Information Security Training Research Articles

SETA and Security Behavior

This article contends that information security education, training and awareness programs can improve employee security behavior. Empirical studies have analyzed the direct effects of employee security training on security behavior without taking into account the mediating role of employee relations, monitoring, and accountability. Based on employee relations and accountability theories, this study proposes and tests a causal model that estimates the direct effect of employee security training on security behavior as well as its indirect effects as mediated by employee relations, monitoring, and accountability. The empirical analysis relies on a survey data from a cross section of employees from five major industry sectors and a structural equation modeling approach via SmartPLS 3.0. The results show that employee security training has indirect and significant effects on security behavior through its influence on employee relations, monitoring, and accountability. However, the result does not indicate direct and significant effect of security training on employee security behavior.

Аналіз міжнародного досвіду при підготовці майбутніх фахівців з інформаційної безпеки

To date, the training system for future IT professionals on information security and integrated information security systems is quite conservative and has some inertia that must be taken into account when reforming the higher education system, including the cybersecurity training system (information security), in line with the goals and objectives of Ukraine's European integration in higher education in the context of the Bologna Process and the transition to new lists of training areas for professionals in information technology. Given that the training of future information security professionals is relatively new (since it was launched in Ukraine only in 1997 in accordance with the law of Ukraine No. 537-V) and the most dynamic in its activity, the relevance of the development of information security training system is even more relevant. That is why, in this article, we considered how the training of future information security specialists is carried out in institutions of higher education of leading countries in the world. In particular, we have considered countries such as the United States of America, the German Federal Republic, the United Kingdom of Great Britain and Northern Ireland, the French Republic, the Republic of Austria and the Republic of Poland. Basically, in this article we have identified the directions in which future information security specialists are trained in the leading countries of the world, reviewed and analyzed educational programs for the training of information security specialists and disciplines related to professional disciplines. In addition, we identified the main differences in training in a particular country and made a comparative analysis between the training of future information security professionals in Ukraine and the leading countries of the world.

An approach to information security culture change combining ADKAR and the ISCA questionnaire to aid transition to the desired culture

PurposeEmployee behaviour is a continuous concern owing to the number of information security incidents resulting from employee behaviour. The purpose of this paper is to propose an approach to information security culture change management (ISCCM) that integrates existing change management approaches, such as the ADKAR model of Prosci, and the Information Security Culture Assessment (ISCA) diagnostic instrument (questionnaire), to aid in addressing the risk of employee behaviour that could compromise information security.Design/methodology/approachThe ISCCM approach is constructed based on literature and the inclusion of the ISCA diagnostic instrument. The ISCA diagnostic instrument statements are also presented in this paper. The ISCCM approach using ISCA is illustrated using data from an empirical study.FindingsThe ISCCM approach was found to be useful in defining change management interventions for organisations using the data of the ISCA survey. Employees’ perception and acceptance of change to ensure information security and the effectiveness of the information security training initiatives improved significantly from the as-is survey to the follow-up survey.Research limitations/implicationsThe research illustrates the ISCCM approach and shows how it should be combined with the ISCA diagnostic instrument. Future research will focus on including a qualitative assessment of information security culture to complement the empirical data.Practical implicationsOrganisations do not have to rely on or adapt organisational development approaches to change their information security culture – they can use the proposed ISCCM approach, which has been customised from information security and change management approaches, together with the presented ISCA questionnaire, to address information security culture change purposefully.Originality/valueThe proposed ISCCM approach can be applied to complement existing information security management approaches through a holistic and structured approach that combines the ADKAR model, Prosci’s approach of change management and the ISCA diagnostic instrument. It will enable organisations to focus on transitioning to a positive or desired information security culture that mitigates the risk of the human element in the protection of information.

Information Security: Awareness and Training Program in the Middle East Universities

An effective Security Awareness and Training (SAT) program enables organizational members to understand the organization’s security strategies, know their responsibilities, and control risks that are caused by security incidents. Therefore, deploying a SAT program is one of the most important steps for any organization to assure that information assets are appropriately secured. The aim of this paper is into folds: first, to gain an insight and determine the information security awareness and training program levels in Middle Eastern higher education sector through a case study that examined 182 institute websites over eight countries. Second, to provide recommendations based on the findings that aid information security professionals to establish a new or improved existing awareness and training program. Literature showed that no study has been done on the SAT program at the level of the Middle Eastern region. However, there was a need to this investigation and therefore, it was a pioneering study at the region level in the field of information security.

Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education

Higher education institutions have invested heavily in their high-tech infrastructure to ensure the security and integrity of their information. Incompliance with information technology policies has shown to lead to mass information leaks, reputational damage and potential litigation. Little research has been conducted on the subject of employees’ compliance with such sensitive protocols. This paper presents a comprehensive theoretical model based on Theory of Planned Behavior, Protection Motivation Theory, General Deterrence Theory and Organizational Theory for predicting intentions of higher education employees' compliance with information security policies. Utilizing a survey instrument and using Structural Equation Modeling-Partial Least Squares method, this study found that perceived vulnerability, response efficacy and response cost to be the most predictive indicators that are positively associated with intentions of information security compliance among university staff and faculty. But, little support was found for the General Deterrence Theory, Theory of Planned Behavior and Organizational Theory in explaining the variance of higher education staff intentions to comply with information security policies. Results indicated that the Protection Motivation Theory provides the best theoretical framework to understand higher education employees’ behavior with respect to compliance with information security. Such results confirmed earlier empirical investigations attempting to understand the basic question of why do employees differ with respect to compliance with information security. Consistent with the prior research, severe sanctions, close management supervision, peers’ pressure and attitudes towards information security do not matter as much as perceived vulnerability and response efficacy in ensuring higher levels of intentions to comply with ISPs in organizations. The study recommends universities and colleges to invest in applied information security training for their staff, as well as for the university overall community.

Identifying HRM Practices for Improving Information Security Performance

This article focuses on identifying key human resource management (HRM) practices necessary for improving information security performance from the perspective of IT professionals. The Importance-Performance Map Analysis (IPMA) via SmartPLS 3.0 was employed and 232 samples were collected from information technology (IT) professionals in 43 organizations. The analysis identified information security training, background checks and monitoring as very important HRM practices that could improve the performance of organizational information security. In particular, the study found training on mobile devices security and malware; background checks and monitoring of potential, current and former employees as of high importance but with low performance. Thus, these key areas need to be improved with top priority. Conversely, the study found accountability and employee relations as being overly emphasized by the organisations. The findings raised some useful implications and information for HR and IT leaders to consider in future information security strategy.

ANALYSING CHALLENGES OF DEVELOPING ECOTOURISM VILLAGE IN SLEMAN, YOGYAKARTA, INDONESIA: A COMMUNITY DEVELOPMENT APPROACH

Ideally, every government agency must be able to develop training programs and information security awareness in its own environment. But the fact is in Indonesia, not all of government agencies have implemented training programs and information security awareness. Thirteen percent of the respondents surveyed said they already had the program but were not structured and had no guidance, so the program was not well organized. This study provides a structured guide to building an effective information security training and awareness program, based on the ADDIE instructional design model approach (analyze, design, develop, implement, and evaluate). The results of the study state that the ADDIE instructional design model can be used to construct training programs and information security awareness in government agencies in a structured manner and can guarantee that training, awareness, education and professional development are not stagnant and can always be relevant in answering information security issues that occur in organizations.

기업의 정보보호 교육 현황 분석

기업의 정보보호 교육 현황 분석

FORMING THE AWARENESS OF EMPLOYEES IN THE FIELD OF INFORMATION SECURITY

Research purpose: The aim of this study is to present the essence and importance of information security awareness in the organisation and to analyse selected methods used in forming employee awareness in terms of information security. Methodology/ approach: This paper is based on literature studies and available reports. Findings: The presented paper suggests that in order to create a positive change in the organisation, information security training should focus on the attitude and behavior of employees. Concentration is primarily about what they do and how their actions affect the results. In order to minimise the risk of data breaches, often resulting from human error, training methods must meet the needs of today's employees. Effective information security awareness strategies should address the needs of both the organisation itself and the learning people. Limitations/implications: The study is based on the theoretical analysis, indicating the need of conducting further empirical research. Originality/value: The main value of the study is to clarify the need for forming employees' awareness of information security while indicating a number of available methods enabling the implementation of awareness programs in the organisation.

A performance evaluation of information security training in public sector

Recently, as the incidents of the security breach and the personal information leakage in public institutions and the major information/communication infrastructure have increased, the importance of the development and training of human resources specialized in cybersecurity, who can immediately respond to this are emphasized. Accordingly, the government has announced policies for the development of human resources, established and operated public sector cybersecurity training centers; however, there is no method for understanding the investment performance and effect of the present cybersecurity education/training in the public sector. For the establishment of a training system and the quality control of continuing education, a method for evaluating the performance of the training is needed, and this can prove the justification of the promotion of the training program and the sustainability of the training center. The goal of this study is to analyze the outcome of education and training in the field of information security and economic return on investment. For this purpose, through literature research on the outcome of the domestic and overseas education and training, this study drew a model that can apply.

