To read the full version of this content please select one of the options below:

Managing information security awareness at an Australian bank: a comparative study

Malcolm Pattinson (Adelaide Business School, The University of Adelaide, Adelaide, South Australia, Australia)
Marcus Butavicius (Defence Science and Technology Group, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Edinburgh, Australia)
Kathryn Parsons (Defence Science and Technology Group, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Edinburgh, Australia)
Agata McCormac (Defence Science and Technology Group, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Edinburgh, Australia)
Dragana Calic (Defence Science and Technology Group, National Security and Intelligence, Surveillance and Reconnaissance (ISR) Division, Edinburgh, Australia)

Information and Computer Security

ISSN: 2056-4961

Publication date: 12 June 2017

Abstract

Purpose

The aim of this study was first to confirm that a specific bank’s employees were generally more information security-aware than employees in other Australian industries and second to identify the major factors that contributed to this bank’s high levels of information security awareness (ISA).

Design/methodology/approach

A Web-based questionnaire (the Human Aspects of Information Security Questionnaire – HAIS-Q) was used in two separate studies to assess the ISA of individuals who used computers at their workplace. The first study assessed 198 employees at an Australian bank and the second study assessed 500 working Australians from various industries. Both studies used a Qualtrics-based questionnaire that was distributed via an email link.

Findings

The results showed that the average level of ISA among bank employees was consistently 20 per cent higher than that among general workforce participants in all focus areas and overall. There were no significant differences between the ISA scores for those who received more frequent training compared to those who received less frequent training. This result suggests that the frequency of training is not a contributing factor to an employee’s level of ISA.

Research limitations/implications

This current research did not investigate the information security (InfoSec) culture that prevailed within the bank in question because the objective of the research was to compare a bank’s employees with general workforce employees rather than compare organisations. The Research did not include questions relating to the type of training participants had received at work.

Originality/value

This study provided the bank’s InfoSec management with evidence that their multi-channelled InfoSec training regime was responsible for a substantially higher-than-average ISA for their employees. Future research of this nature should examine the effectiveness of various ISA programmes in light of individual differences and learning styles. This would form the basis of an adaptive control framework that would complement many of the current international standards, such as ISO’s 27000 series, NIST’s SP800 series and ISACA’s COBIT5.

Keywords

Citation

Pattinson, M., Butavicius, M., Parsons, K., McCormac, A. and Calic, D. (2017), "Managing information security awareness at an Australian bank: a comparative study", Information and Computer Security, Vol. 25 No. 2, pp. 181-189. https://doi.org/10.1108/ICS-03-2017-0017

Publisher

:

Emerald Publishing Limited

Copyright © 2017, Emerald Publishing Limited