Citations

... Qualitative data were gathered through interviews, while quantitative data were collected through surveys. Qualitative research possesses intricate attributes due to its emphasis on comprehensive comprehension and depiction of an individual's experience within a specific context [14], [15]. Qualitative data collected by researchers must therefore be processed using suitable techniques or analytic methods in order to obtain answers consistent with the formulation of the research problem and to comprehend the social and cultural context associated with the phenomenon under investigation. ...
... Table 9 indicates that the direct effect estimates for H1, H2, and H3 are all positive and statistically significant, indicating that all three hypotheses are accepted. The association between knowledge and attitude yields the highest t-statistics value (15,808), whereas the relationship between a respondent's demography and behavior yields the lowest value (0,022). There is a significant t-statistics value of 2,019 in the respondent's demographic association to attitude, but the p-values are < 0.05 or negative, meaning the hypothesis that results is not acceptable. ...
Article
National Civil Service Agency is a State institution tasked with the role and function of overseeing and implementing national civil servant management using information technology. There are 4.2 million civil servant data distributed throughout Indonesia that must be safeguarded by BKN. As the utilization of information systems grows, it also leads to an increase in information security risks. Based on the reports from Id-SIRTII/CC and BKN's internal report, there has been an increase in cyber attacks targeting BKN. In addition, there are other types of attacks that occur, such as online defacement, phishing, DDOS, and employee data theft, as well as the presence of employees who are still indifferent to information security. Based on this, the objective of this research is to measure the level of information security awareness among BKN employees and identify the factors that influence it. The Human Aspects of Information Security Questionnaire (HAIS-Q) using the Knowledge, Attitude, and Behavior (KAB) model was selected for measurement, with an additional focus on the Management of Information Systems/Technology Assets, consisting of a total of 75 statements. The quantitative measurements conducted yielded a result of 88.80% for the level of information security awareness among BKN employees, categorized as good. Furthermore, there is a significant influence on information security awareness from the dimensions of knowledge towards attitude, attitude towards behavior, and knowledge towards behavior.
... Huang et al (2010) adopted a similar broad strategy and established 12 categories of cybersecurity threats. Badie and Lashkari (2012) defined nine less generalised factors. The categories included technical hardware/software failures, forces of nature, or deliberate acts of espionage and trespass. ...
... The categories included technical hardware/software failures, forces of nature, or deliberate acts of espionage and trespass. In these overviews several descriptions are used for the human error, which is the focus of our work: acts of human error or failure, staff shortage, and operational issues (Samy et al, 2010), "acts of human error or failure" (Huang et al, 2010), and error and omission, phishing, and social engineering (Badie and Lashkari, 2012). ...
Article
Internet is completely integrated and absorbed in our life. Facilitating transfer of files across the world or wiring money from the couch, we could not imagine a world without it anymore. With these benefits, as with any new technology, there is also the introduction of risks and threats, for internet primarily in the form of cybercrime and online fraud. To reduce victimisation of this cybercrime, interventions are used to teach people to not perform risky behaviour. To overcome criticisms of current training materials, such as being tedious and boring, we created an Immersive Virtual Reality experience. By using a 4-step design process (i.e. ideation, specification, realisation, and evaluation), we designed a playful VR environment with simplistic non player characters to train the user to perform basic cybersecurity tasks in the right way. In the simulation, the participants are exposed to the challenge of creating a new password and a potential ransomware attack using USB storage device. The program allows for monitoring the user’s cybersecurity knowledge and behaviour and provides feedback. An evaluation of the VR environment among 16 respondents using a pretest-posttest evaluation with the Human Aspect Information Security Questionnaire (HAIS-Q) showed a statistically significant increase in scores after exposure to the VR environment. The system showed an above average SUS score. These initial findings indicate that a VR environment can be an alternative to consider for future development of cybersecurity interventions. Future research could expand our social VR environment with additional cybersecurity challenges, real-time actors, and running simulations among a broader audience to also investigate the retention of knowledge and skills.
... Various research has emphasized the importance of human factors in information security (Cuchta et al., 2019; Kadena & Gupi, 2021; Nifakos et al., 2021; Pollock, 2017; Prabhu & Thompson, 2022; Rahman et al., 2021). Regardless of the sophistication of any security implementation, the lack of employee security awareness and poor security behavioral intentions will be its weakest link (Badie & Lashkari, 2012). ...