A Framework for an Effective Information Security Awareness Program in Healthcare

Electronic Health Record (EHR) is a valuable asset of every healthcare and it needs to be protected. Human errors are recognized as the major information security threats to EHR systems. Employees who interact with EHR systems should be trained about the risks and hazards related to information security. However, there are limited studies regarding the effectiveness of training programs. The aim of this paper is to propose a framework that provides guidelines for healthcare organizations to select an effective information security training delivery method. In addition, this paper proposes a guideline to develop information security content for awareness training programs. Lastly, this study attempts to implement the proposed framework in a selected healthcare for evaluation. Hence, a serious game is developed as a training method to deliver information security content for the selected healthcare. An effective training program raises employees’ awareness toward information security with a long-term impact. It helps to gradually change employees’ behavior over time by reducing their negligence towards secure utilization of healthcare EHR systems.

Can perceptual differences account for enigmatic information security behaviour in an organisation?

Information security in organisations is often threatened by risky behaviour of users. Despite information security awareness and training programmes, the human aspect of information security remains a critical and challenging component of a safe and secure information environment, and users reveal personal and confidential information regularly when asked for it. In an effort to explain and understand this so-called privacy paradox, this paper investigates aspects of trust and perceptual differences, based on empirical research. Two preceding social engineering exercises form the basis of the research project and are also presented as background information. Following the empirical work, a safe and secure information model is proposed. It is then argued that perceptual alignment of different organisational groups is a critical and prerequisite requirement to reach information security congruence between groups of people. In the context of the proposed model, the perceptual differences also offer some explanation as to why users with high levels of security awareness as well as high levels of trust in own and organisational capabilities so often fall victim to social engineering scams. The empirical work was performed at a large utility company and results are presented together with appropriate discussions.

Development of cyber information security education and training system

Due to recent expansion of internet, use of personal internet banking and E-commerce is rapidly increasing. Additionally, services and marketing in corporations, government and banks are rapidly increasing mostly at the internet shopping malls and web sites. Accordingly, there are increasing number of cyber attacks like intelligent and high-tech APT attack, cyber intrusion access and digitalized information. However, countermeasures, operation exercise and security education about these security accidents are not executed properly. Therefore, this study is to develop cyber information security training system based on the internet. Additionally, in order to deal with security accidents caused by malicious emails and attaching files that frequently occur at public institutions and private companies, information security education is tried to be executed targeting affiliated employees and education and training subjects using the system. Through this, security accidents caused by malicious emails could be prevented in advance and economic loss could be minimized by preventing information loss or paralysis state in computer system.

Analysis of Transactional Analysis (TA) Styles with respect to Information Security (IS)

Transactional Analysis (TA) is a method of understanding people's behavior by analyzing the ‘transactions ’or interactions which transpire between people. Transactional Analysis (TA) can be used in organizations to improve the working effectiveness between the managers and his employees or between two individuals. This approach is useful to improve the interpersonal communication in organization and in social life. There are twelve TA styles. Usually, one of these styles is a Dominant style among people and one or two are backup styles. An indigenous TSI scale developed by Udai Pareek was used for the study. Organisations are conducting training programmes to improve the computer and information security level but the numbers of cyber crime rate is not going down. The authors have tried to explore different factors and its link with TA styles. It will help to design effective computer and information security training programmes.

Improving the information security culture through monitoring and implementation actions illustrated through a case study

The human aspect, together with technology and process controls, needs to be considered as part of an information security programme. Current and former employees are still regarded as one of the root causes of information security incidents. One way of addressing the human aspect is to embed an information security culture where the interaction of employees with information assets contributes to the protection of these assets. In other words, it is critical to improve the information security culture in organisations such that the behaviour of employees is in compliance with information security and related information processing policies and regulatory requirements. This can be achieved by assessing, monitoring and influencing an information security culture. An information security culture can be assessed by using an approach such as an information security culture assessment (ISCA). The empirical data derived from an ISCA can be used to influence the information security culture by focussing on developmental areas, of which awareness and training programmes are a critical facet.In this paper we discuss a case study of an international financial institution at which ISCA was conducted at four intervals over a period of eight years, across twelve countries. Comparative and multivariate analyses were conducted to establish whether the information security culture improved from one assessment to the next based on the developmental actions implemented. One of the key actions implemented was training and awareness focussing on the critical dimensions identified by ISCA. The information security culture improved from one assessment to the next, with the most positive results in the fourth assessment.This research illustrates that the theoretical ISCA tool previously developed can be implemented successfully in organisations to positively influence the information security culture. Empirical evidence is provided supporting the effectiveness of ISCA in the context of identified shortcomings in the organisation's information security culture. In addition, empirical evidence is presented indicating that information security training and awareness is a significant factor in positively influencing an information security culture when applied in the context of ISCA.

