Proceedings of the European Information Security Multi-Conference (EISMC 2013)
An Analysis of Information Security Vulnerabilities at
Three Australian Government Organisations
K. Parsons¹, A. McCormac¹, M. Pattinson², M. Butavicius¹, C. Jerram²
¹Defence Science and Technology Organisation, Edinburgh, Australia
²Business School, University of Adelaide, Australia
Abstract
This paper reports on a study conducted by The University of Adelaide with the support of the
Defence Science and Technology Organisation, to examine information security (InfoSec)
vulnerabilities caused by individuals, and expressed by their knowledge, attitude and
behaviour. A total of 203 employees, from three large Australian government organisations,
completed a web-based questionnaire designed to capture the knowledge, attitude and
behaviour of individuals in regard to InfoSec. In conjunction with this employee
questionnaire, qualitative interviews were conducted with a small number of senior
management employees from each of the three organisations. Overall, the questionnaire results
indicated that employees from all three organisations had reasonable levels of awareness of
InfoSec vulnerabilities. Analysis of the qualitative interviews revealed that management not
only had an accurate understanding of their employees’ InfoSec awareness, but were able to
recognise vulnerable areas that required further attention and improvement, such as the
appropriate use of wireless technology, the reporting of security incidents and the use of social
networking sites.
Keywords
Information security (InfoSec), InfoSec behaviour, Information Risk, InfoSec
awareness, InfoSec vulnerabilities
1. Introduction
Management of InfoSec is a critical issue for both public and private sector
organisations and there are growing expectations for organisations to ensure a high
level of security of electronic data. Historically, problems with InfoSec have
demanded a focus on technical solutions such as the development of hardware,
software and network solutions. However, InfoSec is not only a technical problem,
but is also a ‘people’ problem (Schultz, 2005). InfoSec-related issues can be better
addressed by also considering the influence of the human factor to complement
hardware and software solutions (Schneier, 2000).
The aim of this research project was twofold. The first aim was to gain a holistic
understanding of the level of InfoSec awareness, defined by the dimensions
knowledge, attitude and behaviour, of employees from Australian Government
Organisations. The second aim was to develop and test an Information Security
Awareness Instrument to assess the InfoSec awareness of employees. An inductive,
qualitative approach was utilised in the development of the survey tool rather than the
more commonly used theory verification approach (Karjalainen, 2011). This meant
that questions were developed before a model was applied, thus minimising the
effect of bias (Karjalainen, 2011). This process formed the hypothesis that if
computer users are in possession of adequate knowledge of InfoSec, this should
result in a more positive attitude towards InfoSec, which should then result in more
positive InfoSec behaviour. Hence, our three main dimensions of interest are
knowledge, attitude and behaviour. This is sometimes referred to as the KAB model
and has been studied in fields including InfoSec (Kruger & Kearney, 2006), climate
change (van der Linden, 2012) and health promotion (Bettinghaus, 1986).
2. Method
2.1. Participants
Employees of three Australian Government organisations were invited via email to
participate in a web-based questionnaire, and their participation was anonymous and
voluntary. Response rates varied across the three organisations. In Organisation A,
123 of the 222 invited employees completed the questionnaire, resulting in a
response rate of 55%. In Organisation B, 52 of the 200 invited employees completed
the questionnaire, resulting in a response rate of approximately 26%. In Organisation
C, 28 of the 746 invited employees completed the questionnaire, which equates to a
response rate of approximately 4%. Hence, the overall response rate was
approximately 17%.
It is important to highlight that the response rate of Organisation C is very low,
which greatly affects the ability to generalise the findings. This means that the
employees in Organisation C who chose to answer the questionnaire are likely to be
systematically different from other employees of that organisation, and are
essentially self-selected (Fowler, 2002). Fowler (2002) claims that self-selected
participants in small sample sizes are more likely to have an interest in the topic in
question. This means that the actual level of InfoSec awareness in Organisation C is
likely to be lower than the level estimated by our study.
2.2. Web-based Questionnaire
The questionnaire was designed around eight aspects of InfoSec management:
- Importance of InfoSec policies
- Principles of InfoSec policies
- Rules of InfoSec policies
- Password management
- Email and internet usage
- Reporting security incidents
- Consequences of behaviour
- Training
These focus areas were chosen such that they allowed the researcher to identify any
specific InfoSec weaknesses that could be subsequently addressed by management in
the form of training, communication and policy development.
Participants were asked questions about their understanding of InfoSec threats and
their experiences with InfoSec training within their organisation. More broadly,
participants were asked to provide details about their general computer practices.
Responses were used to produce measures of each of the eight focus areas along one
or more of the dimensions: knowledge, attitude and behaviour.
Self-report questionnaires are often influenced by response bias and social
desirability bias. Response pattern bias is observed when participants select the same
response to every question. In order to eliminate and detect this behaviour,
negatively worded questions were purposefully included in the questionnaire design.
Social desirability bias is observed when individuals respond in a way that ensures
they are seen to be behaving appropriately (Edwards, 1953). This bias, and the
possible effects on results, is examined in more detail in the Discussion of this paper.
2.3. Management Interviews
To complement the questionnaire, qualitative interviews were conducted with
members of senior management from each organisation. Three interviews were
conducted with Organisation A, three interviews with Organisation B and two
interviews with Organisation C. Each interview was conducted by two researchers
with one member of senior management.
3. Results
3.1. Overview
Overall, the InfoSec awareness of employees who responded to the questionnaire
was high. As mentioned previously, employee InfoSec awareness was assessed using
three dimensions, namely, knowledge, attitude and behaviour. To provide more in-depth,
context-specific information, the dimensions were divided into eight focus areas.
A number of questions were administered to provide a measure of each of these
components, and Table 1 shows a summary of the results for each of the
organisations. The mean score is shown with the standard deviation in brackets.
Values range from ‘0’ to ‘1’ where ‘0’ represents the least appropriate response and
‘1’ the most desirable. Sample questions and results are also shown in Appendix A.
Table 1: Summary Results (mean score, with standard deviation in brackets)

                                  Organisation A  Organisation B  Organisation C  Total
Dimensions
  Knowledge                       0.92 (0.08)     0.86 (0.12)     0.91 (0.07)     0.90 (0.09)
  Attitude                        0.86 (0.08)     0.76 (0.13)     0.86 (0.21)     0.83 (0.13)
  Behaviour                       0.85 (0.08)     0.79 (0.09)     0.80 (0.09)     0.83 (0.09)
Focus Areas
  Importance of InfoSec policy    0.91 (0.09)     0.85 (0.16)     0.91 (0.22)     0.90 (0.13)
  Rules of InfoSec policy         0.87 (0.08)     0.81 (0.10)     0.86 (0.13)     0.85 (0.10)
  Principles of InfoSec policy    0.92 (0.09)     0.85 (0.17)     0.90 (0.23)     0.90 (0.14)
  Password management             0.92 (0.10)     0.86 (0.12)     0.82 (0.11)     0.89 (0.11)
  Email and internet usage        0.88 (0.07)     0.83 (0.10)     0.90 (0.10)     0.87 (0.09)
  Report security incidents       0.71 (0.20)     0.65 (0.21)     0.70 (0.25)     0.69 (0.21)
  Consequences of behaviour       0.83 (0.12)     0.69 (0.16)     0.81 (0.21)     0.76 (0.16)
  Training                        0.82 (0.14)     0.68 (0.16)     0.81 (0.26)     0.78 (0.17)

It is important to highlight that this measure is still undergoing development, and has
been completed by only 203 participants, who were not necessarily representative of
the whole organisation. Hence, any comparisons between the organisations should be
interpreted cautiously. For this reason, this report will only describe overall
comparisons, based on the major dimensions of InfoSec awareness.
3.2. InfoSec Knowledge
In the section designed to capture knowledge about InfoSec, employees were
provided with 15 statements. The purpose of these statements was to ascertain the
employees’ level of understanding of a number of important InfoSec rules. These
statements addressed security considerations such as password selection, email and
social networking site use, and using wireless technology to access information.
Participants could respond to each statement with either ‘True’, ‘False’ or ‘Unsure’,
and the responses to each statement were assigned values from one to three. This
assignment was such that the more appropriate the response, the higher the value
assigned to it, and a response of ‘Unsure’ was assigned a value of two (which is the
middle value). Hence, for reverse questions, the scores were inverted, so that a
higher score always corresponds with a better or more appropriate response.
The average scores were very high for the majority of the statements. All three
organisations obtained average scores of 90% or higher for seven of the knowledge-
based statements, and 80% or higher for a further six statements. This means that
most employees had an appropriate knowledge of InfoSec. Results indicate that
respondents had a good understanding of the importance of InfoSec rules, and had an
accurate knowledge of password security, and recognised that passwords should not
consist solely of real words or significant dates or names.
Employees’ knowledge of the security of wireless technologies was less convincing.
As depicted in Appendix A, in response to the statement “Wireless computing is
considered to be less secure than wired computing” the average score obtained by
Organisation A was only 67%, and Organisations B and C had average scores of
only 60% and 55%, respectively. Since wireless computing can pose a potential
security risk, this is an area where education may be required.
In summary, the InfoSec knowledge demonstrated by respondents from
Organisations A and C tended to be slightly higher than the knowledge demonstrated
by Organisation B. However, this was usually only a difference of a few percentage
points.
3.3. InfoSec Attitude
In the section assessing attitude towards InfoSec, employees were asked “In terms of
your work environment, how strongly do you agree with the following statements”.
Employees were asked to respond to 20 statements on a five-point scale from
‘Strongly Disagree’ to ‘Strongly Agree’. The statements addressed areas such as the
importance of InfoSec within their organisation, their exposure to training and their
understanding of their responsibilities for maintaining InfoSec.
Employees’ responses to each statement were assigned values from one to five. This
assignment was such that, the more appropriate the response, the higher the value
assigned to it. Hence, for reverse questions, the scores were inverted, so that a higher
score always corresponds with a better or more appropriate response.
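As an added illustration (not the authors' instrument or code), the following Python applies the scoring rules described in sections 3.2 and 3.3 (ordinal values, reverse-keyed items inverted, 'Unsure' at the middle value), normalises each score to the 0-1 range used in Table 1, and implements the response-pattern check from section 2.2. The intermediate scale labels, the answer keys, the focus-area assignments, item K2 and the three respondents are constructed assumptions; only the quoted statements come from the paper.

```python
"""Scoring a knowledge/attitude/behaviour (KAB) questionnaire.

Added illustration of the scoring rules in sections 3.2 and 3.3 and the
response-pattern check in section 2.2; not the authors' instrument or code.
Intermediate scale labels, answer keys and the respondents are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Raw answer -> ordinal value 1..k. Before reverse-keying, the highest value is
# the most appropriate answer. 'Unsure' sits at the middle value (section 3.2).
KNOWLEDGE_SCALE = {"False": 1, "Unsure": 2, "True": 3}
AGREEMENT_SCALE = {"Strongly Disagree": 1, "Disagree": 2, "Neutral": 3,
                   "Agree": 4, "Strongly Agree": 5}   # middle labels assumed
FREQUENCY_SCALE = {"Never": 1, "Rarely": 2, "Sometimes": 3, "Often": 4,
                   "Always": 5}                       # middle labels assumed


@dataclass(frozen=True)
class Item:
    item_id: str
    dimension: str          # knowledge | attitude | behaviour
    focus_area: str         # one of the paper's eight focus areas (assignment assumed)
    scale: dict
    reverse: bool = False   # True when the lowest raw value is the appropriate one


# Statements quoted in the paper plus one constructed item (K2). Which end of
# each scale counts as appropriate is an assumption made here.
ITEMS = [
    # "Wireless computing is considered to be less secure than wired computing"
    Item("K1", "knowledge", "Rules of InfoSec policy", KNOWLEDGE_SCALE),
    # constructed: "A password made up of a single real word is acceptable"
    Item("K2", "knowledge", "Password management", KNOWLEDGE_SCALE, reverse=True),
    # "I believe that adequate security training is provided"
    Item("A1", "attitude", "Training", AGREEMENT_SCALE),
    # "What I do on social networking sites is none of my employer's business"
    Item("A2", "attitude", "Email and internet usage", AGREEMENT_SCALE, reverse=True),
    # "I delete suspicious emails"
    Item("B1", "behaviour", "Email and internet usage", FREQUENCY_SCALE),
    # "I share my password with others"
    Item("B2", "behaviour", "Password management", FREQUENCY_SCALE, reverse=True),
    # "I open attachments from unknown sources"
    Item("B3", "behaviour", "Email and internet usage", FREQUENCY_SCALE, reverse=True),
]


def score_item(item, answer):
    """Map one raw answer to [0, 1], where 1 is the most appropriate response."""
    k = max(item.scale.values())
    v = item.scale[answer]
    if item.reverse:            # invert so that higher always means better
        v = (k + 1) - v
    return (v - 1) / (k - 1)    # 3-point: 0, 0.5 ('Unsure'), 1; 5-point: steps of 0.25


def score_respondent(items, answers, group_by="dimension"):
    """Mean item score per dimension (or per focus_area) for one respondent."""
    buckets = {}
    for item in items:
        if item.item_id in answers:
            group = getattr(item, group_by)
            buckets.setdefault(group, []).append(score_item(item, answers[item.item_id]))
    return {group: mean(scores) for group, scores in buckets.items()}


def is_straight_liner(items, answers, min_items=3):
    """Response-pattern check (section 2.2): flag a respondent who gave the
    identical raw answer to every item on a scale. With reverse-keyed items
    mixed in, one raw answer cannot be the appropriate response throughout."""
    by_scale = {}
    for item in items:
        if item.item_id in answers:
            key = tuple(sorted(item.scale.items()))
            by_scale.setdefault(key, []).append(answers[item.item_id])
    return any(len(a) >= min_items and len(set(a)) == 1 for a in by_scale.values())


def summarise(items, respondents, group_by="dimension"):
    """Cohort mean and population SD per group, in Table 1's 0-1 format."""
    per_group = {}
    for answers in respondents:
        for group, score in score_respondent(items, answers, group_by).items():
            per_group.setdefault(group, []).append(score)
    return {g: (round(mean(s), 2), round(pstdev(s), 2)) for g, s in per_group.items()}


# Constructed respondents: R1 answers appropriately, R2 straight-lines the top
# of every scale, R3 is mixed and unsure on the knowledge items.
RESPONDENTS = [
    {"K1": "True", "K2": "False", "A1": "Agree", "A2": "Disagree",
     "B1": "Always", "B2": "Never", "B3": "Never"},
    {"K1": "True", "K2": "True", "A1": "Strongly Agree", "A2": "Strongly Agree",
     "B1": "Always", "B2": "Always", "B3": "Always"},
    {"K1": "Unsure", "K2": "Unsure", "A1": "Neutral", "A2": "Agree",
     "B1": "Often", "B2": "Rarely", "B3": "Never"},
]

if __name__ == "__main__":
    for i, answers in enumerate(RESPONDENTS, 1):
        flag = " (response pattern flagged)" if is_straight_liner(ITEMS, answers) else ""
        print(f"R{i}: {score_respondent(ITEMS, answers)}{flag}")
    print("Cohort:", summarise(ITEMS, RESPONDENTS))
```

Respondent R2 illustrates why the negatively worded items matter: answering 'Strongly Agree' or 'Always' throughout yields 1.0 on the forward items and 0.0 on the reversed ones, and the raw-pattern check flags the record rather than letting it pass as a high scorer.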
Employees of all organisations were judged to have a reasonable attitude towards
InfoSec, with average scores for most variables at over 60%. The vast majority of
employees from all three organisations recognised that their organisation has
information that needs to be protected, believed that InfoSec is an important issue in
their organisation, and recognised that it is important for them to act securely in all
aspects of their work.
Generally speaking, employees from Organisations A and C were more likely to
provide the most appropriate response than the employees from Organisation B. The
largest difference between the organisations was obtained in response to the
statement “I believe that adequate security training is provided”. Most participants
from Organisation A and C agreed with this statement, with average scores of 75%
and 78% respectively. In contrast, the average score obtained for Organisation B for
this statement was only 49%.
There was also a large variation in response to the statement “What I do on social networking sites is none of my employer’s business”. The vast majority of employees from Organisation C recognised that their behaviour on these sites is of some interest to their employer, with an average score of 79%, whereas the average scores provided by Organisations A and B were only 58% and 59%, respectively. Since social networking sites can have numerous negative consequences, such as jeopardising the security, confidentiality and reputation of an organisation (Parsons, McCormac & Butavicius, 2011), this is an area where education may be required for employees from Organisations A and B.
3.4. InfoSec Behaviour
In the section assessing InfoSec behaviour, participants were provided with 16
statements and were asked to indicate how frequently they engaged in certain
behaviours, both conducive and detrimental to InfoSec. Examples include, “I delete
suspicious emails”, “I share my password with others”, and “I open attachments
from unknown sources”. Participants were asked to respond on a five-point scale,
from ‘Never’ to ‘Always’, and the responses to each statement were assigned values
from one to five. This assignment was such that, the more appropriate the response,
the higher the value assigned to it.
In summary, self-reported behaviour of employees from all organisations was
considered reasonable, with an average score for most questions of 70% or higher.
Although there was some variation across the questions, generally speaking, the
respondents from Organisation A were most likely to respond appropriately, and the
employees from Organisation B were less likely to do so.
The vast majority of employees from all organisations reported that they never share
their passwords with others, and would never download non-corporate software or
music or video content from the Internet onto their work computers. Although most
employees from Organisation A would not use a USB stick to transfer files between
work and home, a number of employees from Organisations B and C admitted that
they sometimes do so.
Results also indicated that many people do not keep a clear and tidy desk at work,
and there were also areas associated with reporting of security incidents where
people did not respond appropriately. For example, in response to the statement “If I
see unfamiliar people in my office area I will approach them and ask to see their
identification,” employees from Organisation A scored an average of 56%,
Organisation B scored an average of 49% and Organisation C scored an average of
69%. The response to this statement must be examined in light of the organisation in
question. Some organisations have a policy where visitors must be escorted, and
therefore, it is not appropriate for someone to approach an escorted visitor, but it
would be necessary to approach an unfamiliar person if the individual in question is
not being escorted.
3.5. Management Interviews
To determine whether management within the three organisations had a good
understanding of the InfoSec awareness of their employees, members of senior
management from each organisation were interviewed. A total of eight interviews
were carried out. Although the interviewees all held senior management positions
within their organisations, some were responsible for day-to-day operations and
people management, whereas others were specifically responsible for InfoSec
management.
A semi-structured interview technique was utilised, and the interviews included
questions regarding InfoSec policy, procedures, culture and management attitude
towards InfoSec.
Generally, the information provided by the senior managers of all three organisations
was consistent with the responses from the employees of their organisations,
indicating that management have a good understanding of the InfoSec awareness of
their employees. Essentially, management believed that most employees have an
appropriate level of InfoSec awareness, but recognised that there were areas of
improvement required.
The managers had a very good knowledge not only of the InfoSec policies of their
organisation, but also understood what constituted good InfoSec management in
general. The managers recognised that there can be tensions between the necessity to
abide by any security regulations and the need to get the job done. They also
explained that there can be challenges associated with keeping any InfoSec policy
current with so many fast changing technological advances.
However, the managers believed that most employees have a sense of responsibility
and professionalism for the information held by their organisation. Therefore,
managers believed that security breaches would be more likely to be caused by
unintentional lapses rather than maliciousness. Managers believed that this was
particularly true of employees who had been with the organisation for some time, as
this sense of responsibility and professionalism is stronger once employees have
been enculturated within the organisation. With new employees, the managers of all
organisations explained that a greater emphasis is placed on punitive measures.
All managers also acknowledged that their organisation has potential vulnerabilities
associated with the use of social networking sites, and although the potential risks
associated with these sites should be covered by current policies associated with
Internet usage and general privacy or confidentiality rules, the managers still
acknowledged that this is an area where further education is required to emphasise
the possible risks, and reinforce the restrictions on use.
In summary, the results of the management interviews support the findings from the
employee questionnaires. Essentially, managers recognised that there were some
weaknesses with regard to InfoSec awareness, training and compliance, but
generally believed that most employees at their organisation have a reasonable level
of InfoSec awareness.
4. Discussion
Interviews were conducted with members of senior management from three
organisations, and employees of these organisations were asked to complete a web-
based questionnaire, which contained questions relating to demographic details,
perceived information risks, knowledge of information security policies, information
security attitudes, and behaviour whilst using a computer.
The results of this survey indicate that the level of awareness of employees within all
three organisations was generally satisfactory. Overall, answers to questions relating
to knowledge received higher scores than those for attitude and behaviour. A
summary of the most important findings is provided below:
- The InfoSec knowledge of employees was very good. Employees from all organisations scored 90% or higher in response to seven knowledge-based statements, and 80% or higher in response to a further six statements. Respondents had a good understanding of the importance of InfoSec rules, had an accurate knowledge of password security, and recognised that passwords should not contain only real words or significant dates or names. There were, however, some aspects of wireless technology where many employees lacked knowledge.
- Most respondents also had a good attitude towards InfoSec. However, in general, the scores for the attitude-based questions were slightly lower than those based on knowledge. Employees generally recognised that their organisation has information that needs to be protected, believed that InfoSec is an important issue in their organisation, and recognised that it is important for them to act securely in all aspects of their work. However, responses indicated that Organisation B may need to improve its InfoSec training, and all organisations may need to educate employees about the use of social networking sites.
- Reported employee behaviour was also good. Overall, scores for the behaviour-based questions were similar to those testing attitude. Most employees stated that they would never share their passwords with others, and would never download non-corporate software or music or video content from the Internet onto their work computers. However, people were far less likely to keep a clear and tidy desk, and there were areas associated with the reporting of security incidents where people did not respond appropriately. In addition, while most employees from Organisation A knew not to use a USB stick (thumb drive) to transfer files between work and home, a number of employees from Organisations B and C admitted that they sometimes do so.
- Interviews with senior management revealed that the managers had a good understanding of the InfoSec awareness of their employees, and understood what constituted good InfoSec management in general. However, they also acknowledged some areas of concern, such as the need for more education in the appropriate use of social networking sites whilst at work.
It is important to highlight that the data from Organisation C is based on only 28
employees due to a very poor response rate. It is likely that those who chose to
respond are systematically different from the employees who did not participate in
the questionnaire, which greatly affects the generalisability of the findings from this
organisation.
There are a number of possible limitations associated with this research. For example, the results of this report are based on self-report, which does not always reflect true attitudes and behaviour, as some respondents may be influenced by biases. In particular, under social desirability bias, respondents may consciously or unconsciously answer in a way that ensures that they are presented in a positive light (Edwards, 1953). However, previous research has shown that an individual’s perceptions, attitudes and knowledge can be appropriately measured via self-report (Schmitt, 1994; Spector, 1994). Additionally, to further decrease the influence of this bias, and increase the chance that employees responded openly about InfoSec awareness, employees were informed that the survey was being conducted anonymously.
5. Conclusions and Future Research
In general, participants scored slightly higher on questions testing their knowledge
than for those regarding behaviour and attitude. While it is difficult to compare
scores directly across these three areas, this finding is nonetheless consistent with the
sentiment echoed by the managers in their interviews; namely, that employees
generally possessed good knowledge of InfoSec even if their actions were not always
consistent with good policy. This suggests that any remedial action might be best
directed towards training programs to improve policy compliance that focus on
changing the behaviour of participants. This training should be contextualised (i.e.,
tailored to the specific needs of the audience) and use case studies (Brooke, 2006)
rather than generic courses that resemble lectures in order to improve compliance
with, rather than simply knowledge of, policy (Parsons, McCormac, Butavicius, &
Ferguson, 2010). In particular, as evidenced with both questionnaire participants and
management interviewees, the use of social networking sites is still a potential issue
and specialised training programs may be beneficial (Parsons et al., 2011).
The next stage of research will examine the effectiveness of various training and risk
communication options by using the questionnaire developed in this current research
in a pre-test/post-test methodology. For example, the authors are interested in
developing e-simulation scenarios and comparing the effectiveness of this form of
training with more traditional methods such as lectures. Furthermore, the authors
intend to refine the questionnaire presented in this report so that it can be used as the
basis of benchmarking the state of information security within various industries.
The questionnaire could also be used to track the long-term InfoSec health of an
organisation over a significant period of time (Wilson & Hash, 2003).
6. References
Bettinghaus, E. P. (1986), "Health promotion and the knowledge-attitude-behavior continuum", Preventive Medicine, Vol. 15, No. 5, pp. 475-491.
Brooke, S. L. (2006), "Using the case method to teach online classes: Promoting Socratic dialogue and critical thinking skills", International Journal of Teaching and Learning in Higher Education, Vol. 18, No. 2, pp. 142-149.
Edwards, A. L. (1953), "The relationship between the judged desirability of a trait and the probability that the trait will be endorsed", Journal of Applied Psychology, Vol. 37, No. 2, pp. 90-93.
Fowler, F. J. (2002), Survey Research Methods (3rd ed.), Sage, Thousand Oaks, CA, ISBN: 1412958415.
Karjalainen, M. (2011), Improving Employees' Information Systems (IS) Security Behaviour: Toward a Meta-Theory of IS Security Training and a New Framework for Understanding Employees' IS Security Behaviour, PhD thesis, University of Oulu, Oulu (A 579).
Kruger, H., & Kearney, W. (2006), "A prototype for assessing information security awareness", Computers & Security, Vol. 25, No. 4, pp. 289-296.
Parsons, K., McCormac, A., & Butavicius, M. (2011), Don't Judge a (Face) Book by its Cover: A critical review of the implications of social networking sites, Defence Science and Technology Organisation, DSTO-TR-2549.
Parsons, K., McCormac, A., Butavicius, M., & Ferguson, L. (2010), Human Factors and Information Security: Individual, Culture and Security Environment, Defence Science and Technology Organisation, DSTO-TR-2484.
Schmitt, N. (1994), "Method bias: The importance of theory and measurement", Journal of Organizational Behavior, Vol. 15, pp. 393-398.
Schneier, B. (2000), Secrets and Lies: Digital Security in a Networked World, Wiley, ISBN: 0-471-25311-1.
Schultz, E. (2005), "The human factor in security", Computers & Security, Vol. 24, No. 6, pp. 425-426.
Spector, P. E. (1994), "Using self-report questionnaires in OB research: A comment on the use of a controversial method", Journal of Organizational Behavior, Vol. 15, pp. 385-392.
van der Linden, S. (2012, July), "Understanding and achieving behavioural change: Towards a new model for communicating information about climate change", paper presented at the International Workshop on Psychological and Behavioural Approaches to Understanding and Governing Sustainable Tourism Mobility, Freiburg, Germany.
Wilson, M., & Hash, J. (2003), Computer Security: Building an Information Technology Awareness and Training Program, NIST SP 800-50.
Appendix A
Figure A: Screenshot of sample questions as shown to participants
Figure B: Results of sample questions for each organisation
... Some studies used questionnaires that were specifically designed for the students' participants, but without capturing the holistic measures of information security threats (see Table 2). The HAIS-Q, developed by Parsons et al. (2013), is comparatively comprehensive in capturing the most typical internet behaviours. Unlike other ISA scales that do not separate awareness from intention and action (Berki et al. 2017;Chandarman and Van Niekerk 2017;Zwilling et al. 2020), the HAIS-Q is the only scale that clearly distinguishes factors of thoughts, feelings and actions. ...
... The HAIS-Q measures an individual's knowledge, attitude, and self-reported behaviour relating to information security in the workplace. The questionnaire was developed by Parsons et al. (2013) to evaluate the ISA performance of company employees. It is based on the interview results with managers and information technology professionals and by reviewing information security policies and standards (Parsons et al. 2014). ...
... Simultaneously, based on the KAB model, the conceptualised Human Aspects of Information Security Questionnaire (HAIS-Q) has been developed [33]. HAIS-Q research has shown that age, gender, resilience, job stress, education level, and some other personal characteristics can predict ISA to some extent [34]. ...
... 35), and behaviour (70. 33), in that order. (See Table 3.) ...
Article
Full-text available
During the pandemic, the prevailing online learning has brought tremendous benefits to the education field. However, it has also become a target for cybercriminals. Cybersecurity awareness (CSA) or Internet security awareness in the education sector turns out to be critical to mitigating cybersecurity risks. However, previous research indicated that using education level alone to judge CSA level received inconsistent results. This study postulated Social Educational Level (SEL) as a moderator with an extended Knowledge-Attitude-Behaviour model, used students’ year level as a proxy for the impact of education level, and used work exposure for the influence of social education level, to compare CSA among undergraduates, postgraduates and working graduates. The participants in the study were divided into six groups, namely year 1 university students, year 2-3university students, final-year students, postgraduate students, young working graduates, and experienced working graduates. The Human Aspects of Information Security Questionnaire was used to conduct a large-scale survey. The multivariate regression model analysis showed significant differences among the knowledge, attitude and behaviour dimensions across groups with different conditions of year-level and work exposure. However, it was found that SEL played a more significant role than an individual’s education level. The study suggested that a greater endeavour be committed to educating the public at large together with individuals, institutes, corporate and governments to improve the national CSA level.
... Many users appeared to neglect previously good security habits after installing the software, which could ultimately increase their exposure to risk. In a similar study [13], the knowledge, attitude and behavior of 203 employees towards information security was assessed. The results showed that although most employees scored highly in their knowledge of information security, suggesting good awareness, this did not always translate to good security behaviors. ...
... The privacy paradox has been well documented in papers such as [28,29], and although mainly in the context of online security, demonstrates that user attitudes towards security and privacy often differ from the actions they take or decisions they make. Indeed, this has been highlighted in studies such as [10,13] discussed in Section 2. In our study, Figure 2b shows that given a scenario where a device was infected with malware, but still functioning normally, over three quarters of respondents indicated that they would still be very concerned. When asked to rate the importance of various features related to IoT devices (as shown in Figure 3), security 102 (65%) and privacy 100 (63%) were clearly considered very important features. ...
Article
The growth of the Internet of Things (IoT), and demand for low-cost, easy-to-deploy devices, has led to the production of swathes of insecure Internet-connected devices. Many can be exploited and leveraged to perform large-scale attacks on the Internet, such as those seen by the Mirai botnet. This paper presents a cross-sectional study of how users value and perceive security and privacy in smart devices found within the IoT. It analyzes user requirements from IoT devices, and the importance placed upon security and privacy. An experimental setup was used to assess user ability to detect threats, in the context of technical knowledge and experience. It clearly demonstrated that without any clear signs when an IoT device was infected, it was very difficult for consumers to detect and be situationally aware of threats exploiting home networks. It also demonstrated that without adequate presentation of data to users, there is no clear correlation between level of technical knowledge and ability to detect infected devices.
... The KAB is a dynamic, interactive model that was originally used in the fields of health and environmental psychology, criminology, climate change, and education and is now applied in network security research. Specifically, Parsons et al. examined the information security loopholes caused by individuals based on KAB [7]. The Personal-perspective-based Information Security Questionnaire (HAIS-Q) was developed in 2014, and it outlined the development of its concept as well as the validity and reliability tests [8]. ...
Chapter
In the midst of the COVID-19 pandemic, the employment and education sectors have shifted significantly toward online platforms. However, the increased reliance on these digital spaces has raised concerns about personal security information. Scholars have taken note of this issue and have explored its implications, with some employing the extended knowledge, attitude, and behavior (KAB) model to investigate the moderating effects of societal education level on the relationship between knowledge and attitude. Hong et al. [1] conducted a study to examine undergraduates’ KAB regarding personal data sharing in Chinese higher education institutions during the pandemic. Using a questionnaire, the study recruited 156 participants from three universities in West and East China. Using SPSS 23.0, data analysis revealed a widespread lack of awareness, a positive attitude, and proper behavior among college students regarding online personal information leakage during the pandemic. Notably, disparities were observed in KAB among students of different grades, majors, and genders. Students in their sophomore, junior, and senior years were found to be more concerned than freshmen about the availability of their personal information online; what’s more, science majors were more concerned than students of other majors. There appear to be significant gender differences in personal information sharing, i.e., males are more concerned about the security of personal information online than females. Through this study, we aim to emphasize that college students’ awareness of personal information protection needs to be improved and suggest that university administrators and policymakers increase information security training. The findings of this study contribute to the theoretical and practical efforts to improve information security in higher education.
Future studies should broaden the survey sample and examine the primary factors that influence college students’ KAB of personal information security to ensure the generalization of findings.
... Attitude is a necessary mediator to mitigate the cognitive dissonance between knowledge and action. To measure the relationship between the three variables, Parsons et al. (2013) conceptualized the Human Aspects of Information Security Questionnaire (HAIS-Q) based on the KAB model. Before the emergence of HAIS-Q, survey questionnaires tended to have a narrow focus on ISA, such as the use of passwords (Carstens et al., 2004) and smartphone applications (Mylonas et al., 2013). ...
Article
Recent studies on the pandemic have focused on the DOs and DON’Ts of recovery remedies, but few have investigated the pandemic-spawned fundamental internal problems of the enterprises in order to diminish the impacts of the mega-crisis and relieve the need for recovery efforts. It is incontestable that employees are one of the major victims of the pandemic crisis; their negative emotions caused by the increasing career and financial instability have heightened the challenges of their enterprises that are striving for survival. This research has identified a breakthrough that extends the effect of CSR efforts from the traditional societal focus to internal employees, to whom CSR is found to mediate the undesirable escape habits and anti-crisis behaviours resulting from crises. This strengthens the understanding and value of CSR, while presenting management with a novel mixed strategy to stabilize employee emotions and assemble their competence to get through a crisis.
... Attitude is a necessary mediator to mitigate the cognitive dissonance between knowledge and action. To measure the relationship between the three variables, Parsons et al. (2013) conceptualized the Human Aspects of Information Security Questionnaire (HAIS-Q) based on the KAB model. Before the emergence of HAIS-Q, survey questionnaires tended to have a narrow focus on ISA, such as the use of passwords (Carstens et al., 2004) and smartphone applications (Mylonas et al., 2013). ...
Article
A multitude of studies have suggested potential factors that influence internet security awareness (ISA). Some, for example, used GDP and nationality to explain different ISA levels in other countries but yielded inconsistent results. This study proposed an extended knowledge-attitude-behaviour (KAB) model, which postulates an influence of the education level of society at large is a moderator to the relationship between knowledge and attitude. Using exposure to a full-time working environment as a proxy for the influence, it was hypothesized that significant differences would be found in the attitude and behaviour dimensions across groups with different conditions of exposure and that exposure to full-time work plays a moderating role in KAB. To test the hypotheses, a large-scale survey adopting the Human Aspects of Information Security Questionnaire (HAIS-Q) was conducted with three groups of participants, namely 852 Year 1–3 students, 325 final-year students (age = 18–25) and 475 full-time employees (age = 18–50) in two cities of China. MANOVA and subsequent PROCESS regression analyses found a significant negative moderating effect of work exposure, which confirmed the proposed model. However, the effect was more pervasive than expected and moderation was found in the interaction between work exposure and all three ISA dimensions. The social influence does not only reshape the cybersecurity attitude of the highly educated, but also knowledge and behaviour. Findings contribute theoretically, methodologically and practically, offering novel perspectives on ISA research and prompting new strategies to respond to human factors.
... Employee behaviours that are more likely to result in information security breaches, such as not choosing a strong password and opening suspicious email attachments, are not necessarily associated with the adoption of a specific technology (Ng, et al., 2009). In Parsons, McCormac, Pattinson, Butavicius and Jerram (2013), we reported on the results of an information security study with three Australian government organisations. Rather than focusing solely on theory verification, we used a hybrid methodology, incorporating the inductive, exploratory approach recommended by Karjalainen (2011). ...
Article
The Human Aspects of Information Security Questionnaire (HAIS-Q) is being developed using a hybrid inductive, exploratory approach, for the purpose of evaluating information security threats caused by employees within organisations. This study reports on the conceptual development and pre-testing of the HAIS-Q. Results from 500 Australian employees were then used to examine the reliability of the HAIS-Q, as well as the relationships between knowledge of policy and procedures, attitude towards policy and procedures and behaviour when using a work computer. Results indicate significant, positive relationships between all variables. However, both qualitative and quantitative results indicate the direct influence of knowledge of policy and procedure accounted for far less of the variance in self-reported behaviour than attitude towards policy and procedure. Implications for training and education campaigns and plans for future research to further develop this questionnaire are outlined.
... In Parsons et al. (2013), we reported on the results of an information security study with three Australian government organisations. This was the first stage of our development of the HAIS-Q. ...
Article
It is increasingly acknowledged that many threats to an organisation’s computer systems can be attributed to the behaviour of computer users. To quantify these human-based information security vulnerabilities, we are developing the Human Aspects of Information Security Questionnaire (HAIS-Q). The aim of this paper was twofold. The first aim was to outline the conceptual development of the HAIS-Q, including validity and reliability testing. The second aim was to examine the relationship between knowledge of policy and procedures, attitude towards policy and procedures and behaviour when using a work computer. Results from 500 Australian employees indicate that knowledge of policy and procedures had a stronger influence on attitude towards policy and procedure than self-reported behaviour. This finding suggests that training and education will be more effective if it outlines not only what is expected (knowledge) but also provides an understanding of why this is important (attitude). Plans for future research to further develop and test the HAIS-Q are outlined.
Article
The Human Aspects of Information Security Questionnaire (HAIS-Q) is designed to measure Information Security Awareness. More specifically, the tool measures an individual’s knowledge, attitude, and self-reported behaviour relating to information security in the workplace. This paper reports on the reliability of the HAIS-Q, including test-retest reliability and internal consistency. The paper also assesses the reliability of three preliminary over-claiming items, designed specifically to complement the HAIS-Q, and identify those individuals who provide socially desirable responses. A total of 197 working Australians completed two iterations of the HAIS-Q and the over-claiming items, approximately 4 weeks apart. Results of the analysis showed that the HAIS-Q was externally reliable and internally consistent. Therefore, the HAIS-Q can be used to reliably measure information security awareness. Reliability testing on the preliminary over-claiming items was not as robust and further development is required and recommended. The implications of these findings mean that organisations can confidently use the HAIS-Q to not only measure the current state of employee information security awareness within their organisation, but they can also measure the effectiveness and impacts of training interventions, information security awareness programs and campaigns. The influence of cultural changes and the effect of security incidents can also be assessed.
Article
Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.
Article
Due to the intensified need for improved information security, many organisations have established information security awareness programs to ensure that their employees are informed and aware of security risks, thereby protecting themselves and their profitability. In order for a security awareness program to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. The objective of this paper is to report on the development of a prototype model for measuring information security awareness in an international mining company. Following a description of the model, a brief discussion of the application results is presented.
Article
With increasing interest in online education, instructors must have a repertoire of tools available to promote the critical thinking skills of their students. This paper will present the case method as one pedagogical approach for teaching online courses. Example cases are provided. Pedagogical approaches to working with new and seasoned online students are addressed. Further, the benefits of using the case method to promote learning in the virtual classroom are explained. The case studies presented for online classes present concrete situations that can be used to stimulate analysis, requiring students to project how they might respond to a set of circumstances. Case studies promote Socratic dialogue and higher order thinking skills. Further, the case method can be a good vehicle for stimulating students' thought about step-by-step planning.
Article
The study was designed to measure the relationship between probability of endorsement of personality items and the scaled social desirability of the items. Scale values were determined by applying the method of successive intervals to 140 personality trait items which had been administered to 152 subjects with pertinent instructions. The items were then administered to a different group of 140 students as a personality inventory. The proportion of "yes" answers was taken as a measure of the probability of endorsement and correlated against the social desirability scale value for the items. The high degree of relationship ( r = .871) is discussed. (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
Influencing health behavior through informational campaigns, followed by the expectation of attitude change and subsequent desired behavior changes, is examined. Prior literature in this area indicates that the correlations between information level and overt behavior or between attitude and overt behavior are generally positive though low. Two major approaches to improving the relationships between knowledge, attitude, and behavior are discussed: (a) the approach taken by M. Fishbein and his associates, which argues for the use of measures of behavior intention rather than generalized attitudes, and (b) the approach of W. J. McGuire and other proponents of an information-processing model, which argues that moving between the elements of the knowledge-attitude-behavior continuum demands processing time on the part of individuals and attention to a set of elements within a communication matrix. The five central elements of the communication process (source, message, channel, receiver, destination) and the independent variables involved are examined. The information-processing model is seen as particularly appropriate to health promotion campaigns and is recommended for further careful study in health promotion situations.
Article
Discusses the use of self-report studies to understand organizational phenomena and examines issues of construct validity and of appropriate inferences that can be made from cross-sectional self-report studies (CSRSs). It is argued that CSRSs have 2 weaknesses. First, the use of the job incumbent as the only source of data leaves many alternative explanations for observed correlations other than that the intended traits are related. Second, cross-sectional designs do not allow for confident causal conclusions. Despite these weaknesses, this design can be useful in providing a picture of how people feel about and view their jobs and can determine intercorrelations among various feelings and perceptions. CSRSs should not be automatically dismissed as being inferior. However, the methodology used should match the research question asked, and for many organizational behavior questions the CSRS will not provide adequate answers. (PsycINFO Database Record (c) 2007 APA, all rights reserved)
Article
The numerous technical advances in information sciences do not always produce more secure environments. Therefore, information security cannot be understood or described as solely a technical problem. Computers are operated by people and this means that information security is also a human factors issue. Human factors influence how individuals interact with information security technology; it is this interaction that is often detrimental to security. It is evident that solely technical solutions are unlikely to prevent security breaches. Organisations need to instil and maintain a culture where positive security behaviours are valued. The usability challenges associated with information security need to be understood and resolved. This means that security functions need to be meaningful, easy to locate, visible and convenient to use. Employees need to be educated about the importance of security awareness, and this should incorporate behavioural training. How individuals interact with computers and how decisions are made in regard to information security is certainly a very dynamic and complex issue. There are many factors that need to be considered. For example, it is important to acknowledge the influence of individual differences, personality traits and cognitive abilities. There are also biases and heuristics that affect how individuals perceive risk. These are important because they help to explain why individuals make certain decisions and why specific behaviours may be observed. Both risk perception and individual differences are also affected by the environment in which they occur. Culture and climate can certainly have a significant impact on values, attitudes and behaviours. That is why understanding an organisation’s culture and security climate can provide great insights into why certain behaviours do and do not take place. A major concern within information security is the threat of social engineering attacks. 
Social engineering attacks are conducted in an effort to gain sensitive information, and this information is often used maliciously to the detriment of individuals and organisations. Social engineering poses a real threat to all organisations and to diminish this threat, individuals need to not only be aware of potential attacks, but also be taught the appropriate tools to reduce their chances of becoming a target and a victim. Given the complexity of human factors issues in information security, recommendations will be made about how to promote positive security behaviours through awareness, education and training, in conjunction with improvements in physical and computer security. The application of information security technologies does not always result in improved security. Human factors play a significant role in computer security; factors such as individual differences, cognitive abilities and personality traits can impact on behaviour. Information security behaviours are also greatly influenced by an individual’s perception of risk. All of these factors are also affected by the organisational culture and security environment in which they occur. These factors interact with one another and can result in behaviours that are often detrimental to information security. This report provides recommendations as to how these human and cultural factors can be influenced to result in more positive behaviours and lead to more secure information environments.
Article
The landscape : Digital threats. Attacks. Adversaries. Security needs -- Technologies : Cryptography. Cryptography in context. Computer security. Identification and authentication. Networked-computer security. Network security. Network defenses. Software reliability. Secure hardware. Certificates and credentials. Security tricks. The human factor -- Strategies : vulnerabilities and the vulnerability landscape. Threat modeling and risk assessment. Security policies and countermeasures. Attack trees. Product testing and verification. The future of products. Security processes. Conclusion