Abstract

Users of information systems are the weakest link in information security. Considering their current information security performance is essential for improving information security training. User segmentation can help to improve information security training by dividing users into smaller groups based on their information security performance. In this paper, we present a segmented approach for information security training of users. To test the approach, we used data collected from students at a Slovenian university (N=165) with the Human Aspects of Information Security Questionnaire (HAIS-Q). The HAIS-Q data were used to divide users into groups according to their information security performance via clustering. The proposed approach inherently balances adaptation of training to the needs of users against the effort needed to achieve it, which maximizes the key benefits of existing information security training approaches. With improved personalization, it mitigates the challenges related to training boringness and lack of user motivation that are emblematic of traditional information security training approaches. The proposed approach also offers some flexibility regarding the degree of personalization and the effort related to information security training by fine-tuning the number of user groups. Finally, the proposed approach can help to identify beneficial software security requirements during the development of new information systems.

Highlights

  • People are known to be the weakest link in information security [1], [2]

  • These results indicate that high risk users need substantial training in all seven Human Aspects of Information Security Questionnaire (HAIS-Q) focus areas with special attention to social media use, internet use and incident reporting as their average scores for these focus areas were lower than 2 on the scale from 1 to 5

  • As this group consists of only 4 users, it may be reasonable to limit their access to the information system until their information security performance improves if possible
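The segmentation described in the abstract and highlights, as an added example that is not the paper's own code: constructed HAIS-Q-style scores for eight users on the seven focus areas (1 to 5 scale) are clustered with plain k-means into three groups, and each group's per-area averages below 2 mark the areas where training should concentrate, mirroring the high-risk group above. The responses, the deterministic centroid initialisation and the group count of 3 are assumptions.

```python
"""Segment HAIS-Q respondents into risk groups by clustering their
focus-area scores, then derive a per-group training profile."""
from statistics import mean

# The seven HAIS-Q focus areas; each is scored on a 1-5 scale per respondent.
FOCUS_AREAS = ["password management", "email use", "internet use",
               "social media use", "mobile devices", "information handling",
               "incident reporting"]

# Constructed sample responses (not the paper's data): one row per user.
RESPONSES = {
    "u01": [4.6, 4.4, 4.5, 4.2, 4.4, 4.7, 4.3],
    "u02": [4.8, 4.5, 4.3, 4.4, 4.6, 4.5, 4.4],
    "u03": [4.4, 4.7, 4.6, 4.1, 4.3, 4.4, 4.6],
    "u04": [3.2, 3.4, 3.0, 3.1, 3.5, 3.3, 2.9],
    "u05": [3.0, 3.1, 3.3, 2.8, 3.2, 3.4, 3.1],
    "u06": [3.4, 3.3, 2.9, 3.2, 3.0, 3.1, 3.3],
    "u07": [2.4, 2.6, 1.5, 1.3, 2.5, 2.3, 1.6],
    "u08": [2.2, 2.3, 1.7, 1.6, 2.4, 2.1, 1.8],
}

def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans(points, k, iters=100):
    """Plain k-means (assumed clustering method). Initial centroids are
    spread deterministically across respondents ranked by overall mean."""
    ranked = sorted(points, key=mean)
    step = (len(ranked) - 1) // max(k - 1, 1)
    centroids = [list(ranked[min(i * step, len(ranked) - 1)]) for i in range(k)]
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda c: _dist2(p, centroids[c])) for p in points]
        for c in range(k):
            members = [p for p, l in zip(points, new) if l == c]
            if members:  # keep the old centroid if a cluster empties out
                centroids[c] = [mean(col) for col in zip(*members)]
        if new == labels:
            break
        labels = new
    return labels

def segment(responses, k=3, weak_threshold=2.0):
    """Group users and rank groups from highest risk (0) to lowest.
    Each group lists members, per-area averages and areas below threshold."""
    ids = list(responses)
    labels = kmeans([responses[i] for i in ids], k)
    groups = []
    for c in range(k):
        members = [i for i, l in zip(ids, labels) if l == c]
        if members:
            avgs = [mean(col) for col in zip(*(responses[i] for i in members))]
            groups.append((members, avgs))
    groups.sort(key=lambda g: mean(g[1]))  # lowest overall score first
    return {rank: {"members": m, "averages": dict(zip(FOCUS_AREAS, a)),
                   "weak_areas": [f for f, v in zip(FOCUS_AREAS, a) if v < weak_threshold]}
            for rank, (m, a) in enumerate(groups)}
```

Raising `k` gives finer-grained groups at the cost of more training variants to maintain, which is the trade-off the abstract describes.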

Introduction

People are known to be the weakest link in information security [1], [2]. Lack of sufficient information security can lead to loss of finances and reputation [3]. If we want to know the state of information security in an organization, we need to apply appropriate measurement methods [4] such as qualitative and quantitative metrics. Given that qualitative metrics often lead to uncertain conclusions, quantitative metrics may be more appropriate [4]. Information security has conventionally been focused on technical solutions. The importance of human factors has become increasingly recognized because technical solutions alone cannot sufficiently mitigate security vulnerabilities [1]. In order for users to use information systems securely, they must be properly trained