Article
Human factors are frequently cited as the weakest link in the information security defense chain. Numerous studies have characterized employees as potential insider threats. Yearly industry reports persistently cite unsafe employee behavior as a leading cause of vulnerabilities and data breaches, especially in security-critical sectors such as the education, finance, government, information technology, legal, and medical sectors. Organizations spend vast sums on information security awareness (ISA) programs to improve employee security behavior. Employee security behavior intentions (SeBI) must be measured as part of gauging and tuning the effectiveness of ISA programs. Many studies measuring employee SeBI independently and as part of general employee ISA measurements have focused on homogenous populations, performing varying analyses based on information security experience, position, academic program, age, gender, and education levels. None have provided insights from the standpoint of deafness and hearing issues. This study surveyed employees in the education, finance, government, information technology, legal, medicine, military, and policing sectors for their self-reported SeBI. The resulting SeBI scores were average. No statistically significant difference in SeBI scores was found between groups with and without hearing difficulties, although SeBI scores were slightly less for employees with hearing difficulties. The results suggested that more ISA training is needed for employees in the surveyed sectors.
... Information security violations can be classified in several different ways. The study [11] mentioned that based on several studies performed by other researchers provided thirteen attacks that cover all the computer security risk factors, and eventually defined "nine factors (that) can cover all risks as main factors". These factors are an excess privilege, error, and omission, denial of service, social engineering, unauthorized access, identity thief, phishing, malware, and unauthorized copy. ...
... As shown in Figure 2, START builds a variety of databases, but the Global Terrorism Database (GTD) related to terrorist attacks collects information published on SNSes in an OSINT manner. Information on terrorist attacks around the world, including incident information, attack information, weapons information, and damage information, was compiled into a database [14]. It collects systematic data on terrorist incidents worldwide and has at present collected more than 110,000 pieces of information. ...
Article
Open-source intelligence (OSINT), an information gathering and analysis system that utilizes public information on SNSes, is a necessary information gathering activity to counter terrorism and cyberterrorism. Although it is not possible to patrol cyberspace directly, as in real space, cyberspace can be patrolled by collecting information using OSINT technology. In this study, OSINT information analysis activities related to military information leakage are presented to SNSes. In this study, two or more OSINT collection tools are used to search for military information keywords, for characters’ names, and for personal identification information about the characters. The results of 100,209 cases of military information keyword search and 471 cases of name search are presented. It was also confirmed that personal identification information was not searched because of the strengthening of personal information protection.
... All employees of an organization must act together to reduce risk and secure the organization. Research by Badie and Lashkari (2012) categorized the two most important factors affecting the security of computing systems as: (i) human factor and, (ii) organization factor. According to Jeimy and Cano (2019), humans represent a mystery to be deciphered by cybersecurity experts because their behaviors, attitudes, beliefs, rituals and decisions (the general characteristics that define a culture) constitute a little-understood universe for executives and their heads of security. ...
Article
In our increasingly digitized and interconnected society, people are poorly protected against cyberthreats, with the main reason being user behavior. Human behavior and actions are unpredictable in nature and this makes humans an important element and enabler of cybersecurity. The objective of the study is the promotion of adoption of non-technical countermeasures (such as user awareness) for a comprehensive and holistic way to manage cyber security in organizations in Cameroon. We conducted a subjective study to measure the level of employees’ knowledge and general awareness, risky behavior they engage in, and attitude toward various aspects of cybersecurity and cyberthreats to show the need for user education, training, and awareness. For the study described in this paper, a self-report questionnaire was developed and data were collected from 214 participants. The results of a descriptive statistic percentage indicated that less than 50% of respondents have completed or have a regular training program. We find that over 61% of the participants do not have sufficient knowledge of their organization's cyber security policies. Among other findings, the fact that over 60% of employees’ mistakes or violations of security policy are not disciplined or penalized is a demonstration of lack of legal status of cyber-attacks. Cyber resilience in any organization is a responsibility shared by both management and employees. A proactive human management element that can actively hunt for malicious activity and indicators of compromise is recommended.
... In addition, they classified them in 9 areas: external influences, human error, management, organization, performance and resource management, policy issues, technology, and training. Other researchers agreed with the previous authors, and they represented these factors in two major groups (Badie and Lashkari, 2012): ...
Article
Technological solutions in the mobile and digital era are becoming more helpful in informing the population, educational systems, monitoring, tracking the individuals, working, and spending time from home. On the other hand, the valuable information within such systems is posed to the risk of breaches at the individual and organizational level. As a result, cyber threats are constantly evolving. Many security incidents and data breaches are associated with the human factor. Respectively, this work highlights the importance of human factors in cybersecurity. Firstly, this article gives a brief overview of the topic and its significance. Then we present the most common risks in the cybersecurity field and their impacts. The third part emphasizes the role of human factors in security and elaborates on the behavioral approaches. Our conclusions are drawn in the last detail. To further our research, we plan to investigate behavioral science theories on understanding the influence of human factors in cybersecurity.
