Success in Security Awareness

Purpose The purpose of this study is to examine factors, which influence information security culture among employees of telecommunications companies. The motivation for this study was the rise in the number of data breach incidents caused by the organizations’ own employees. Design/methodology/approach A total of 139 usable responses were collected via a Web-based questionnaire survey from employees of Malaysian telecommunications companies. Data were analysed by using SmartPLS 3. Findings Security education, training and awareness (SETA) programmes and information security awareness were found to have a positive and significant impact on Information Security Culture. Additionally, self-reported employees’ security behaviour was found to act as a partial mediator on the relationship between information security awareness and information security culture. Research limitations/implications The study was cross-sectional in nature. Therefore, it could not measure changes in population over time. Practical implications The empirical data provides a new perspective on significant elements that influence information security culture in an emerging market. Organizations in the telecommunications industry can now recognize that SETA programmes and information security awareness have a significant impact on information security culture. Employees’ security behaviour also mediates the relationship between information security awareness and information security culture. Originality/value This is the first study to analyse the mediating effect of employees’ security behaviour on the relationship between information security awareness and information security culture in the Malaysian telecommunications context.

Download Full-text

Establishing a Personalized Information Security Culture

Contemporary Challenges and Solutions for Mobile and Multimedia Technologies ◽

10.4018/978-1-4666-2163-3.ch004 ◽

2012 ◽

pp. 53-69 ◽

Cited By ~ 1

Author(s):

Shuhaili Talib ◽

Nathan L. Clarke ◽

Steven M. Furnell

Keyword(s):

Information Security ◽

Home Environment ◽

Security Culture ◽

Information Security Awareness ◽

Use Of Technology ◽

Awareness Programs ◽

Awareness Raising ◽

Knowledge And Practice ◽

Information Security Culture ◽

Individual Security

Good security cannot be achieved through technical means alone and a solid understanding of the issues and how to protect one’s self is required from users. Whilst many initiatives, programs and strategies have been proposed to improve the level of information security awareness, most have been directed at organizations. Given people’s use of technology is primarily focused between the workplace and home; this paper seeks to understand the knowledge and practice relationship between these environments. Through a developed survey, it was identified that the majority of the learning about information security occurred in the workplace, where clear motivations, such as legislation and regulation, existed. Results found that users were more than willing to engage with such awareness raising initiatives. From a comparison of practice between work and home environments, it was found that this knowledge and practice obtained at the workplace was transferred to the home environment. Given this positive transferability of knowledge and the willingness to learn about how to remain secure, an opportunity exists to move away from specific organizational awareness programs and to move towards awareness raising strategies that will develop an all-round individual security culture for users independent of the environment they are operating in.

Download Full-text

Building an effective information security awareness program

Central and Eastern European eDem and eGov Days ◽

10.24989/ocg.338.15 ◽

2020 ◽

Vol 338 ◽

pp. 189-200

Author(s):

Ildikó Legárd

Keyword(s):

Information Security ◽

Human Factor ◽

Significant Risk ◽

Security Awareness ◽

Security Culture ◽

Information Security Awareness ◽

Weakest Link ◽

Awareness Program ◽

Awareness Programs ◽

And Behavior

Many researchers and experts in the field of information security agree that the user is the weakest link in an organization’s chain of information security. Even if the system’s and the stored data’s physical and logical protection is well developed, the human factor exposes security to significant risk. The effective protection against the threats is to provide security awareness through implementing a well-developed and successful Information Security Awareness Program. Although organizations are able to recognize the importance of information security awareness, the implementation of the awareness programs can be difficult. The aim of this study is to help organizations to develop an effective Information Security Awareness Program tailored to the characteristics of the organization. The paper presents how we can build a program that influences and improves the user’s knowledge, attitude and behavior the most towards information security and makes positive changes in the security culture of an organization. To achieve that goal, the study identifies the key elements of the implementation, compares traditional awareness programs with modern trainings and highlights the importance of communication channels and methods. There is no single solution to improve information security, the essay summarizes and shows the most effective techniques that experts can use in order to seize the user’s attention toward information security, to establish credibility and trust, and to motivate action.

