scholarly journals Information security awareness in a developing country context: insights from the government sector in Saudi Arabia

2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Raneem AlMindeel ◽  
Jorge Tiago Martins
Keyword(s):  
Saudi Arabia ◽  
Information Security ◽  
Developing Country ◽  
Single Case ◽  
Security Awareness ◽  
Content Type ◽  
Information Security Awareness ◽  
Study Approach ◽  
Government Sector ◽  
The Government

PurposeThe purpose of this paper is to increase understanding of employee information security awareness in a government sector setting and illuminate the problems that public sector organisations in a developing context face when seeking to establish an information security awareness programme.Design/methodology/approachAn interpretive research design was followed to develop an empirically enriched understanding of information security awareness perceptions, aspirations, challenges and enablers in the context of Saudi Arabia as a developing country. The study adopts a single-case study approach, including face-to-face interviews with senior employees, as well as document analysis.FindingsThe paper theorises the importance of individual information security awareness, knowledge and behaviour and identifies a number of facilitating conditions: customisation to employee and organisational needs, interactivity, innovation, frequency, integration of both electronic and physical learning resources and rewarding the acquisition of in-depth security-related actionable knowledge.Originality/valueThis study is one of the first to examine information security awareness as a socio-technical process within a government sector organisation in a developing country context.

Institutional logics and risk management practices in government entities: evidence from Saudi Arabia

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Peter Murr ◽  
Nieves Carrera
Keyword(s):  
Risk Management ◽  
Saudi Arabia ◽  
Management Practices ◽  
Single Case ◽  
Institutional Logics ◽  
Content Type ◽  
Traditional Logic ◽  
Adoption And Implementation ◽  
The Government

Purpose This study aims to understand how institutional logics influence the adoption and implementation of risk management (RM) practices by government entities in a non-western, developing country. Design/methodology/approach This study draws on the institutional logics perspective (ILP) to analyze a case study of a government entity in Saudi Arabia. Data were obtained from semi-structured interviews, observations and documentary evidence. Findings Findings suggest that the adoption and implementation of RM projects by Saudi governmental agencies was rooted in a traditional logic, even though the catalyst of the government for adopting a RM culture across government agencies was framed within a reform program inspired by a modernization logic. In the entity under investigation, the RM project led to an unstable situation where actors were confronted with these two competing logics. Although the project used manifestations of a modernization logic, the actions of individuals within the organization were embedded in a traditional logic. Research limitations/implications The study is based on a single case study in a specific country, limiting the generalizability of the findings. Originality/value This study provides novel evidence of the adoption and implementation of RM in governmental entities in a developing, non-western, country using ILP. Doing so enhances our knowledge about how managers struggle with competing institutional logics in an underexplored setting and enriches current accounts of key drivers and barriers of RM. It also addresses calls for a deeper understanding of the logics and managerial practices interplay in the public sector.

Readiness for information security of teachers as a function of their personality traits and their assessment of threats

2020 ◽  
Vol 72 (5) ◽  
pp. 787-812
Author(s):  
Noa Aharony ◽  
Dan Bouhnik ◽  
Nurit Reich
Keyword(s):  
Information Security ◽  
Personality Traits ◽  
Cultural Change ◽  
Design Methodology ◽  
Educational Institutions ◽  
Security Awareness ◽  
Content Type ◽  
Information Security Awareness ◽  
Secure Information ◽  
The Impact

PurposeThis study examines the impact of personality traits on the degree of challenge experienced by individuals with respect to the threat on their information, the evaluation of their self-efficacy to secure the information and hence, their readiness to secure information.Design/methodology/approachThe study's population consisted of 157 teachers from various educational institutions across Israel. We used five questionnaires to gather data.FindingsFindings reveal a link between participants' personality traits, situation evaluation indicators and their readiness to secure information. Further, the greater subjects' information security awareness and familiarity with information security concepts, the better their application of the tools for securing information will be.Originality/valueThe importance of this research lies primarily in that it highlights the importance of individual differences while dealing with information security awareness. The findings constitute a theoretical and empirical basis for building tools toward guiding teachers to protect their information, as well as for devising educational and pedagogic programs for making a cultural change.

