Research Review on Measuring Information Security Awareness

Abstract

One of the factors that contributes to unauthorized parties releasing confidential company information, including employee personal information, is a lack of awareness of employee information security. This is a critical concern that needs to be addressed immediately by strengthening the company's information security culture and raising employee awareness of security. To enhance the clarity and emphasis of the reform policy, it is crucial to evaluate employee awareness of information security. This paper discusses several approaches that have been employed, either as models or frameworks, to evaluate an organization's level of information security awareness. With the aid of inclusion and exclusion criteria, we chose 16 papers out of the 842 that were included in the systematic literature review. Three components are commonly used to assess information security awareness: knowledge (what is already known), attitude (what is thought to be appropriate to do), and habit (what is usually done). Measurements that encompass these three aspects employ the Knowledge, Attitude, and Behavior (KAB) paradigm. This study might be a reference for organizations to measure their employees’ security awareness. Several findings are also discussed in this paper.