Level Of Information Security Awareness Research Articles

Measurement of Employee Information Security Awareness: A Case Study of National Civil Service Agency

National Civil Service Agency is a State institution tasked with the role and function of overseeing and implementing national civil servant management using information technology. There are 4.2 million civil servant data distributed throughout Indonesia that must be safeguarded by BKN. As the utilization of information systems grows, it also leads to an increase in information security risks. Based on the reports from Id-SIRTII/CC and BKN's internal report, there has been an increase in cyber attacks targeting BKN. In addition, there are other types of attacks that occur, such as online defacement, phishing, DDOS, and employee data theft, as well as the presence of employees who are still indifferent to information security. Based on this, the objective of this research is to measure the level of information security awareness among BKN employees and identify the factors that influence it. The Human Aspects of Information Security Questionnaire (HAIS-Q) using the Knowledge, Attitude, and Behavior (KAB) model was selected for measurement, with an additional focus on the Management of Information Systems/Technology Assets, consisting of a total of 75 statements. The quantitative measurements conducted yielded a result of 88.80% for the level of information security awareness among BKN employees, categorized as good. Furthermore, there is a significant influence on information security awareness from the dimensions of knowledge towards attitude, attitude towards behavior, and knowledge towards behavior.

Measurement of Information Security and Privacy Awareness in College Students after the Covid-19 Pandemic

The Covid-19 pandemic has acted as a catalyst for digital transformation, particularly in the realm of education. Consequently, this research aims to ascertain the level of information security awareness among students employing the HAIS-Q. The study employs the MCDA method to determine the weighting of the three dimensions and seven focal areas that have been predetermined. The findings of the study reveal that the overall level of ISA among students falls within the "good" category (80%). The measurement results in this study can serve as valuable input for institutions to enhance information security awareness among their student populations.

Research Review on Measuring Information Security Awareness

One of the factors that contributes to unauthorized parties releasing confidential company information, including employee personal information, is a lack of awareness of employee information security. This is a critical concern that needs to be addressed immediately by strengthening the company's information security culture and raising employee awareness of security. To enhance the clarity and emphasis of the reform policy, it is crucial to evaluate employee awareness of information security. This paper discusses several approaches that have been employed, either as models or frameworks, to evaluate an organization's level of information security awareness. With the aid of inclusion and exclusion criteria, we chose 16 papers out of the 842 that were included in the systematic literature review. Three components are commonly used to assess information security awareness: knowledge (what is already known), attitude (what is thought to be appropriate to do), and habit (what is usually done). Measurements that encompass these three aspects employ the Knowledge, Attitude, and Behavior (KAB) paradigm. This study might be a reference for organizations to measure their employees’ security awareness. Several findings are also discussed in this paper.

Information Security Awareness Raising Strategy Using Fuzzy AHP Method with HAIS-Q and ISO/IEC 27001:2013: A Case Study of XYZ Financial Institution

XYZ financial institution is a government institution that receives and processes transaction reports from banks and remittances, so its data classification is very confidential. However, during the Work from Home (WFH) policy in the Covid-19 pandemic, XYZ financial institution has received many spam/phishing attacks. Hence, this incident shows that some employees need an awareness of information security. The research offers a different Information Security Awareness (ISA) questionnaire using the Human Aspects of the Information Security Questionnaire (HAIS-Q) and ISO/IEC 27001:2013 as focus areas. The research uses the theory of Knowledge, Attitude, and Behavior (KAB) to determine the dimensions that need improvement and priority ranking using Fuzzy Analytical Hierarchy Process (FAHP). Furthermore, the research conducts a Focus Group Discussion (FGD) to explore the root causes of employee behavior. The FGD results show that there are still employees who do not know about information security, such as password combinations and length, so limited knowledge affects employees’ attitudes and behaviors. The research results from 34 respondents show that the employees’ information security awareness level is in the moderate category (78.8%). They still need to increase their awareness of information security, especially in managing passwords, using email and the Internet, and reporting incidents. Recommendations have been prepared to improve the dimensions and areas that have yet to be categorized as good. In the future, the ISA questionnaire is expected to be used in other organizations.