Recommendations for information security awareness training for college students

2014 ◽  
Vol 22 (1) ◽  
pp. 115-126 ◽  
Author(s):  
Eyong B. Kim
Keyword(s):  
College Students ◽  
Information Security ◽  
New England ◽  
Web Sites ◽  
Security Awareness ◽  
Awareness Training ◽  
Content Type ◽  
Information Security Awareness ◽  
The Status ◽  
Security Awareness Training

Purpose – The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT). Design/methodology/approach – Based on a review of the literature and theoretical standpoints as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided. Findings – College students understand the importance and the need for ISAT but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from variety of sources. Practical implications – Universities can assess their ISAT for students based on the findings of this study. Originality/value – If any universities want to improve their current ISAT, or establish it, the findings of this study offer some guidelines.

Factors affecting organizational adoption and acceptance of computer-based security awareness training tools

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Laila Dahabiyeh
Keyword(s):  
Information Security ◽  
Online Reviews ◽  
Security Awareness ◽  
Key Factors ◽  
Awareness Training ◽  
Organizational Adoption ◽  
Content Type ◽  
Information Security Awareness ◽  
Computer Based ◽  
Security Awareness Training

Purpose As insiders remain to be a main reason behind security breaches, effective information security awareness campaigns become critical in protecting organizations from security incidents. The purpose of this paper is to identify factors that influence organizational adoption and acceptance of computer-based security awareness training tools. Design/methodology/approach The paper uses content analysis of online reviews of the top ten computer-based security awareness training tools that received Gartner peer insights Customers’ Choice 2019 award. Findings This study identifies nine critical adoption and success factors. These are synthesized into a conceptual framework based on the technology–organization–environment framework. The findings reveal that technological, organizational and environmental factors come into play in adoption decisions but with varying degrees of importance. Practical implications This study highlights key factors that technology vendors should take into consideration when designing computer-based security awareness training tools to increase adoption rates. Originality/value This research offers a novel contribution to the literature on information security awareness delivery methods by identifying key factors that influence organizational adoption and acceptance of computer-based security awareness training tools. Those factors were identified using content analysis of online reviews, which is a new methodological approach to the information security awareness literature.

Modeling anti-malware use intention of university students in a developing country using the theory of planned behavior

Kybernetes ◽  
2019 ◽  
Vol 48 (8) ◽  
pp. 1565-1585
Author(s):  
Ali Vafaei-Zadeh ◽  
Ramayah Thurasamy ◽  
Haniruzila Hanifah
Keyword(s):  
Information Security ◽  
Theory Of Planned Behavior ◽  
Planned Behavior ◽  
Price Level ◽  
Subjective Norms ◽  
Intention To Use ◽  
Security Awareness ◽  
Content Type ◽  
Information Security Awareness ◽  
Perceived Price

Purpose This paper aims to investigate the impact of perceived price level and information security awareness on computer users’ attitude. Moreover, this study aims to investigate the effect of attitude, subjective norms and perceived behavioral control (PBC) on intention to use anti-malware software. Design/methodology/approach Data were collected using a structured questionnaire from 225 students of five public universities in Malaysia. Purposive sampling technique was used in this study. AMOS 24 was used to test the research framework using a two-step approach. Findings Findings give support to some of the hypotheses developed with R2 values of 0.521 for attitude and 0.740 for intention. Perceived price level had a negative effect on attitude while information security awareness had a positive effect on attitude and intention. Attitude, subjective norms and PBC were all positively related to intention, but perceived price level did not affect intention. This suggests that benefits of using anti-malware are more than its price value. Therefore, the price has no direct effect on intention to use. Research limitations/implications University computer networks are as open and inviting as their campuses. Therefore, this research can be helpful to the universities to safeguard their networks and encourage the students to use anti-malware. However, using anti-malware software will enable an individual to identify and prioritize security risks, quickly detect and mitigate security breaches, improve the understanding of security gaps and safeguard the sensitive data by minimizing the risks related to malware. Originality/value This study ventured to model the information security behavior of anti-malware usage by individual users by using the theory of planned behavior with the addition of two new variables, perceived price level and information security awareness to explain the behavior better.

