Search results

1 – 10 of over 25000
Article
Publication date: 23 November 2010

Hennie Kruger, Lynette Drevin and Tjaart Steyn

Downloads
2142

Abstract

Purpose

The dependence on human involvement and human behavior to protect information assets necessitates an information security awareness program to make people aware of their roles and responsibilities towards information security. The purpose of this paper is to examine the feasibility of an information security vocabulary test as an aid to assess awareness levels and to assist with the identification of suitable areas or topics to be included in an information security awareness program.

Design/methodology/approach

A questionnaire has been designed to test and illustrate the feasibility of a vocabulary test. The questionnaire consists of two sections – a first section to perform a vocabulary test and a second one to evaluate respondents' behavior. Two different class groups of students at a university were used as a sample.

Findings

The research findings confirmed that the use of a vocabulary test to assess security awareness levels will be beneficial. A significant relationship between knowledge of concepts (vocabulary) and behavior was observed.

Originality/value

The paper introduces a new approach to evaluate people's information security awareness levels by employing an information security vocabulary test. This new approach can assist management to plan and evaluate interventions and to facilitate best practice in information security. Aspects of cognitive psychology and language were taken into account in this research project, indicating the interaction and influence between apparently different disciplines.

Details

Information Management & Computer Security, vol. 18 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 6 May 2020

Raneem AlMindeel and Jorge Tiago Martins

Abstract

Purpose

The purpose of this paper is to increase understanding of employee information security awareness in a government sector setting and illuminate the problems that public sector organisations in a developing context face when seeking to establish an information security awareness programme.

Design/methodology/approach

An interpretive research design was followed to develop an empirically enriched understanding of information security awareness perceptions, aspirations, challenges and enablers in the context of Saudi Arabia as a developing country. The study adopts a single-case study approach, including face-to-face interviews with senior employees, as well as document analysis.

Findings

The paper theorises the importance of individual information security awareness, knowledge and behaviour and identifies a number of facilitating conditions: customisation to employee and organisational needs, interactivity, innovation, frequency, integration of both electronic and physical learning resources and rewarding the acquisition of in-depth security-related actionable knowledge.

Originality/value

This study is one of the first to examine information security awareness as a socio-technical process within a government sector organisation in a developing country context.

Details

Information Technology & People, vol. 34 no. 2
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 10 January 2020

Alex Koohang, Jonathan Anderson, Jeretta Horn Nord and Joanna Paliszkiewicz

Abstract

Purpose

The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance.

Design/methodology/approach

The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data.

Findings

The findings indicated that IS awareness depends on effective organizational leadership and elevated employees’ trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees’ trusting beliefs which guide employees to comply with ISP requirements.

Practical implications

Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations’ assets against threats by implementing various security education and training awareness programs.

Originality/value

This paper asserts that awareness is central to ISP compliance. Leadership and trusting beliefs variables play significant roles in information security awareness, which in turn positively affects employees’ URV and SE variables, leading employees to comply with the ISP requirements.

Details

Industrial Management & Data Systems, vol. 120 no. 1
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 12 October 2015

Bukelwa Ngoqo and Stephen V. Flowerday

Abstract

Purpose

The purpose of this paper was to analyse existing theories from the social sciences to gain a better understanding of factors which contribute to student mobile phone users’ poor information security behaviour. Two key aspects associated with information security behaviour were considered, namely, awareness and behavioural intent. This paper proposes that the knowing-and-doing gap can possibly be reduced by addressing both awareness and behavioural intent. This research paper explores the relationship between student mobile phone user information security awareness and behavioural intent in a developmental university in South Africa.

Design/methodology/approach

Information security awareness interventions were implemented in this action research study, and student information security behavioural intent was observed after each cycle.

Findings

The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context, as most undergraduate students are offered a computer-related course which covers certain information security-related principles. Existing researchers in the field of information security still grapple with the “knowing-and-doing” gap, where user information security knowledge/awareness sometimes does not result in safer behavioural practices.

Originality/value

Zhang et al. (2009) suggest that understanding human behaviour is important when dealing with the problems caused by human errors. Harnesk and Lindstrom (2011) expressed a concern that existing research does not address the interlinked relationship between anticipated security behaviour and the enactment of security procedures. This study acknowledges the contribution of Choi et al. (2008); their discussion of the “knowing-and-doing gap” suggests a link between awareness and actual behaviour that is confirmed by the findings of this study.

Details

Information & Computer Security, vol. 23 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 7 January 2019

Muhammad Shoukat Malik and Urooj Islam

Downloads
1019

Abstract

Purpose

The purpose of this study is to gain more insight into the impact of cybercrime incidents in the banking sector of Pakistan. This study investigates the significant contribution of information security awareness on the relationship of cybercrimes and organizational performance.

Design/methodology/approach

The impact of cybercrime incidents on organizational performance is investigated by further exploring the moderating effects of information security awareness. A sample of 302 employees in the banking industry of Pakistan was studied by using survey design.

Findings

Cybercrime incidents have a negative impact on organizational performance, but information security awareness weakens the negative impact of cybercrimes on organizational performance.

Research limitations/implications

The present study focuses on the banking sector, so its findings cannot be generalized to other sectors. Further, in-depth comparative studies in other sectors with different cultural settings will help to authenticate the research findings.

Practical implications

Information security awareness weakens the negative impact of cybercrimes on organizational performance; therefore, it is important for banks’ HR managers to set up more security training courses to increase employees’ awareness on cybercrimes.