Download Full-text

Establishing A Personalized Information Security Culture

International Journal of Mobile Computing and Multimedia Communications ◽

10.4018/jmcmc.2011010105 ◽

2011 ◽

Vol 3 (1) ◽

pp. 63-79 ◽

Cited By ~ 7

Author(s):

Shuhaili Talib ◽

Nathan L. Clarke ◽

Steven M. Furnell

Keyword(s):

Information Security ◽

Home Environment ◽

Security Culture ◽

Information Security Awareness ◽

Use Of Technology ◽

Awareness Programs ◽

Awareness Raising ◽

Knowledge And Practice ◽

Information Security Culture ◽

Individual Security

Good security cannot be achieved through technical means alone and a solid understanding of the issues and how to protect one’s self is required from users. Whilst many initiatives, programs and strategies have been proposed to improve the level of information security awareness, most have been directed at organizations. Given people’s use of technology is primarily focused between the workplace and home; this paper seeks to understand the knowledge and practice relationship between these environments. Through a developed survey, it was identified that the majority of the learning about information security occurred in the workplace, where clear motivations, such as legislation and regulation, existed. Results found that users were more than willing to engage with such awareness raising initiatives. From a comparison of practice between work and home environments, it was found that this knowledge and practice obtained at the workplace was transferred to the home environment. Given this positive transferability of knowledge and the willingness to learn about how to remain secure, an opportunity exists to move away from specific organizational awareness programs and to move towards awareness raising strategies that will develop an all-round individual security culture for users independent of the environment they are operating in.

Download Full-text

Information Security Awareness

Handbook of Research on Social and Organizational Liabilities in Information Security ◽

10.4018/978-1-60566-132-2.ch019 ◽

2009 ◽

pp. 307-324 ◽

Cited By ~ 1

Author(s):

Gary Hinson

Keyword(s):

Information Security ◽

Technical Information ◽

Security Awareness ◽

Educational Activities ◽

Security Culture ◽

Information Security Awareness ◽

Security Controls ◽

Employee Communications ◽

Awareness Programs ◽

Security Awareness Training

This chapter highlights the broad range of factors that are relevant to the design of information security awareness programs, primarily by reference to the literature. It emphasizes the need to supplement technical information security controls with security awareness, training and educational activities to address human vulnerabilities. It outlines requirements noted in standards, laws and regulations, and explains the value of motivational employee communications techniques in creating a security culture.

Download Full-text

The Contributions of Information Security Culture and Human Relations to the Improvement of Situational Awareness

Situational Awareness in Computer Network Defense ◽

10.4018/978-1-4666-0104-8.ch002 ◽

2012 ◽

pp. 10-28 ◽

Cited By ~ 2

Author(s):

Janne Merete Hagen

Keyword(s):

Information Security ◽

Situational Awareness ◽

Near Miss ◽

Business Practices ◽

Human Relations ◽

Security Culture ◽

General Deterrence ◽

Information Security Awareness ◽

Technical Theory ◽

Information Security Culture

The chapter gives an overview of business practices and how people and human relations influence situational awareness and information security in an organization. There is still a long way to go in training employees in information security and improving employees’ information security awareness. Motivated and trained employees have the ability to detect and report security weaknesses and breaches, including near-miss incidents, and in this way, they may provide a valuable defense-in-depth-capability that is often lacking. The chapter discusses two approaches to overcome the barriers to building situational awareness promulgated in the general deterrence theory and socio-technical theory.

