115 research outputs found

    Investigation of Attitudes Towards Security Behaviors

    Cybersecurity attacks have increased as Internet technology has proliferated. Symantec’s 2013 Internet Security Report stated that two out of the top three causes of data breaches in 2012 were attributable to human error (Pelgrin, 2014). This suggests a need to educate end users so that they engage in behaviors that increase their cybersecurity. This study researched how a user’s knowledge affects their engagement in security behaviors. Security behaviors were operationalized into two categories: cyber hygiene and threat response behaviors. A sample of 194 San José State University students were recruited to participate in an observational study. Students completed a card sort, a semantic knowledge quiz, and a survey of their intention to perform security behaviors. A personality inventory was included to see if there would be any effects of personality on security behaviors. Multiple regression was used to see how card sorting and semantic knowledge quiz scores predicted security behaviors, but the results were not significant. Despite this, there was a correlation between cyber hygiene behaviors and threat response behaviors, as well as the Big Five personality traits. The results showed that many of the Big Five personality traits correlated with each other, which is consistent with other studies’ findings. The only personality trait that had a correlation with one of the knowledge measures was neuroticism, in which neuroticism had a negative correlation with the semantic knowledge quiz. Implications for future research are discussed to understand how knowledge, cyber hygiene behaviors, and threat response behaviors relate

    Measuring information security governance within general medical practice

    Information security is becoming increasingly important within the Australian general medical practice environment as legal and accreditation compliance is being enforced. Using a literature review, approaches to measuring information security governance were analysed for their potential suitability and use within General Practice for the effective protection of confidential information. The models, frameworks and guidelines selected were analysed to evaluate if they were Key Performance Indicator (KPI), or process driven; whether the approach taken was strategic, tactical or operational; and if governance or management assessment tools were presented. To measure information security governance, and be both effective and practical, the approach to be utilised within General Practice would need to function at an operational level and be KPI driven. Eight of the 29 approaches identified, were deemed to be applicable for measuring information security governance within the General Practice environment. However, further analysis indicated that these measurement approaches were either too complex to be directly implemented into General Practice, or collected self-assessment security data rather than actual security measurements. The literature review presented in this paper establishes the need for further research to develop an approach for measuring information security governance within General Practice

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding

    Measuring the Level of Students' Information Security Awareness in Online Learning

    The period from 2020 until now has been one in which technology is increasingly needed, because Corona Virus Disease has required all education-related institutions to conduct learning online. This study was conducted to measure the level of information security awareness of students who carry out online activities using platforms such as Zoom, Google Meet, etc., and to educate students through online questionnaire feedback. The measurement is carried out across 3 dimensions of awareness, namely attitude, behavior, and knowledge, with the aim of determining the level of awareness, so that actions can be formulated to educate where awareness is lacking and to maintain what is already good, based on the final percentage results. This study uses the Multiple Criteria Decision Analysis (MCDA) method, and data were collected using a Google Forms questionnaire. The results of this study show that students' level of information security awareness is at the “medium” level, with a total score of 66%. The knowledge dimension, which is already good, needs to be maintained, and special attention should be given to the attitude and behavior dimensions

    Information Security Behavioral Model: Towards Employees’ Knowledge and Attitude

    Information Security has become a significant concern for today’s organizations. The internal security threats act as the most crucial type of security threat within an organization. These internal security threats are a result of poor conduct of security behavior by the employees within an organization. If not dealt with properly, it may hamper the auditing of the organization. Auditing plays an important role in the business environment. Before conducting auditing it is essential to examine the behavioral aspect of the employees. The objective of this paper is to take out this internal threat that acts as a security slack, out of an organization by using a well-structured approach to develop a security behavior model. To validate the proposed model a survey method is used. The survey method measures the knowledge and attitude of an individual employee towards information security to analyze the behavioral security aspect of the employees. Statistical Analysis of the result of the survey indicates that the employees’ knowledge and attitude towards information security drive their behavior towards achieving the ultimate organizational goal and thus validates the proposed security model

    FORMING THE AWARENESS OF EMPLOYEES IN THE FIELD OF INFORMATION SECURITY

    Research purpose: The aim of this study is to present the essence and importance of information security awareness in the organisation and to analyse selected methods used in forming employee awareness in terms of information security. Methodology/ approach: This paper is based on literature studies and available reports. Findings: The presented paper suggests that in order to create a positive change in the organisation, information security training should focus on the attitude and behavior of employees. Concentration is primarily about what they do and how their actions affect the results. In order to minimise the risk of data breaches, often resulting from human error, training methods must meet the needs of today's employees. Effective information security awareness strategies should address the needs of both the organisation itself and the learning people. Limitations/implications: The study is based on the theoretical analysis, indicating the need of conducting further empirical research. Originality/value: The main value of the study is to clarify the need for forming employees' awareness of information security while indicating a number of available methods enabling the implementation of awareness programs in the organisation