Matching training to individual learning styles improves information security awareness

2019 ◽  
Vol 28 (1) ◽  
pp. 1-14 ◽  
Author(s):  
Malcolm Pattinson ◽  
Marcus Butavicius ◽  
Meredith Lillie ◽  
Beau Ciccarello ◽  
Kathryn Parsons ◽  
...  
Keyword(s):  
Information Security ◽  
Learning Styles ◽  
Cyber Security ◽  
Security Awareness ◽  
Content Type ◽  
Information Security Awareness ◽  
Security Controls ◽  
Human Aspects ◽  
Security Training ◽  
Different Types

Purpose This paper aims to introduce the concept of a framework of cyber-security controls that are adaptable to different types of organisations and different types of employees. One of these adaptive controls, namely, the mode of training provided, is then empirically tested for its effectiveness. Design/methodology/approach In total, 1,048 working Australian adults completed the human aspects of the information security questionnaire (HAIS-Q) to determine their individual information security awareness (ISA). This included questions relating to the various modes of cyber-security training they had received and how often it was provided. Also, a set of questions called the cyber-security learning-styles inventory was used to identify their preferred learning styles for training. Findings The extent to which the training that an individual received matched their learning preferences was positively associated with their information security awareness (ISA) level. However, the frequency of such training did not directly predict ISA levels. Research limitations/implications Further research should examine the influence of matching cyber-security learning styles to training packages more directly by conducting a controlled trial where the training packages provided differ only in the mode of learning. Further research should also investigate how individual tailoring of aspects of an adaptive control framework (ACF), other than training, may improve ISA. Practical implications If cyber-security training is adapted to the preferred learning styles of individuals, their level of ISA will improve, and therefore, their non-malicious behaviour, whilst using a digital device to do their work, will be safer. Originality/value A review of the literature confirmed that ACFs for cyber-security does exist, but only in terms of hardware and software controls. There is no evidence of any literature on frameworks that include controls that are adaptable to human factors within the context of information security. In addition, this is the first study to show that ISA is improved when cyber-security training is provided in line with an individual’s preferred learning style. Similar improvement was not evident when the training frequency was increased suggesting real-world improvements in ISA may be possible without increasing training budgets but by simply matching individuals to their desired mode of training.

Organisational culture, procedural countermeasures, and employee security behaviour

2017 ◽  
Vol 25 (2) ◽  
pp. 118-136 ◽  
Author(s):  
Lena Yuryna Connolly ◽  
Michael Lang ◽  
John Gathegi ◽  
Doug J. Tygar
Keyword(s):  
Information Security ◽  
Organisational Culture ◽  
Security Awareness ◽  
Deterrence Theory ◽  
Content Type ◽  
General Deterrence ◽  
Information Security Awareness ◽  
Security Breaches ◽  
Technical Issues ◽  
Security Countermeasures

Purpose This paper provides new insights about security behaviour in selected US and Irish organisations by investigating how organisational culture and procedural security countermeasures tend to influence employee security actions. An increasing number of information security breaches in organisations presents a serious threat to the confidentiality of personal and commercially sensitive data. While recent research shows that humans are the weakest link in the security chain and the root cause of a great portion of security breaches, the extant security literature tends to focus on technical issues. Design/methodology/approach This paper builds on general deterrence theory and prior organisational culture literature. The methodology adapted for this study draws on the analytical grounded theory approach employing a constant comparative method. Findings This paper demonstrates that procedural security countermeasures and organisational culture tend to affect security behaviour in organisational settings. Research limitations/implications This paper fills the void in information security research and takes its place among the very few studies that focus on behavioural as opposed to technical issues. Practical implications This paper highlights the important role of procedural security countermeasures, information security awareness and organisational culture in managing illicit behaviour of employees. Originality/value This study extends general deterrence theory in a novel way by including information security awareness in the research model and by investigating both negative and positive behaviours.

Managing information security awareness at an Australian bank: a comparative study

2017 ◽  
Vol 25 (2) ◽  
pp. 181-189 ◽  
Author(s):  
Malcolm Pattinson ◽  
Marcus Butavicius ◽  
Kathryn Parsons ◽  
Agata McCormac ◽  
Dragana Calic
Keyword(s):  
Information Security ◽  
Learning Styles ◽  
International Standards ◽  
Future Research ◽  
Security Awareness ◽  
Web Based ◽  
Content Type ◽  
Information Security Awareness ◽  
Human Aspects ◽  
Major Factors