User Perceptions of Information Security: Evidence from Takoradi Technical University

This study related to the importance of information and information technology in today's global business. The global nature of information systems also exposes them to threats which make them prone to security breaches. Information risks are several internal and external, making it almost impossible for only information security professionals to handle. This therefore reinforces the need to involve end-users in by educating them to be aware of threats, and their role in curbing those threats. Related information security literature was reviewed to establish the business problem theoretically. Using focus group discussions and open-ended interview guide, data was collected from non-security employees from Takoradi Polytechnic. The data provided understanding of the employees' present security needs, employees perception of information security, employees' personal security initiative, and level of information security awareness. The key findings in the study suggested that, currently some arrangements have been made to ensure information security; however, there is the need for more non-computer-based arrangements such as physical security, training and data backup systems. Further, because some respondents did not perceive the current security arrangement to be adequate, they took personal initiatives like using passwords, using formal communication channels for obtaining information which falls outside their domain or function, and seldom reporting any perceived security threats. These personal initiatives seemed to be the basis for the employees' self-rating of their level of information security awareness, not some training they had acquired.
 
 Received: 8 September 2022 / Accepted: 29 October 2022 / Published: 5 November 2022

Modelling the effects of personal factors on information security awareness

According to research, the number of attacks on the Internet has been increasing each year. Hence, information security awareness is a very significant skill. Accordingly, this study aimed to investigate the effects of students’ personal factors on their information security awareness. The researchers conducted a quantitative study that examines a theoretical model. The data were collected from 684 undergraduate students via three data tools. The effects of variables on information security awareness were explained via path analysis. The mediating role of technology attitude was examined in the relationship between information security awareness and the individual variables for the first time. The findings showed that gender and grade did not directly affect information security awareness levels, while attending information security training, department and technology attitude had a significant effect. On the other hand, some personal factors indirectly affected information security awareness. This analysis offered substantial contributions to the literature in uncovering the effects of variables on students’ information security awareness in a holistic way. The results can guide planning for information security training to increase information security awareness by considering personal factors.

Risk management in digitalized educational environments: Teachers' information security awareness levels.

With the spread of Information and Communication Technologies (ICT) tools and the Internet, Twenty first century technologies have significantly affected human life, and it has been desired to be obtained continuously. It has become challenging to protect information due to the increase in the methods by which malicious people can get information. As a result, it is crucial to determine people’s awareness levels by revealing the risks and threats to information security. In this context, a study was conducted to show the awareness levels of teachers who come after the family in raising conscious individuals in society. For this purpose, a quantitative research method was adopted for the problem and sub-problems that form the basis of the research. The survey model, one of the research designs used within the framework of the quantitative research method, was used. Information Security Awareness Scale was applied to 394 teachers, and according to the results obtained, it was determined that the information security awareness level of the teachers was moderate. According to the attacks and threats sub-dimension, which includes technical issues, it has been determined that the awareness levels of the teachers are at a medium level. The study results show that female teachers’ information security awareness levels are lower than male teachers. In comparison, the awareness levels of those who received information security awareness training and information technology teachers are higher.

Strategy to Improve Employee Security Awareness at Information Technology Directorate Bank XYZ

Bank handles private information like customer financial transactions and personal data. There was a 63% increase in cyberattacks attempted against Bank XYZ in 2021, and 1,323 attempted attacks on corporate email Bank XYZ. Therefore, implementing security awareness training for all employees is crucial for Bank XYZ. The information security awareness program must be assessed to determine the program's efficiency and the level of information security awareness among employees. Therefore, this study assesses the information security awareness at Bank XYZ, especially the Information Technology (IT) Directorate using the Human Aspect of Information Security Questionnaire (HAIS-Q) method. The findings of this study revealed that employees at Bank XYZ in the information security work unit had a "Good" level of awareness. In contrast, the results from other IT work units were “Medium”. Based on the assessment results, Bank XYZ's security awareness strategy recommendation is to align awareness content with information security policies and procedures, use a variety of media awareness, and focus on the "Internet Use" and "Information Handling" awareness areas. As a way of determining the achievement of information security Key Performance Indicators (KPI), security awareness measurement must be done regularly, for example, once a year.