... ISA is considered the most crucial factor in helping organizations to prevent information security breach incidents (Da Veiga et al., 2020; Safa et al., 2016). Awareness mechanisms can be in the form of posters, newsletters or notices (Herath and Rao, 2009). A study conducted by Badie and Lashkari (2012) in Malaysia showed that employees who were not provided with proper ISA training could knowingly or unknowingly expose the organization to information security risks. Similarly, Ashenden (2018), who conducted her study in the UK, found that ISA programmes had a positive impact on employees' behaviour regarding information security. ...
Article
Purpose: The purpose of this study is to examine factors, which influence information security culture among employees of telecommunications companies. The motivation for this study was the rise in the number of data breach incidents caused by the organizations’ own employees. Design/methodology/approach: A total of 139 usable responses were collected via a Web-based questionnaire survey from employees of Malaysian telecommunications companies. Data were analysed by using SmartPLS 3. Findings: Security education, training and awareness (SETA) programmes and information security awareness were found to have a positive and significant impact on Information Security Culture. Additionally, self-reported employees’ security behaviour was found to act as a partial mediator on the relationship between information security awareness and information security culture. Research limitations/implications: The study was cross-sectional in nature. Therefore, it could not measure changes in population over time. Practical implications: The empirical data provides a new perspective on significant elements that influence information security culture in an emerging market. Organizations in the telecommunications industry can now recognize that SETA programmes and information security awareness have a significant impact on information security culture. Employees’ security behaviour also mediates the relationship between information security awareness and information security culture. Originality/value: This is the first study to analyse the mediating effect of employees’ security behaviour on the relationship between information security awareness and information security culture in the Malaysian telecommunications context.
... Human factors in cybersecurity is becoming widely discussed (e.g., [48] [1] [4] [32] [25] [45]), which has led to several issues. The first is that there are many variations for often the same terms due to a lack of consistency or conventions to describe human factors. ...
... Other current trends have also emerged that consider the human factors of users through two lenses: personal/user-centered and organizational/cultural such as those by Kraemer [25], Al-Darwish et al. [1], Badie and Lashkari [4], and Mortazavi-Alavi [32]. To this end, and like previous studies, human factors could be impacted by several aspects at once depending on a user's previous experiences and how a workplace impacts the user (e.g., both in a social and policy perspective). ...
Chapter
Cybersecurity has many challenges to address to ensure the protection of a system from an attacker. Consequently, strategies have been developed to address a system’s weakness that an attacker may try to exploit. However, while these approaches may prevent an attacker from getting in from the outside, they do not consider the user’s actions from the inside and how their behavior may inadvertently allow an attack to occur. This paper presents a human-centered approach to threat modeling titled STRIDE-HF, which extends the existing threat modeling framework STRIDE.
... The human factor is the focus of this study. Metalidou et al. (2014) and Badie and Lashkari (2012) discuss the lack of "Information Security Awareness." Badie and Lashkari (2012) specifically address the idea that the human factors of cybersecurity fall into two separate categories. ...
... Metalidou et al. (2014) and Badie and Lashkari (2012) discuss the lack of "Information Security Awareness." Badie and Lashkari (2012) specifically address the idea that the human factors of cybersecurity fall into two separate categories. The first category has to do with management. ...
... The other category has to do with the end user; this is of interest in this study. Badie and Lashkari (2012) specifically address individual's lack of awareness, (risky) belief, (risky) behavior, inadequate use of technology and lack of motivation as key factors. ...
Article
Purpose: The purpose of this paper is to reveal and describe the divergent viewpoints about cybersecurity within a purposefully selected group of people with a range of expertise in relation to computer security. Design/methodology/approach: Q methodology [Q] uses empirical evidence to differentiate subjective views and, therefore, behaviors in relation to any topic. Q uses the strengths of qualitative and quantitative research methods to reveal and describe the multiple, divergent viewpoints that exist within a group where individuals sort statements into a grid to represent their views. Analyses group similar views (sorts). In this study, participants were selected from a range of types related to cybersecurity (experts, authorities and uninformed). Findings: Four unique viewpoints emerged such that one represents cybersecurity best practices and the remaining three viewpoints represent poor cybersecurity behaviors (Naïve Cybersecurity Practitioners, Worried but not Vigilant and How is Cybersecurity a Big Problem) that indicate a need for educational interventions within both the public and private sectors. Practical implications: Understanding the divergent views about cybersecurity is important within smaller groups including classrooms, technology-based college majors, a company, a set of IT professionals or other targeted groups where understanding cybersecurity viewpoints can reveal the need for training, changes in behavior and/or the potential for security breaches which reflect the human factors of cybersecurity. Originality/value: A review of the literature revealed that only large, nation-wide surveys have been used to investigate views of cybersecurity. Yet, surveys are not useful in small groups, whereas Q is designed to investigate behavior through revealing subjectivity within smaller groups.