Download Full-text

Setting up an Effective Information Security Awareness Programme

ISSE/SECURE 2007 Securing Electronic Business Processes ◽

10.1007/978-3-8348-9418-2_5 ◽

2007 ◽

pp. 49-58 ◽

Cited By ~ 2

Author(s):

Dirk De Maeyer

Keyword(s):

Information Security ◽

Security Awareness ◽

Information Security Awareness ◽

Awareness Programme

Download Full-text

Key elements of an information security culture in organisations

Information and Computer Security ◽

10.1108/ics-12-2016-0095 ◽

2019 ◽

Vol 27 (2) ◽

pp. 146-164 ◽

Cited By ~ 3

Author(s):

Frans Nel ◽

Lynette Drevin

Keyword(s):

South Africa ◽

Information Security ◽

Design Methodology ◽

Online Survey ◽

Security Awareness ◽

Content Type ◽

Security Culture ◽

Key Aspects ◽

Information Security Culture ◽

Initial Framework

Purpose The purpose of this paper is to report on a study that investigated the information security culture in organisations in South Africa, with the aim of identifying key aspects of the culture. The unique aspects for building an information security culture were examined and presented in the form of an initial framework. These efforts are necessary to address the critical human aspect of information security in organisations where risky cyber behaviour is still experienced. Design/methodology/approach Literature was investigated with the focus on the main keywords security culture and information security. The information security culture aspects of different studies were compared and analysed to identify key elements of information security culture after which an initial framework was constructed. An online survey was then conducted in which respondents were asked to assess the importance of the elements and to record possible missing elements/aspects regarding their organisation’s information security culture to construct an enhanced framework. Findings A list of 21 unique security culture elements was identified from the literature. These elements/aspects were divided into three groups based on the frequency each was mentioned or discussed in studies. The number of times an element was found was interpreted as an indication of how important that element/aspect is. A further four aspects were added to the enhanced framework based on the results that emerged from the survey. Originality/value The value of this research is that an initial framework of information security culture aspects was constructed that can be used to ensure that an organisation incorporates all key aspects in its own information security culture. This framework was further enhanced from the results of the survey. The framework can also assist further studies related to the information security culture in organisations for improved security awareness and safer cyber behaviour of employees.

Download Full-text

Computer and information security culture: Findings from two studies

PsycEXTRA Dataset ◽

10.1037/e577452012-006 ◽

2005 ◽

Author(s):

Sara Kraemer ◽

Pascale Carayon

Keyword(s):

Information Security ◽

Security Culture ◽

Information Security Culture

Download Full-text

The formation of information security culture of college students

Informatics and Education ◽

10.32517/0234-0453-2019-34-9-29-36 ◽

2019 ◽

pp. 29-36

Author(s):

I. D. Rudinskiy ◽

D. Ya. Okolot

Keyword(s):

College Students ◽

Information Security ◽

Information Society ◽

Technical Aspect ◽

Data Sources ◽

Structural Components ◽

Security Culture ◽

The Individual ◽

Information Security Culture ◽

Ability And Willingness

The article discusses aspects of the formation of information security culture of college students. The relevance of the work is due to the increasing threats to the information security of the individual and society due to the rapid increase in the number of information services used. Based on this, one of the important problems of the development of the information society is the formation of a culture of information security of the individual as part of the general culture in its socio-technical aspect and as part of the professional culture of the individual. The study revealed the structural components of the phenomenon of information security culture, identified the reasons for the interest in the target group of students. It justifies the need for future mid-level specialists to form an additional universal competency that ensures the individual’s ability and willingness to recognize the need for certain information, to identify and evaluate the reliability and reliability of data sources. As a result of the study, recommendations were formulated on the basis of which a culture of information security for college students can be formed and developed and a decomposition of this process into enlarged stages is proposed. The proposals on the list of disciplines are formulated, within the framework of the study of which a culture of information security can develop. The authors believe that the recommendations developed will help future mid-level specialists to master the universal competency, consisting in the ability and willingness to recognize the need for certain information, to identify and evaluate the reliability and reliability of data sources, as well as to correctly access the necessary information and its further legitimate use, which ultimately forms a culture of information security.

Download Full-text