Originality/value

This study explores the impact of cybercrimes on banks’ performance with the moderating role of employees’ information security awareness. Linking these topics has created a new study within the cybercrimes discipline. The present study also enhances the understanding of employees’ role to combat the impact of cybercrimes on organizational performance.

Details

Journal of Financial Crime, vol. 26 no. 1
Type: Research Article
ISSN: 1359-0790

Article
Publication date: 17 August 2012

Aggeliki Tsohou, Maria Karyda, Spyros Kokolakis and Evangelos Kiountouzis

Downloads
2413

Abstract

Purpose

Recent global security surveys indicate that security training and awareness programs are not working as well as they could be and that investments made by organizations are inadequate. The purpose of the paper is to increase understanding of this phenomenon and illuminate the problems that organizations face when trying to establish an information security awareness program.

Design/methodology/approach

Following an interpretive approach the authors apply a case study method and employ actor network theory (ANT) and the due process for analyzing findings.

Findings

The paper contributes to both understanding and managing security awareness programs in organizations, by providing a framework that enables the analysis of awareness activities and interactions with the various organizational processes and events.

Practical implications

The application of ANT still remains a challenge for researchers since no practical method or guide exists. In this paper the application of ANT through the due process model extension is enhanced and practically presented. This exploration highlights the fact that information security awareness initiatives involve different stakeholders, with often conflicting interests. Practitioners must acquire, in addition to technical skills, communication, negotiation and management skills in order to address the related organizational and managerial issues. Moreover, the results of this inquiry reveal that the role of artifacts used within the awareness process is not neutral but can actively affect it.

Originality/value

This study is one of the first to examine information security awareness as a managerial and socio‐technical process within an organizational context.

Details

Information Technology & People, vol. 25 no. 3
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 18 July 2008

Aggeliki Tsohou, Spyros Kokolakis, Maria Karyda and Evangelos Kiountouzis

Downloads
4582

Abstract

Purpose

The purpose of this paper is to study the way information systems (IS) security researchers approach information security awareness and examine whether these approaches are consistent with the organization theory and IS approaches for the study of organizational processes.

Design/methodology/approach

Open coding analysis was performed on selected publications (articles, surveys, standards, and reports). The chosen publications were classified and the classification results are presented, based on a proposed typology.

Findings

The proposed typology allows us to identify different types of research models followed by security researchers and practitioners, and to infer a set of practical implications, for the benefit of those interested in empirically studying information security awareness.

Research limitations/implications

The paper represents a pilot survey, performed in a selected number of publications.

Practical implications

The paper helps researchers and practitioners to distinguish the research models that can be adopted for the study of information security awareness organizational process, by identifying the key dimensions along which they differ.

Originality/value

The proposed typology provides a guide to identify the range of options available to researchers and practitioners when they design their work regarding the security awareness topic. Moreover, it can facilitate the communication between scholars in the field of security awareness.

Details

Information Management & Computer Security, vol. 16 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 20 November 2009

Janne Merete Hagen and Eirik Albrechtsen

Downloads
2117

Abstract

Purpose

The purpose of this paper is to measure and discuss the effects of an e‐learning tool aiming at improving the information security knowledge, awareness, and behaviour of employees.

Design/methodology/approach

The intervention study has a pre‐ and post‐assessment of knowledge and attitudes among employees. In total, 1,897 employees responded to a survey before and after the intervention. The population is divided into an intervention group and a control group, where the only thing that separates the groups is participation in the intervention (i.e. the e‐learning tool).

Findings

The study documents significant short‐time improvements in security knowledge, awareness, and behavior of members of the intervention group.

Research limitations/implications

The study looks at short‐time effects of the intervention. The paper has done a follow‐up study of the long‐term effects, which is also submitted to Information Management & Computer Security.

Practical implications

The study can document that software that supports Information Security Awareness programs has a short‐time effect on employees' knowledge, behaviour, and awareness; more intervention studies, following the same principles as presented in this paper, of other user‐directed measures are needed to test and document the effects of different measures.

Originality/value

The paper is innovative in the area of information security research as it shows how the effects of an information security intervention can be measured.

Details

Information Management & Computer Security, vol. 17 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 13 November 2017

Harrison Stewart and Jan Jürjens

Downloads
4641

Abstract

Purpose

The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset.

Design/methodology/approach

Before developing the instrument for the survey, effective measurement built upon the existing literature review was first identified and developed, and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using a cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.

Findings

Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own.

Research limitations/implications

The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings.

Practical implications

In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed.

Social implications

The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs has positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.

Originality/value

The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Details

Information & Computer Security, vol. 25 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 June 2017

Dirk Snyman and Hennie Kruger

Abstract

Purpose

The purpose of this study is to perform an exploratory investigation into the feasibility of behavioural threshold analysis as a possible aid in security awareness campaigns.

Design/methodology/approach

Generic behavioural threshold analysis is presented and then applied in the domain of information security by collecting data on the behavioural thresholds of individuals in a group setting and how the individuals influence each other when it comes to security behaviour.

Findings

Initial experimental results show that behavioural threshold analysis is feasible in the context of information security and may provide useful guidelines on how to construct information security awareness programmes.

Practical implications

Threshold analysis may contribute in a number of ways to information security, e.g. identification of security issues that are susceptible to peer pressure and easily influenced by peer behaviour; serve as a countermeasure against security fatigue; contribute to the economics of information security awareness programmes; track progress of security awareness campaigns; and provide a new measure for determining the importance of security awareness issues.

Originality/value

This paper describes the very first experiment to test the behavioural threshold analysis concepts in the context of information security.

Details

Information & Computer Security, vol. 25 no. 2
Type: Research Article
ISSN: 2056-4961