Ön Lisans Öğrencilerinin Bilgi Güvenliği Kazanımı Ve Farkındalık Düzeylerinin Belirlenmesi: Kırıkhan Meslek Yüksekokulu Örneği

Bu çalışmanın amacı, önlisans öğrencilerinin bilgi güvenliği konusundaki kazanım ve farkındalık düzeylerinin belirlenmesidir. Çalışma tarama modelinde tasarlanmıştır. Örneklem seçiminde kolayda örnekleme yöntemi kullanılmıştır. Bu bağlamda, araştırmanın örneklemini Kırıkhan Meslek Yüksekokulu’nda çeşitli bölümlerde öğrenim gören 161 önlisans öğrencisi oluşturmaktadır. Çalışmada Bilgi Güvenliği Kazanımları (BGK) ve Bilgi Güvenliği Farkındalığı (BGF) ölçekleri kullanılmıştır. Demografik bilgiler için betimsel istatistikler kullanılırken, araştırmaya katılanların yaş ve bölüm değişkenleri için tek yönlü ANOVA testi, sınıf düzeyi için bağımsız örneklem t-testi uygulanmıştır. Bu çalışmanın sonucunda, önlisans öğrencilerinin bilgi güvenliği farkındalık düzeylerinin yüksek, bilgi güvenliği kazanım düzeylerinin orta düzeyde olduğu belirlenmiştir. Öğrencilerin BGK ortalama puanlarının öğrenim gördükleri programlara göre istatistiksel olarak önemli ölçüde farklılık gösterdiği tespit edilmiştir. Aynı zamanda öğrencilerin BGF alt boyutlarından olan İnternet Tarayıcısı ve Ağ Güvenliği puanlarının öğrencilerin yaşlarına göre önemli ölçüde farklılık gösterdiği bulunmuştur. Bununla birlikte önlisans öğrencilerinin bilgi güvenliği kazanımları ve alt boyutları ile bilgi güvenliği farkındalığı internet güvenliği, internet tarayıcısı ve ağ güvenliği alt boyutlarına göre bilgi güvenliğine ilişkin bilişim suçlarını bilme durumuna göre de önemli ölçüde farklılık gösterdiği bulunmuştur. Öğrencilerin bilgi güvenliği farkındalığı (BGF) ortalama puanları ile bilgi güvenliği kazanımları (BGK) ve tüm BGK alt boyutlarına ait ortalama puanlarının öğrencilerin sınıf düzeylerine göre istatistiksel olarak önemli ölçüde bir farklılık göstermediği tespit edilmiştir.

Measuring organizational information security awareness in South Africa

ABSTRACT Information is a valuable resource that organization may utilize in the current business environment. It is critical to comprehend the importance of information protection, as it safeguards the lifeline of the organization. All employees within organization should be aware of the organizational information security culture. Organizations should promote an information security awareness culture, so as to secure data as part of their critical infrastructure. Organizations should monitor and measure information security awareness levels among employees, with a number of international instruments. However, the validity of those instruments has not yet been determined in the South African context. As a consequence, the aim of this article is to validate one internationally accepted measurement instrument – the Human Aspects of Information Security-Questionnaire (HAIS-Q) in South Africa. The research sought to determine employees’ awareness levels, in order to make recommendations aimed at improving awareness in organizations. A survey was conducted whereby the data from 356 respondents were collected across industries, with a web-based questionnaire. To determine the factor structure of the scale under investigation, an exploratory factor analysis (EFA) and Cronbach’s alpha was used to establish the internal reliability of the HAIS-Q. T-tests and ANOVAs were used to identify significant differences between demographic groups.

Determinants of Information Security Awareness and Behaviour Strategies in Public Sector Organizations among Employees

In this digital era, protecting an organisation's sensitive information system assets against cyberattacks is challenging. Globally, organisations spend heavily on information security (InfoSec) technological countermeasures. Public and private sectors often fail to secure their information assets because they depend primarily on technical solutions. Human components create the bulk of cybersecurity incidents directly or indirectly, causing many organisational information security breaches. Employees' information security awareness (ISA) is crucial to preventing poor information security behaviours. Until recently, there was little combined information on how to improve ISA and how investigated factors influencing employees' ISA levels were. This paper proposed a comprehensive theoretical model based on the Protection Motivation Theory, the Theory of Planned Behaviour, the General Deterrence Theory, and Facilitating Conditions for assessing public sector employees' ISA intentions for information security behaviour. Using a survey and the structural equation modelling (SEM) method, this research reveals that the utilised factors are positively associated with actual information security behaviour adoption, except for perceived sanction certainty. The findings suggest that the three theories and facilitating conditions provide the most influential theoretical framework for explaining public sector employees' information security adoption behaviour. These findings support previous empirical research on why employees' information on security behaviours vary. Consistent with earlier research, these psychological factors are just as critical as facilitating conditions in ensuring more significant behavioural intention to engage in ISA activities, ensuring information security behaviour. The study recommends that public-sector organisations invest in their employees' applied information security training.