Purpose The aim of this study was first to confirm that a specific bank’s employees were generally more information security-aware than employees in other Australian industries and second to identify the major factors that contributed to this bank’s high levels of information security awareness (ISA). Design/methodology/approach A Web-based questionnaire (the Human Aspects of Information Security Questionnaire – HAIS-Q) was used in two separate studies to assess the ISA of individuals who used computers at their workplace. The first study assessed 198 employees at an Australian bank and the second study assessed 500 working Australians from various industries. Both studies used a Qualtrics-based questionnaire that was distributed via an email link. Findings The results showed that the average level of ISA among bank employees was consistently 20 per cent higher than that among general workforce participants in all focus areas and overall. There were no significant differences between the ISA scores for those who received more frequent training compared to those who received less frequent training. This result suggests that the frequency of training is not a contributing factor to an employee’s level of ISA. Research limitations/implications This current research did not investigate the information security (InfoSec) culture that prevailed within the bank in question because the objective of the research was to compare a bank’s employees with general workforce employees rather than compare organisations. The Research did not include questions relating to the type of training participants had received at work. Originality/value This study provided the bank’s InfoSec management with evidence that their multi-channelled InfoSec training regime was responsible for a substantially higher-than-average ISA for their employees. Future research of this nature should examine the effectiveness of various ISA programmes in light of individual differences and learning styles. This would form the basis of an adaptive control framework that would complement many of the current international standards, such as ISO’s 27000 series, NIST’s SP800 series and ISACA’s COBIT5.

Exploring the relationship between student mobile information security awareness and behavioural intent

2015 ◽  
Vol 23 (4) ◽  
pp. 406-420 ◽  
Author(s):  
Bukelwa Ngoqo ◽  
Stephen V. Flowerday
Keyword(s):  
Information Security ◽  
Mobile Phone ◽  
Undergraduate Students ◽  
Security Awareness ◽  
Human Errors ◽  
Content Type ◽  
Information Security Awareness ◽  
Student Information ◽  
Key Aspects ◽  
The Relationship

Purpose – The purpose of this paper was to analyse existing theories from the social sciences to gain a better understanding of factors which contribute to student mobile phone users’ poor information security behaviour. Two key aspects associated with information security behaviour were considered, namely, awareness and behavioural intent. This paper proposes that the knowing-and-doing gap can possibly be reduced by addressing both awareness and behavioural intent. This research paper explores the relationship between student mobile phone user information security awareness and behavioural intent in a developmental university in South Africa. Design/methodology/approach – Information security awareness interventions were implemented in this action research study, and student information security behavioural intent was observed after each cycle. Findings – The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context, as most undergraduate students are offered a computer-related course which covers certain information security-related principles. Existing researchers in the field of information security still grapple with the “knowing-and-doing” gap, where user information security knowledge/awareness sometimes does not result in safer behavioural practises. Originality/value – Zhang et al. (2009) suggest that understanding human behaviour is important when dealing with the problems caused by human errors. Harnesk and Lindstrom (2011) expressed a concern that existing research does not address the interlinked relationship between anticipated security behaviour and the enactment of security procedures. This study acknowledges Choi et al. (2008) contribution in their discussions on the “knowing-and-doing gap” suggests a link between awareness and actual behaviour that is confirmed by the findings of this study.

Predicting information security culture among employees of telecommunication companies in an emerging market

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Nurul Asmui Azmi Md Azmi ◽  
Ai Ping Teoh ◽  
Ali Vafaei-Zadeh ◽  
Haniruzila Hanifah
Keyword(s):  
Information Security ◽  
Emerging Market ◽  
Mediating Effect ◽  
Security Awareness ◽  
Content Type ◽  
Security Culture ◽  
Information Security Awareness ◽  
The Relationship ◽  
Information Security Culture ◽  
Telecommunications Companies

Purpose The purpose of this study is to examine factors, which influence information security culture among employees of telecommunications companies. The motivation for this study was the rise in the number of data breach incidents caused by the organizations’ own employees. Design/methodology/approach A total of 139 usable responses were collected via a Web-based questionnaire survey from employees of Malaysian telecommunications companies. Data were analysed by using SmartPLS 3. Findings Security education, training and awareness (SETA) programmes and information security awareness were found to have a positive and significant impact on Information Security Culture. Additionally, self-reported employees’ security behaviour was found to act as a partial mediator on the relationship between information security awareness and information security culture. Research limitations/implications The study was cross-sectional in nature. Therefore, it could not measure changes in population over time. Practical implications The empirical data provides a new perspective on significant elements that influence information security culture in an emerging market. Organizations in the telecommunications industry can now recognize that SETA programmes and information security awareness have a significant impact on information security culture. Employees’ security behaviour also mediates the relationship between information security awareness and information security culture. Originality/value This is the first study to analyse the mediating effect of employees’ security behaviour on the relationship between information security awareness and information security culture in the Malaysian telecommunications context.

Sign in / Sign up

Export Citation Format

Share Document