scholarly journals Building an effective information security awareness program

2020 ◽  
Vol 338 ◽  
pp. 189-200
Author(s):  
Ildikó Legárd
Keyword(s):  
Information Security ◽  
Human Factor ◽  
Significant Risk ◽  
Security Awareness ◽  
Security Culture ◽  
Information Security Awareness ◽  
Weakest Link ◽  
Awareness Program ◽  
Awareness Programs ◽  
And Behavior

Many researchers and experts in the field of information security agree that the user is the weakest link in an organization’s chain of information security. Even if the system’s and the stored data’s physical and logical protection is well developed, the human factor exposes security to significant risk. The effective protection against the threats is to provide security awareness through implementing a well-developed and successful Information Security Awareness Program. Although organizations are able to recognize the importance of information security awareness, the implementation of the awareness programs can be difficult. The aim of this study is to help organizations to develop an effective Information Security Awareness Program tailored to the characteristics of the organization. The paper presents how we can build a program that influences and improves the user’s knowledge, attitude and behavior the most towards information security and makes positive changes in the security culture of an organization. To achieve that goal, the study identifies the key elements of the implementation, compares traditional awareness programs with modern trainings and highlights the importance of communication channels and methods. There is no single solution to improve information security, the essay summarizes and shows the most effective techniques that experts can use in order to seize the user’s attention toward information security, to establish credibility and trust, and to motivate action.

Information Security Awareness

2009 ◽  
pp. 307-324 ◽  
Author(s):  
Gary Hinson
Keyword(s):  
Information Security ◽  
Technical Information ◽  
Security Awareness ◽  
Educational Activities ◽  
Security Culture ◽  
Information Security Awareness ◽  
Security Controls ◽  
Employee Communications ◽  
Awareness Programs ◽  
Security Awareness Training

This chapter highlights the broad range of factors that are relevant to the design of information security awareness programs, primarily by reference to the literature. It emphasizes the need to supplement technical information security controls with security awareness, training and educational activities to address human vulnerabilities. It outlines requirements noted in standards, laws and regulations, and explains the value of motivational employee communications techniques in creating a security culture.

Establishing a Personalized Information Security Culture

2012 ◽  
pp. 53-69 ◽  
Author(s):  
Shuhaili Talib ◽  
Nathan L. Clarke ◽  
Steven M. Furnell
Keyword(s):  
Information Security ◽  
Home Environment ◽  
Security Culture ◽  
Information Security Awareness ◽  
Use Of Technology ◽  
Awareness Programs ◽  
Awareness Raising ◽  
Knowledge And Practice ◽  
Information Security Culture ◽  
Individual Security

Good security cannot be achieved through technical means alone and a solid understanding of the issues and how to protect one’s self is required from users. Whilst many initiatives, programs and strategies have been proposed to improve the level of information security awareness, most have been directed at organizations. Given people’s use of technology is primarily focused between the workplace and home; this paper seeks to understand the knowledge and practice relationship between these environments. Through a developed survey, it was identified that the majority of the learning about information security occurred in the workplace, where clear motivations, such as legislation and regulation, existed. Results found that users were more than willing to engage with such awareness raising initiatives. From a comparison of practice between work and home environments, it was found that this knowledge and practice obtained at the workplace was transferred to the home environment. Given this positive transferability of knowledge and the willingness to learn about how to remain secure, an opportunity exists to move away from specific organizational awareness programs and to move towards awareness raising strategies that will develop an all-round individual security culture for users independent of the environment they are operating in.

scholarly journals Old Monarchy in the New Cyberspace: Empirical Examination of Information Security Awareness among Austrian and Hungarian Enterprises

2015 ◽  
Vol 14 (1) ◽  
pp. 63-78
Author(s):  
Péter Sasvári ◽  
András Nemeslaki ◽  
Wolf Rauch
Keyword(s):  
Information Security ◽  
Empirical Data ◽  
Digital Literacy ◽  
Company Size ◽  
Security Awareness ◽  
Business Sector ◽  
Security Measures ◽  
Empirical Examination ◽  
Information Security Awareness ◽  
And Behavior

Information security awareness is part of organizational culture, a way of thinking and behavior which ensures that the employees of the organizations are committed to acknowledging the legitimacy of security measures, they abide by them and they also make them known to others and enforce their application. After collecting empirical data from 280 Austrian and 470 Hungarian employees of different companies we concluded that the level of information security awareness of managers and employees in the Austrian and Hungarian business sector depends on company size. The level of this type of awareness can be regarded as good in the case of corporations both in Austria and Hungary. A good level of information security awareness was observed among the Austrian medium-sized enterprises. However, in a fifth of their Hungarian counterparts, the employees need further trainings in this area. Security problems can be traced back to poor organization at a fifth of the Austrian small-sized enterprises, a third of the Austrian microenterprises, and three-quarters of the Hungarian microenterprises. In 20% of the Austrian and Hungarian enterprises, employees have distressing gaps in their knowledge in this area, furthermore, it can also be concluded that employees with higher digital literacy have a higher level of information security awareness in Austria compared to the Hungarian business sector.