Analyzing the Impact of Information Security Awareness Training to the Employees of Telco Company XYZ

As a company that is operating in the telecommunication sector, XYZ must ensure that they have adequate capabilities to protect their company’s and customers’ sensitive data. Although various information security systems and processes are already in place, human resources still are the weakest link in cyber security. The new normal of Working From Home makes the threat even larger. Basically, Information Security Awareness (ISA) denotes whether or not users are aware of information security objectives. Using a phishing scenario, this study examined the level of ISA of XYZ employees and how ISA training might improve their awareness level. The simulation outcomes were compared to the results before and after they received ISA training on a percentage scale. The results showed a positive increase between before and after being given training. Employees who clicked on phishing URLs before training reached 31% reduced to 12% after training. Meanwhile, employees affected by phishing decreased from 24% to 4%. The study also revealed discovered that based on the nature of the job, employees who work at directorates who work more on non-technical matters have lower awareness when compared to employees who work at directorates who work more on technical work.

AWARENESS OF ICT SECURITY POLICY TO ENSURE DATA PROTECTION IN FORESTRY DEPARTMENT PENINSULAR MALAYSIA

The Forestry Department Peninsular Malaysia's (FDPM) ICT Security Policy was developed and implemented in 2012 and reviewed in 2015. This policy aims to take the lead in managing data, hardware, software, network, and ICT security under legal regulations. Amongst the department's responsibilities are to implement data confidentiality, integrity, and availability policies to ensure the continuity of activities and services while mitigating the impact of security incidents. Accidentally, on September 16, 2016, a fire broke out in the FDPM building, causing property damage and document destruction with an estimated loss of RM30 million. Currently, in Malaysia, cybercrime and government data intrusion has become increasingly difficult to combat. Raising public awareness, particularly among officers who serve as service providers and department employees, is therefore critical to address those issues. Therefore, the objectives of this research are to determine the level of awareness of FDPM employees regarding FDPM ICT Security Policy as well as to investigate the factors that influence information security awareness. Inputs from this study were derived from both primary and secondary sources to meet the objectives. Primary data was gathered through surveys where 130 questionnaires were distributed to FDPM headquarters employees at the management, professional, and support team levels. Meanwhile, secondary data was gathered from FDPM annual and management reports, statistical data, journals, reference documents, and the Internet. The findings were analyzed statistically using SPSS. The level of awareness has been determined and an appropriate criterion to improve the level of information security awareness among FDPM employees was recommended which may help for a better understanding of department culture and increase a higher level of security awareness among FDPM employees.

Effect of Age on Information Security Awareness Level among Young Internet Users in Malaysia

Effect of Age on Information Security Awareness Level among Young Internet Users in Malaysia

Security Awareness Level Evaluation of Healthcare Participants Through Educational Games

The purpose of this paper consists of implementing an educational board game to evaluate the information security awareness level of healthcare personnel. The National Health Service Greater Glasgow and Clyde (NHSGGC) Information Security Acceptable Use Policy was used as a basis to generate the educational content of the board game and Lev Vygotsky’s social development theory was followed for the learning process of the participants. Two evaluations were carried out during this study. The results obtained during the first evaluation showed that it is fundamental to design the board game based on a set of rules in information security enacted by an organization to properly guide the participants with the knowledge they need to counter security incidents. The second evaluation showed that redesigning the content of the board game based on the information security policies of the NHSGGC, resulted in a more effective way of guiding participants on the procedures required for compliance with the policies of this health institution and offer them an understanding of the risks behind security incidents. This was demonstrated during this evaluation since the results obtained gave an approximation that it is possible to increase the level of awareness of information security in people regardless of their area of work or studies.

Security and privacy awareness of smartphone users in Indonesia

The number of smartphone users in Indonesia is increasing every year and has been growing rapidly since Covid-19 hit Indonesia. Smartphones store a lot of personal and information data, such as photos, videos, contact lists, e-mails to social media accounts. A large amount of personal data on smartphones causes an increasing number of threats to information security and privacy. This study aims to measure the knowledge and level of awareness of smartphone users in Indonesia on information security and privacy. This study modify the existing measurement methods. The results showed that there are still many Indonesians do not know the information security and privacy on their smartphones. The results also show that the level of information security awareness among Indonesians is still low.

