors, use and interpretation of results, justification for results, etc. Keeping it simple but meaningful was one of the major challenges in the design. An illustration of the tree structure developed is shown in Fig. 1.

Once the factors to be measured were identified, it was clear that they would not contribute in equal proportions to the final awareness level measurement. Therefore, another issue that needed to be measured was the importance of contributing factors. This was achieved through a measurement process where importance weights were allocated to all factors in a specific branch of the tree of factors. For example, the different regions will have different weights as they have different influences on the overall awareness levels; the three dimensions, knowledge, attitude and behaviour will have different importance levels; and the six focus areas will have different importance weights if management decides that it is more important to measure specific focus areas than others.
3.2. How to measure
The use of a value tree suggests solving the tree in a backward manner i.e. the tree is solved from the lowest level working upwards through the different levels. This was done using a simple scorecard approach defined as

$$V(a) = \sum_{i=1}^{n} v_i(a)\, w_i$$

where $V(a)$ is the overall value of alternative $a$, $v_i(a)$ is the value score reflecting alternative $a$'s performance on criterion $i$ and $w_i$ the weight assigned to reflect the importance of criterion $i$. This additive model is one of the most widely used forms of a value function and is described in detail in Belton and Stewart (2002).

Scoring models are well known management science techniques and a complete description of the technique can be found in many textbooks. See for example Taylor (2002).
The performance, $v_i(a)$, was determined using a questionnaire. Thirty-five questions were designed to test the knowledge, attitude and behaviour of respondents pertaining to the six main focus areas and their factors and sub-factors. Some of the questions were answered on a 3-point scale – true, don't know and false, while others only needed a true or false response. This way of measuring how respondents may act is in line with methods suggested in social psychology (Michener and Delamater, 1994) and agrees with methods used and proposed by other researchers and practitioners in the field of information security awareness e.g. Pentasafe's security awareness report (Pentasafe, 2002), Schlienger and Teufel (2003), Teare and Da Veiga (2003) and Martins and Eloff (2001). Fig. 2 shows an example of a question in each of the three dimensions.

It is important to note that actual behaviour may not be measured accurately by a questionnaire alone as respondents do not necessarily tell the truth when asked about their behaviour. It should also be accepted that not all respondents will lie about their behaviour and that the use of a questionnaire will, in general, give at least an indication of the level of security behaviour. The measuring process can be supported by physical tests to verify actual behaviour and Internal Audit departments may be a valuable source of help in this regard. The incorporation of physical tests and other measures, to confirm actual security behaviour, forms part of an ongoing research process and is currently being investigated.
The importance weights, $w_i$, were determined using the analytic hierarchy process (AHP). The AHP approach makes use of pairwise comparisons to provide a subjective evaluation of factors based on management's professional judgment and opinion. The comparisons are made using a preference scale, which assigns numerical values to different levels of preference. A square matrix is then derived from the pairwise comparisons and a scale is extracted based on the matrix's eigenvector associated with the largest eigenvalue. When this vector is normalised to sum to one, the solution is unique and represents a numerical measure of the decision maker's perceptions of the relative importance of criteria. A consistency index can then be computed to measure the degree of inconsistency in the pairwise comparisons. Saaty developed the AHP and a good description of the technical details and application possibilities can be found in Saaty (1980) and Vargas and Dougherty (1982). A comprehensive literature review of AHP applications in different fields and areas can also be found in Vaida and Kumar (2006).
The methodology outlined above complies with the organisation's specific requirements. It is specific to the mining company in the sense that it is based on the six focus areas as approved by senior management and it can be applied to each one of their regions to provide a final global awareness level. The method is sustainable as it can be applied over and over. It is fairly easy to use and output is given in a quantitative manner that is easy to understand. The techniques and principles used, such as value trees, scorecards and the analytic hierarchy process, are all accepted scientific methods that have been used numerous times before in research projects. In general the methodology provides a number of opportunities to benefit from.

Not only will the model provide an overall global awareness level, but awareness levels are also measured (and reported on) at intermediate levels i.e. per region, dimension, focus area and factor per focus area. If needed, low-level information from the questionnaires and importance weights can finally be used to explain specific performances.

Fig. 1 – Tree structure of problem. [Diagram not reproduced. Levels from the root: Overall awareness level; Regions (Region 1, Region 2, ..., Region n); Dimensions (Knowledge, Attitude, Behaviour); 6 focus areas (e.g. Policies, Password); Factors (e.g. Purpose, Confidentiality); Sub-factors (e.g. Write, Give).]

The data and the tree structure can be used to prepare a drill down system. Such a drill down facility would enable management to easily view the awareness at different levels of detail and plan accordingly what actions to take and where to focus these actions.

By applying the model at regular intervals, the change in awareness levels can be measured and an index of awareness can be constructed. This will assist management to measure the change towards, or away from, security-positive behaviour over time, and to take corrective action if necessary. The index figure of awareness levels may also act as an important indicator of when to review, and possibly adjust, importance weights of those aspects being measured. Sensitivity analysis can be performed e.g. if management wants to change the importance weights of the different branches in the tree or when they want to study the effect of adding or deleting factors from the tree.

A possible negative aspect is the time it takes to perform the pairwise comparisons necessary to calculate the importance weights. This can take long depending on the number of factors identified in the tree structure as well as the number of managers involved in the process. Simplifying the process with user-friendly graphic interfaces or the use of an alternative weighting process is currently considered as part of the ongoing research process.
4. Application
The prototype tool was applied to the Australian regional office of the company discussed in Section 2. The choice of region was based on a management request as well as the fact that the environment (staff, infrastructure, etc.) was reasonably stable. The staff complement was small enough to easily obtain the required feedback and input, and all of them have already been exposed to the information security awareness program.

The first task was to determine what to measure. To this end, a value tree, similar to the one in Fig. 2, was constructed. From the tree, 44 aspects were identified that could be measured to cover the knowledge, attitude and behaviour dimensions with the associated six focus areas in each dimension. Next, a simple questionnaire, containing 35 questions (some questions were used to measure more than one aspect), to capture the information required was developed and tested at the region's head office as well as at one of the operational sites in the region. Different tests were performed and include tests using open-ended questions, multiple-choice questions, one-on-one contact with respondents and the use of e-mail facilities. These tests have provided valuable input and helped to refine the questionnaire. The refinement process took some time and involved a number of iterations with samples from staff to ensure that a model was developed which complies with the principles of sustainability, ease of use and scientific soundness. The final questionnaire was distributed and a response rate of almost 51% was recorded.

Finally, the importance weights were determined using the AHP. The Information Security Manager, responsible for the organization's global information security, provided the pairwise comparisons to calculate the importance weights. Naturally importance weights will be based on input from all relevant managers – this study, however, was more focused on the feasibility and development of an acceptable methodology and therefore initial ratings from only one (and probably the most appropriate) manager were accepted as sufficient.

Questionnaire results and importance weights were processed in a spreadsheet application and output was finally presented in the form of graphs and awareness maps. Fig. 3 contains one example of a graph showing the overall awareness level (as being average) as measured with the prototype tool. Similar graphs were produced for each dimension as well as for each focus area. The following awareness scale, which was defined in accordance with management's view on awareness performance, was used to explain the level of awareness:

Awareness | Measurement (%)
Good | 80–100
Average | 60–79
Poor | 59 and less

Fig. 2 – Example questions.
Example question to test knowledge: Internet access on the company's systems is a corporate resource and should be used for business purposes only. 1. True 2. False 3. Do not know
Example question to test attitude: Mobile equipment is usually covered with existing insurance cover and there is no special need to include them in security policies. 1. True 2. False 3. Do not know
Example question to test behaviour: I am aware that you should never give your password to somebody else – however, my work is of such a nature that I do give my password from time to time to a colleague (only to those that I trust!). 1. True 2. False

The overall awareness in the region reviewed was measured as 65% and according to the awareness scale considered as 'average'.

The output of the measurement was also used to construct a colour coded 'Regional Awareness Map' – see Fig. 4(a). Using this map it is easy to see immediately how the region is performing in each dimension and each focus area. For example, Fig. 4(a) shows that the overall awareness for the region is 65%. This is made up by the three dimensions, which measured as 77% awareness in terms of knowledge, 76% awareness in terms of attitude, and 54% in terms of behaviour. The colour codes immediately show that information security behaviour in the region needs attention while knowledge and attitude were measured as average. The map also details measurements for each focus area. Consider for example the focus area Adhere to policies – the total awareness for this area is 44% and is made up of 18% awareness in terms of behaviour, 55% for attitude and 81% for knowledge. The colour codes suggest that the focus area needs attention and that the attention should be directed towards behaviour and attitude with acceptable knowledge. In the same manner, management can easily identify where to focus attention in each one of the six focus areas, thereby addressing the complete security awareness needs in the region.

Having produced a regional awareness map for each region, a final 'Global Awareness Map', consisting of the awareness levels in each region, can be constructed to show the global awareness level. Colour codes were again added to facilitate the direction of new or changed awareness campaigns to those dimensions and/or focus areas that did not measure satisfactorily. Fig. 4(b) shows the global awareness map – the global awareness figure (86%) was inserted for illustrative purposes.
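As an added illustration (not the authors' spreadsheet model), the scorecard $V(a)=\sum_i v_i(a) w_i$ of Section 3.2 solved bottom-up over a small value tree, with AHP importance weights derived from a pairwise-comparison matrix and the Fig. 4(a) figures (dimension weights behaviour 50, attitude 20, knowledge 30; region 77/76/54; Adhere to policies 81/55/18) rolled up and mapped onto the awareness scale. The Saaty-scale judgements in JUDGEMENTS and the power-iteration/consistency-ratio routine are assumptions of this example, not the manager's actual comparisons or the paper's own code.

```python
"""Value-tree scorecard with AHP importance weights (added example)."""

# Saaty's random consistency index by matrix size, used for the consistency
# ratio CR = CI / RI; judgements with CR < 0.10 are conventionally accepted.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}


def ahp_weights(matrix, iterations=200):
    """Derive importance weights from a reciprocal pairwise-comparison matrix.

    Returns (weights, lambda_max, ci, cr). The eigenvector of the largest
    eigenvalue is found by power iteration and normalised to sum to one, as
    in Section 3.2; lambda_max is estimated from A*w and CI = (lambda_max-n)/(n-1).
    """
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri else 0.0
    return w, lambda_max, ci, cr


# Constructed Saaty-scale judgements (assumption, not the paper's data):
# behaviour is 3x as important as attitude and 2x as important as knowledge;
# knowledge is 2x as important as attitude. Row/column order:
# behaviour, attitude, knowledge. Entries below the diagonal are reciprocals.
JUDGEMENTS = [
    [1.0, 3.0, 2.0],
    [1 / 3, 1.0, 0.5],
    [0.5, 2.0, 1.0],
]


def solve(node):
    """Solve the value tree backwards: V(a) = sum_i v_i(a) * w_i.

    A leaf carries a measured score (in %); an inner node carries a list of
    (weight, child) pairs whose weights sum to one.
    """
    if "score" in node:
        return float(node["score"])
    return sum(w * solve(child) for w, child in node["children"])


# Dimension weights as printed on the regional awareness map, Fig. 4(a).
DIMENSION_WEIGHTS = {"behaviour": 0.50, "attitude": 0.20, "knowledge": 0.30}


def dimension_branch(name, scores):
    """Three-dimension sub-tree for one region or one focus area."""
    return {"name": name, "children": [
        (DIMENSION_WEIGHTS[d], {"name": d, "score": scores[d]})
        for d in DIMENSION_WEIGHTS]}


def awareness_band(percent):
    """Awareness scale from Section 4: Good 80-100, Average 60-79, Poor <= 59."""
    p = round(percent)
    if p >= 80:
        return "Good"
    if p >= 60:
        return "Average"
    return "Poor"


def regional_example():
    """Recompute the Fig. 4(a) totals for the Australian region."""
    # Dimension totals read from Fig. 4(a): knowledge 77, attitude 76, behaviour 54.
    region = dimension_branch(
        "Australia", {"knowledge": 77, "attitude": 76, "behaviour": 54})
    # Focus area 'Adhere to policies' from the same map: 81 / 55 / 18.
    policies = dimension_branch(
        "Adhere to policies", {"knowledge": 81, "attitude": 55, "behaviour": 18})
    out = {}
    for branch in (region, policies):
        v = solve(branch)
        out[branch["name"]] = (round(v, 1), awareness_band(v))
    return out


if __name__ == "__main__":
    weights, lam, ci, cr = ahp_weights(JUDGEMENTS)
    for name, wt in zip(("behaviour", "attitude", "knowledge"), weights):
        print(f"{name:10s} weight {wt:.3f}")
    print(f"lambda_max {lam:.4f}  CI {ci:.4f}  CR {cr:.4f}")
    for name, (score, band) in regional_example().items():
        print(f"{name}: {score}% ({band})")
```

The two roll-ups reproduce the 65% (average) regional total and the 44% (poor) Adhere to policies total printed on the map; swapping the AHP-derived weights for the Fig. 4(a) weights in DIMENSION_WEIGHTS is the sensitivity analysis Section 3.2 mentions.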
4.1. Recommendations
The prototype tool, as applied in practice, was in line with ini-
tial management requirements and was regarded as success-
ful with significant results. This section will highlight some of
the issues that were identified during the development and
verification process that need more attention to ensure ongo-
ing and effective use. The recommendations form part of an
ongoing research and development process and some of
them are currently being addressed.
A comprehensive and complete bank of questions should be devel-
oped. It is recommended that some quality time be spent to
research this aspect of the model more in depth. The model
can only be successful if the ‘‘right’’ questions are asked to
obtain correct data as input to the model. Cognizance
should be taken from current best practices as described
by various resources/organizations e.g. the Information Se-
curity Forum (ISF) and ISO 17799.
A comprehensive set of questions is necessary to ensure,
firstly that a different set of randomly selected questions is
used every time the model is applied (if respondents have to
answer the same questions every time, they might ‘‘learn’’
what the expected responses are) and secondly, to present
different questions, randomly selected, to respondents in the same office or region (to prevent respondents discussing questions and coming up with consensus answers).
Fig. 3 – Overall awareness level (Awareness 65%, Non-awareness 35%).
Fig. 4 – (a) Regional awareness map of Australia; (b) global awareness map. Rows: focus areas (Adhere to policies, Keep passwords secret, E-mail and internet, Mobile equipment, Report security incidents, Actions consequences); columns: dimensions with weights (Behaviour 50, Attitude 20, Knowledge 30), total awareness per dimension and total awareness per focus area; regions on the global map: South Africa, Corporate Office, East and West Africa, Australia, North America, South America. Legend: Satisfactory – no need for action; Monitor – action potentially required; Unsatisfactory – action required.
computers & security 25 (2006) 289–296 294
Importance weightings should be obtained from relevant managers. The effectiveness of the measurements produced by the model depends on a proper evaluation (importance weights) of factors. These importance evaluations of factors are based on management’s professional judgment and opinion, and it is therefore imperative that the right level of management be identified and that sufficient time is allowed for gathering their ratings and converting them into input to the model.
The use of practical system data obtained from, for example, a system administrator should be considered. Due to time constraints this was not fully explored during the test of the prototype. Practical data from a system could (should) be used as additional input to the model to test behaviour factors. Such data would be more reliable (not subjective or human dependent) and easy to obtain without using staff’s working time to complete (longer) questionnaires. Examples may include the number of virus infections, requests to visit unauthorized websites, the number of IT security incidents, etc. To further enhance the quality of behaviour data, the Internal Audit department might be considered as an aid to assist with compliance tests.
The tool should be automated. The information gathering process and the importance weight allocation process should be developed into a web-based tool that is controlled from a central point and then made available to regions. The tool should:
- Randomly generate a new set of questions every time it is used and then present it to the respondents
- Facilitate the allocation of importance weights
- Automatically feed the responses (questionnaires and importance weights) into the model
- Solve the model and perform reporting activities (graphs, awareness maps and drill down facilities)
- Keep track of responses from regions (database)
- Keep track of awareness levels each time the model is applied
- Automatically calculate, update and report on changes from one model application to the next (index figures)
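The scoring and reporting steps listed above, as an added example in Python that is neither the paper's nor the company's own tool: it samples a fresh question set for each model application, scores the responses per focus area and dimension, collapses them with the dimension weights shown on the awareness map (behaviour 50, attitude 20, knowledge 30) and with management importance weights, places the result in one of the map's three action bands, and reports the index change between two applications. The six focus areas are those named on the awareness map; the question bank, the respondents' answers, the importance weights and the 80/60 band cut-offs are constructed assumptions.

```python
"""Added example, not the paper's tool: awareness scoring and reporting steps.
Dimension weights (behaviour 50 / attitude 20 / knowledge 30) and the six focus
areas come from the page's awareness map; everything else is a constructed
assumption (question bank, answers, importance weights, action thresholds)."""
import random
from dataclasses import dataclass

DIMENSIONS = {"behaviour": 50, "attitude": 20, "knowledge": 30}   # weights from Fig. 4
FOCUS_AREAS = ["Adhere to policies", "Keep passwords secret", "E-mail and internet",
               "Mobile equipment", "Report security incidents", "Actions consequences"]
# Assumed importance weights a manager might assign to the focus areas (sum to 100).
IMPORTANCE = {"Adhere to policies": 20, "Keep passwords secret": 20,
              "E-mail and internet": 15, "Mobile equipment": 10,
              "Report security incidents": 20, "Actions consequences": 15}
# Assumed cut-offs for the awareness map's three action bands (the page names the
# bands but not their values).
SATISFACTORY, MONITOR = 80.0, 60.0


@dataclass(frozen=True)
class Question:
    qid: str
    focus_area: str
    dimension: str
    expected: bool  # the "aware" answer to a true/false statement


def build_question_bank(per_cell=4):
    """Constructed bank with per_cell statements for every focus area x dimension."""
    return [Question(f"FA{i}-{dim[:3]}-{n}", fa, dim, n % 2 == 0)
            for i, fa in enumerate(FOCUS_AREAS) for dim in DIMENSIONS for n in range(per_cell)]


def sample_questionnaire(bank, per_cell, seed):
    """Pick per_cell random questions from every cell. A different seed for each
    model application (or each office) gives a different question set, so
    respondents can neither learn the expected answers nor agree on them."""
    rng = random.Random(seed)
    chosen = []
    for fa in FOCUS_AREAS:
        for dim in DIMENSIONS:
            cell = [q for q in bank if q.focus_area == fa and q.dimension == dim]
            chosen.extend(rng.sample(cell, per_cell))
    return chosen


def cell_scores(questionnaire, answers):
    """answers: {respondent: {qid: bool}} -> {(focus_area, dimension): % correct}."""
    correct, total = {}, {}
    for q in questionnaire:
        key = (q.focus_area, q.dimension)
        for given in answers.values():
            if q.qid in given:
                total[key] = total.get(key, 0) + 1
                correct[key] = correct.get(key, 0) + int(given[q.qid] == q.expected)
    return {k: 100.0 * correct[k] / total[k] for k in total}


def awareness_per_focus_area(scores):
    """Collapse the three dimensions of each focus area using the dimension weights."""
    return {fa: sum(scores[(fa, d)] * w for d, w in DIMENSIONS.items()) / 100
            for fa in FOCUS_AREAS}


def awareness_per_dimension(scores, importance=IMPORTANCE):
    """Collapse the focus areas of each dimension using the importance weights."""
    return {d: sum(scores[(fa, d)] * importance[fa] for fa in FOCUS_AREAS) / 100
            for d in DIMENSIONS}


def overall_awareness(scores, importance=IMPORTANCE):
    """Single awareness figure: focus-area scores weighted by importance."""
    per_fa = awareness_per_focus_area(scores)
    return sum(per_fa[fa] * importance[fa] for fa in FOCUS_AREAS) / 100


def action_level(score):
    """Place a score in one of the awareness map's action bands (assumed cut-offs)."""
    if score >= SATISFACTORY:
        return "Satisfactory - no need for action"
    if score >= MONITOR:
        return "Monitor - action potentially required"
    return "Unsatisfactory - action required"


def index_change(previous, current):
    """Change between two model applications: points and percentage of the earlier figure."""
    return round(current - previous, 1), round(100.0 * (current - previous) / previous, 1)


if __name__ == "__main__":
    bank = build_question_bank()
    questionnaire = sample_questionnaire(bank, per_cell=2, seed=2006)
    # Constructed answers: one fully aware respondent and one who gets every
    # "Mobile equipment" behaviour statement wrong.
    aware = {q.qid: q.expected for q in questionnaire}
    careless = {q.qid: ((not q.expected) if q.focus_area == "Mobile equipment"
                        and q.dimension == "behaviour" else q.expected)
                for q in questionnaire}
    scores = cell_scores(questionnaire, {"r1": aware, "r2": careless})
    for fa, level in awareness_per_focus_area(scores).items():
        print(f"{fa:26s} {level:5.1f}  {action_level(level)}")
    overall = overall_awareness(scores)
    print(f"overall {overall:.1f}  {action_level(overall)}")
    print("change vs. previous application (assumed 65.0):", index_change(65.0, overall))
```

The aggregation functions take a plain {(focus area, dimension): percentage} mapping rather than the questionnaire itself, so a behaviour percentage derived from system data (incident counts, blocked website requests) can replace the questionnaire score for a behaviour cell without changing the rest of the calculation, which is the point of the third recommendation above. Applying the importance weights first and the dimension weights second gives the same overall figure, which is a useful check when the tool's output is reconciled against the awareness map.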
5. Conclusion
There are numerous reasons why organisations have to spend effort and resources on the evaluation or measurement of information security awareness successes. Posthumus and Von Solms (2004) motivated the need to integrate information security into corporate governance and proposed a framework to aid organisations in their integration efforts. The importance of an information security awareness-measuring tool can therefore – apart from reasons such as return on investment, re-directing of security campaigns, etc. – also be linked to the highest management level in an organisation. Information security has much to do with management, and aspects such as directing and controlling are important. These aspects are functions of the Board of directors of a company and, for them to fulfill their role and have a proper corporate and information security governance framework in place, they need feedback on what is happening in the company in terms of information security. The awareness measurement tool developed in this study may assist a great deal in providing feedback to the Board of directors on the success of an information security awareness program, and will assist them in their function of controlling and directing the strategic objectives set for information security.
Having implemented an information security awareness program does not automatically guarantee that all employees understand their role in ensuring the security and safeguarding of information and information assets. In order for security awareness programs to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to follow a structured approach to study and measure their effect.
This paper described the development of a prototype to measure information security awareness at an international gold mining company. The model makes use of a simple data gathering process and weighting system and, combined with certain multi-criteria problem solution techniques, provides a quantitative measurement of security awareness levels. It is based on the sound principles of sustainability, sophistication and scientific validity and could be used as a basis for a more comprehensive and sophisticated measuring system. The model offers several opportunities for enhancement and several aspects are currently being considered to improve the model, e.g. the use of a 5- or 7-point Likert-type scale to evaluate questions, a more user-friendly system to derive importance weights, etc. The tool will also be applied in other regions, and more data will increase insight into the model and the framework and may lead to further enhancements.
Acknowledgement
The authors would like to thank Prof Rossouw von Solms of the Nelson Mandela Metropolitan University for the useful comments and suggestions made. The authors alone are responsible for any errors and omissions.
References
Belton V, Stewart TJ. Multiple criteria decision analysis. An integrated approach. Dordrecht: Kluwer Academic Publishers; 2002.
CERT/CC. Date revised. CERT/CC statistics 1988–2004. Web: <http://www.cert.org/cert_stats.html>; 2004 [accessed September 2004].
CSI. CSI/FBI computer crime and security survey. Computer Security Institute; 2004.
Feldman RS. Understanding psychology. 5th ed. Boston, River Ridge, IL: McGraw-Hill College; 1999.
Furnell SM, Gennatou M, Dowland PS. A prototype tool for information security awareness and training. Logistics Information Management 2002;15(5/6):352–7.
Hansche S. Designing a security awareness program: Part 1. Information Systems Security January/February 2001:14–22.
ISF. Effective security awareness – workshop report. Information Security Forum; April 2002.
ISF. The standard of good practice for information security. Version 4.0. Information Security Forum; 2003.
ISO 17799. Information technology, code of practice for information security management. Geneva: International Standards Organisation; 2000.
Leach J. Improving user security behaviour. Computers and Security 2003;22(8):685–92.
Martins A, Eloff JHP. Measuring information security, <http://philby.ucsd.edu/wcse291_IDVA/papers/rating-position/Martins.pdf>; 2001 [accessed August 2004].
Michener HA, Delamater JD. Social psychology. 3rd ed. Orlando, Florida: Harcourt Brace College Publishers; 1994.
Pentasafe. Security awareness index report: the state of security awareness among organisations worldwide. Pentasafe Security Technologies; 2002. p. 55.
Posthumus S, Von Solms R. A framework for the governance of information security. Computers and Security 2004;23(8):638–46.
Saaty TL. The analytic hierarchy process. McGraw-Hill; 1980.
Schlienger T, Teufel S. Information security culture – from analysis to change. South African Computer Journal 2003;31:46–52.
Spurling P. Promoting security awareness and commitment. Information Management and Computer Security 1995;3(2):20–6.
Stanton JM, Stam KR, Mastrangelo P, Jolton J. Analysis of end user security behaviours. Computers and Security 2005;24(2):124–33.
Taylor BW. Introduction to management science. 7th ed. Prentice Hall; 2002.
Teare G, Da Veiga A. Information security culture and awareness. Paper presented at the 2003 ISSA Conference, Sandton Convention Centre, South Africa; 9–11 July 2003.
Thompson ME, Von Solms R. Information security awareness: educating your users effectively. Information Management and Computer Security 1998;6(4):167–73.
Vaida OS, Kumar S. Analytic hierarchy process: an overview of applications. European Journal of Operational Research 2006;169(1):1–29.
Vargas LG, Dougherty JJ. The analytic hierarchy process and multicriterion decision making. American Journal of Mathematical and Management Sciences 1982;19(1):59–92.
Von Solms R, Von Solms B. From policies to culture. Computers and Security 2004;23(4):275–9.
Kruger HA is an Associate Professor in the School of Computer-, Statistical- and Mathematical Sciences at the North-West University (Potchefstroom Campus) in South Africa. He previously worked for Anglo American Corporation as a senior Computer Auditor and has more than 10 years’ experience in Information Risk Management. He has a PhD in Computer Science, an MCom (Information Systems) and an MSc (Mathematical Statistics). His current interests include decision modeling and the use of linear programming models.
Kearney WD currently works as a Manager, IT Risk and Compliance. He has over 15 years’ experience in Information Risk Management in a number of positions in large international companies, the last 5 years with AngloGold Ashanti. He has an MSc degree, numerous diplomas, and earned a number of certifications, including CISA and CIA. He was also successful in passing the CISM exam and has applied for certification. He is currently registered for a PhD (Information Security) and is a member of ISACA (Perth Chapter) and the Computer Society of South Africa.