Establishing A Personalized Information Security Culture

2011 ◽  
Vol 3 (1) ◽  
pp. 63-79 ◽  
Author(s):  
Shuhaili Talib ◽  
Nathan L. Clarke ◽  
Steven M. Furnell
Keyword(s):  
Information Security ◽  
Home Environment ◽  
Security Culture ◽  
Information Security Awareness ◽  
Use Of Technology ◽  
Awareness Programs ◽  
Awareness Raising ◽  
Knowledge And Practice ◽  
Information Security Culture ◽  
Individual Security

Good security cannot be achieved through technical means alone and a solid understanding of the issues and how to protect one’s self is required from users. Whilst many initiatives, programs and strategies have been proposed to improve the level of information security awareness, most have been directed at organizations. Given people’s use of technology is primarily focused between the workplace and home; this paper seeks to understand the knowledge and practice relationship between these environments. Through a developed survey, it was identified that the majority of the learning about information security occurred in the workplace, where clear motivations, such as legislation and regulation, existed. Results found that users were more than willing to engage with such awareness raising initiatives. From a comparison of practice between work and home environments, it was found that this knowledge and practice obtained at the workplace was transferred to the home environment. Given this positive transferability of knowledge and the willingness to learn about how to remain secure, an opportunity exists to move away from specific organizational awareness programs and to move towards awareness raising strategies that will develop an all-round individual security culture for users independent of the environment they are operating in.

Information Security Awareness at Saudi Arabians’ Organizations

2012 ◽  
Vol 6 (3) ◽  
pp. 38-55 ◽  
Author(s):  
Zakarya A. Alzamil
Keyword(s):  
Information Security ◽  
Public Relations ◽  
The State ◽  
Security Threats ◽  
Security Awareness ◽  
Organizational Attitudes ◽  
Information Security Awareness ◽  
It Employees ◽  
Awareness Programs ◽  
Saudi Arabians

Information security awareness is human and organizational attitudes which can be described as a behavior or an attitude of an organization and/or its members towards protecting the organization’s information assets. The goal of this paper is to understand the state of the information security awareness at some of the Saudi Arabians’ organizations, i.e., governments and privates by investigating the perception of their information technology’s employees. The author believes that understanding the state of information security awareness of IT employees can give a better understanding of the level of awareness at the entire organization. The results of this study show that most of the IT employees at the surveyed organizations have some misconceptions about information security practices. In addition, many responses indicated that many IT employees are not aware of the internal information security threats. Such results required very urgent actions from the top management of these organizations to consider the information security awareness programs within their public relations and training programs.

scholarly journals A Reliable Measure of Information Security Awareness and the Identification of Bias in Responses

2017 ◽  
Vol 21 ◽  
Author(s):  
Agata McCormac ◽  
Dragana Calic ◽  
Marcus Butavicius ◽  
Kathryn Parsons ◽  
Tara Zwaans ◽  
...  
Keyword(s):  
Information Security ◽  
Security Awareness ◽  
Cultural Changes ◽  
Information Security Awareness ◽  
Training Interventions ◽  
Human Aspects ◽  
Current State ◽  
Awareness Programs ◽  
Test Retest Reliability ◽  
Security Incidents

The Human Aspects of Information Security Questionnaire (HAIS-Q) is designed to measure Information Security Awareness. More specifically, the tool measures an individual’s knowledge, attitude, and self-reported behaviour relating to information security in the workplace. This paper reports on the reliability of the HAIS-Q, including test-retest reliability and internal consistency. The paper also assesses the reliability of three preliminary over-claiming items, designed specifically to complement the HAIS-Q, and identify those individuals who provide socially desirable responses. A total of 197 working Australians completed two iterations of the HAIS-Q and the over-claiming items, approximately 4 weeks apart. Results of the analysis showed that the HAIS-Q was externally reliable and internally consistent. Therefore, the HAIS-Q can be used to reliably measure information security awareness. Reliability testing on the preliminary over-claiming items was not as robust and further development is required and recommended. The implications of these findings mean that organisations can confidently use the HAIS-Q to not only measure the current state of employee information security awareness within their organisation, but they can also measure the effectiveness and impacts of training interventions, information security awareness programs and campaigns. The influence of cultural changes and the effect of security incidents can also be assessed. 

Sign in / Sign up

Export Citation Format

Share Document