Enhancing employees information security awareness in private and public organisations: A systematic literature review

Preserving the confidentiality, integrity and availability (CIA) of an organisation's sensitive information systems assets against attacks and threats is a challenge in this digital age. Organisations worldwide make huge investments in information security technological countermeasures. Nonetheless, organisations in many cases fail to protect their information assets as they rely mainly on technical solutions which are not contextually compatible and sufficient. As a matter of fact, a significant number of organisational information security incidents are due to the exploitation of human elements that directly and/or indirectly cause the majority of security incidents. Therefore, employees’ information security awareness (ISA) becomes one of the critical aspects of protection against undesirable information security behaviours. However, to date, there is limited synthesised knowledge about methods for enhancing ISA and integrated insights on factors affecting employees’ ISA levels. This study, therefore, provides a systematic review of the literature on ISA and puts forward a state-of-the-art collection of ISA methods and factors for enhancing employees’ ISA within both private and public sector organisations. The results indicate that various methods and factors are used to enhance employees’ ISA in organisations. Theoretical models and gamification are the methods widely used in both private and public organisations, whereas the constructivist approach and violation detections are some of the methods used only in private organisations. Furthermore, this study offers some insights into the latest trends in ISA content development methods and factors, and fosters good ISA practice by disseminating information and knowledge amongst Information Security professionals to help them build an overarching ISA development programme in their organisations.

Measurement of Information Security Awareness Level: A Case Study of Digital Wallet Users

Awareness of a person is an important factor in maintaining information security and reducing the fraud gap. The existence of various types of digital wallet application fraud requires someone to have an awareness of information security. This study was conducted to measure the information security awareness of digital wallet users. The research was conducted by distributing questionnaires to 156 respondents of digital wallet users. These respondents represented users of digital wallet applications in Indonesia. Information security was measured based on the user’s knowledge-attitude-behavior. The assessment of information security awareness level was calculated using the Analytic Hierarchy Process (AHP) method. The results showed that the score was at the awareness level of good (80.78%). However, several focus areas still showed score at the average level which was one of the reasons why there are still many information security breaches against users of the digital wallet.

College students information security awareness: a comparison between smartphones and computers

The rapid technological developments associated with the decrease in the cost of smartphones made the latter more accessible and convenient to be used. In an educational setting, students are increasingly bringing their smartphones to classrooms, this could have serious security implications, particularly when students are less aware of smartphone information security threats. This paper is set out to provide an empirical comparison in the level of information security awareness among college students in terms of knowledge and behavior. The main aim is to find the difference between students’ awareness level of information security using smartphones vs. computers. A descriptive research design was adopted and an online survey method was employed. Research findings showed that students were highly aware of some information security concepts, however, they behaved differently in protecting their smartphones compared to computers. Training campaigns are suggested to be conducted aiming to educate students with possible information security risks related to smartphone usage in educational settings.

Metode MCDA Untuk Pengukuran Tingkat Kesadaran Keamanan Informasi Pada Mahasiswa

Pada sebuah institusi pendidikan tinggi tentunya hal yang lumrah dilakukan oleh mahasiswa dalam menjalankan berbagai aktifitas akademik dan non akademik dengan memanfaatkan teknologi informasi. Kesadaran akan keamanan informasi merupakan salah satu faktor penting didalam pemanfaatan teknologi tersebut. Tingkat kesadaran yang rendah akan mengakibatkan banyaknya insiden keamanan informasi yang muncul. Penelitian ini melakukan pengukuran tingkat kesadaran mahasiswa STMIK XYZ terhadap keamanan informasi. Tujuan penelitian ini untuk mengetahui tingkat kesadaraan keamanan informasi mahasiswa dengan demikian dapat ditentukan tindakan yang perlu dilakukan untuk memperbaiki kesadaran yang masih rendah dan mempertahankan yang sudah baik. Metode yang digunakan adalah metode Multiple Criteria Decision Analysis (MCDA). Metode pengumpulan data menggunakan kuesioner. Hasil penelitian ini menunjukkan bahwa tingkat kesadaran keamanan informasi mahasiswa STMIK XYZ berada pada level “sedang” dengan nilai 71%. Dari tiga dimensi yang diukur hanya ada satu dimensi yang berada pada level “buruk” yaitu dimensi behaviour. Dari enam area pengukuran ada tiga area pengukuran yang berada pada level buruk yaitu policies, mobile equipment dan consequences. Hasil tersebut menunjukkan perlu adanya perhatian khusus dan tindakan konkrit untuk meningkatkan level kesadaran keamanan informasi.