Measuring user satisfaction with information security practices

Information security is a major concern of organizational management. Security solutions based on technical aspects alone are insufficient to protect corporate data. Successful information security depends on appropriate user behavior while using information systems. User satisfaction is widely used to measure the success of information systems. The objective of this research is to develop a model to measure user satisfaction with information security practices. An instrument was developed based on this model. A survey was conducted, and 173 valid responses were obtained. Structural equation modeling was used for the data analysis. The results indicated that users understand the benefits of information security practices, but the use of information systems with security controls is considered a complex matter, which reduces information systems productivity. The measurement of the user satisfaction with information security practices is a starting point to diagnose the behavior of users in relation to information security, providing metrics to management evaluate the investment in information security training and awareness program.

정보보호관리체계(ISMS) 항목의 중요도 인식과 투자의 우선순위 비교 연구

최근의 개인정보 유출과 같은 정보보안 사고들이 기업의 매출 감소와 이미지 손실에 직접적인 영향을 주는 심각한 위험 관리 요소가 됨에 따라 체계적인 정보보호 관리를 위해 정보보호관리체계를 도입하는 기업들이 증가하고 있다. 그러나 기업 내 정보보호 인식과 달리 적은 투자로 인해, 한정된 예산으로 다양한 정보보호 요소들을 효과적으로 관리할 수 있는 방안이 중요해지고 있다. 본 연구에서는 정보보호관리체계의 13개 항목들에 대해 정보보호전문가들의 중요도 평가를 통해 우선순위를 도출하여, 단계적으로 정보보호관리체계를 구축할 수 있는 방향을 제공한다. 그리고 각 항목들에 대한 투자 정도도 평가하여 중요도와 투자 간의 우선순위 차이를 비교 분석하였다. 연구 결과 침해사고 관리가 가장 중요한 것으로 나타났으며, 투자 정도에서는 IT 재해복구가 가장 높은 것으로 확인되었다. 그리고 정보보호 중요도와 투자 간의 우선순위 차이가 큰 정보보호 항목은 암호통제, 정보보호정책, 정보보호교육, 인적보안으로 확인되었다. 본 연구 결과는 정보보호관리체계 도입을 고려하거나 운영 중인 기업들이 한정된 예산을 고려하여 효과적인 정보보호 투자에 대한 의사결정 자료로 활용될 수 있을 것으로 기대한다. Recently, organizational efforts to adopt ISMS(Information Security Management System) have been increasingly mandated and demanded due to the rising threat and the heavier cost of security failure. However there is a serious gap between awareness and investment of information security in a company, hence it is very important for the company to control effectively a variety of information security threats within a tight budget. To phase the ISMS, this study suggests the priorities based on evaluating the Importance of 13 areas for the ISMS by the information security experts and then we attempt to see the difference between importance and investment through the assessment of the actual investment in each area. The research findings show that intrusion incident handling is most important and IT disaster recovery is the area that is invested the most. Then, information security areas with the considerable difference between priorities of importance and investment are cryptography control, information security policies, education and training on information security and personnel security. The study results are expected to be used in making a decision for the effective investment of information security when companies with a limited budget are considering to introduce ISMS or operating it.

최고경영층의 정보보호 리더십에 따른 정보보호 통제활동의 차이 분석

This paper is to analyze how the information security leadership of top management affects controls of information security. Controls of information security include the activity related to making information security policy, the activity related to making up information security organizational structure and job responsibilities, the activity related to information security awareness and training, the activity related to technical measures installation and operation, and the activity related to emergency response, monitering and auditing. Additionally we will analyze how Internet incidents affect controls of information security and find implications.

국내대학 정보보호전공 교육과정 분석 및 융합교육정책

Abstract In this paper, we analyzed academic curriculum of information security major in domestic university and in center of education contents, reviewed about eduction distinction direction in each university. Also in center of domestic information security industry, it compared and analyzed status of recruitment demand in each information security range and training student in the university, and analyzed whether to meet the degree of information security workforce. In addition, we were examined future needs and direction of the convergency field of information security personnel in terms of information security major curriculum. Key Words : Information Security Education, Curriculum, Security, Convergency Received 20 December 2013 Revised 20 January 2014Accepted 20 January 2014Corresponding Author: Jin-Keun Hong(Baekseok University) Email: jkhong@bu.ac.krⒸ The Society of Digital Policy & Management. All rights reserved. This is an open-access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.otg/licenses/by-nc/3.0), which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is ISSN: 1738-1916 properly cited.

Personal Denial of Service Attacks (PDOS) and Online Misbehavior: The Need for Cyber Ethics and Information Security Education on University Campuses

The authors examine the need to provide basic information security and cyber ethics training for all university students, not just those pursuing an information security-related degree. The authors also discuss the need to include ethical hacking, as part of an emphasis on cyber ethics, into information securitydegreeprograms.Bothofthesetopicsarediscussedwithinthecontext of a new category of cyber crime, a Personal Denial of ServiceAttack (PDOS) that the authors have identified, along with other types of cyber crime, that are endemic to university campuses.