FORMING THE AWARENESS OF EMPLOYEES IN THE FIELD OF INFORMATION SECURITY
DOI:
https://doi.org/10.12775/JPM.2017.006
Keywords
information security, information security awareness, method, training
Abstract
Research purpose: The aim of this study is to present the essence and importance of information security awareness in the organisation and to analyse selected methods used in forming employee awareness in terms of information security.
Methodology/approach: This paper is based on literature studies and available reports.
Findings: The presented paper suggests that in order to create a positive change in the organisation, information security training should focus on the attitude and behavior of employees. The focus is primarily on what employees do and how their actions affect the results. In order to minimise the risk of data breaches, often resulting from human error, training methods must meet the needs of today's employees. Effective information security awareness strategies should address the needs of both the organisation itself and the learners.
Limitations/implications: The study is based on theoretical analysis, which indicates the need for further empirical research.
Originality/value: The main value of the study is to clarify the need for forming employees' awareness of information security while indicating a number of available methods enabling the implementation of awareness programs in the organisation.