    Information security awareness in university: maintaining learnability, performance and adaptability through roles of responsibility

    The 21st century witnesses that technology is increasingly providing availability and accessibility to information; along with this trend is the emerging problem of information security. In order to analyze how technology introduces these new risks, it is necessary to discuss the technology lifecycle. Consider for instance the technology life cycle as concerning diffusion of an innovation. Since technological innovations or IT solutions are being adopted to support business processes, the need to protect those IT solutions also arises along with their adoption. Accordingly, two important factors need much consideration in raising awareness: firstly, how the organization significantly influences the end user’s attitude, and secondly, how the organization ensures regular assessment or evaluation to measure the effectiveness of IS awareness policy within the organization

    Feasibility study on incorporating IEC/ISO27001 information security management system (ISMS) standard in it services environment

    Feasibility Study on incorporating IEC/ISO27001 Information Security Management System (ISMS) in IT Services Environment is a research study by taking an organization as a case study to carry out a feasibility study on existing maturity level of managing information security and propose an implementation approach to the organization based on ISO27001 ISMS standards. The activities involve the security gap assessment, drafting the mandatory documents as per ISO 27001 ISMS standard requirement. The objective of this study is to identify the common information security incidents and the ISO27001 ISMS practices on corrective and prevention actions. Besides, this research study is focusing on analyzing the current state of an organization by conducting a feasibility study on the readiness of ISO27001 ISMS practiced by the organization. The methodology of this research study was derived with the research operational framework that comprised several project phases, ISO27001 ISMS implementation phases that mapped to the deliverables. The deliverables and expected results are series of document sets that must comply with the ISO27001 ISMS standard such as initial draft of ISMS policy manual, risk assessment methodology, risk assessment report, statement of applicability (SOA) will be developed to meet the ISO27001 ISMS requirement and criteria. Also, the mandatory activities such as gap assessment, information security risk assessment will be proposed and conducted with the relevant reports to be prepared as part of the results and findings to accomplish the objectives of this research study. The findings of the feasibility study from the gap assessment that has been performed within an organization are not meeting the requirement of ISO27001 ISMS. Hence, this research study proposed the implementation approach based on ISO27001 ISMS standards to implement the ISMS controls to close the gaps and mitigate the risks identified from the gap assessment findings

    End User Information Security Awareness Programs for Improving Information Security in Banking Organizations: Preliminary Results from an Exploratory Study

    The purpose of this research is to analyze information security awareness (ISA) programs and the measurement of ISA behavior in banking organizations. The underlying paper summarizes the qualitative and exploratory part of our two-staged mixed methods research on the improvement of employee security behavior concerning IT operational risks. IT operational loss events are often caused by undesirable security behavior of employees concerning information technology. Organizations conduct ISA programs to build employees’ security awareness concerning information technology to prevent IT operational loss events. Ten semi-structured qualitative expert interviews were carried out to explore potentials for improvement of ISA programs. Our findings focus on the character of ISA delivery methods and the implemented controls for these methods. Further research should shed light on the effectiveness of experimental and proactive ISA controlling. The outcome provides input for practice in the area of ISA building in the financial sector

    MEASUREMENT OF INFORMATION SECURITY AND PRIVACY AWARENESS USING THE MULTIPLE CRITERIA DECISION ANALYSIS (MCDA) METHOD

    Information security is an asset that has value so it must be protected, along with increasing assets it is undeniable that many people wish to gain access and control it so that behind the convenience in the digital world there are many risks to information assets. There are several cases that occur related to information security such as data theft, illegal access, information leakage and vandalism where this becomes the privacy of the user. So it is necessary to do research from the user's perspective to measure the level of information security and privacy awareness of students and lecturers as well as recommendations that will be suggested based on the results of measuring information security and privacy awareness. The objects in this research are students and lecturers at the XYZ University. The method used is Multiple Criteria Decision Analysis (MCDA) by measuring the dimensions of knowledge, attitude, behavior in six areas of information security and three areas of privacy. Data were obtained by distributing questionnaires using a Likert scale of 5. Based on the questionnaire from the respondents, it can be seen that students and lecturers have awareness that is at a "good" level of 85% in information security while privacy is at a "good" level with a result of 89%, but in the behavior dimension there are several areas that are included in the "average" level, including the passwords area by 62%, mobile equipment area by 77%, incident area by 70%, and on privacy security on the behavior dimension there is one area, namely the login activity area by 78%, so this needs to be given recommendations for improvement in order to reach a "good" level by providing socialization/training for students and lecturers