An information security retrieval and awareness model for industry

The present study originated from a realisation that employees in an organisation should be aware of their role and responsibility towards securing the information they work with. Only if employees are aware of their role and responsibilities towards Information Security, could they be held accountable if the information they work with is compromised in any way. Further motivation for the study was the realisation that information is the lifeline of many organisations and should therefore be properly secured and managed to ensure that it is not compromised in any way. If organisations fail to do so, they could be faced with serious consequences such as prosecution under a number of legal frameworks, or a loss of money, time and business opportunities. The ultimate responsibility for the management of Information Security lies with top management. Top management should enforce Information Security and create an Information Security culture within the organisation. To ensure that employees adhere to the Information Security rules and regulations, top management should measure and monitor the status of Information Security awareness among employees on a continuous basis. A further incentive for this study was the realisation that many Information Security breaches occur due to human action (deliberate as well as accidental). Information Security should therefore also address the non-technical, human-related Information Security issues and not focus on the technical issues only. Bearing these realisations in mind, this study is principally aimed at making a contribution towards enhancing Information Security awareness in industry, and for this reason, culminates in an Information Security Retrieval and Awareness model specifically developed for the industry sector. While developing this model, special care was taken to address the limitations of current models in the said domain. An investigation into the current status of Information Security awareness in each of the sectors of the Information Security community (i.e. government, industry and academia) indicated that there is an urgent need for enhancing Information Security awareness in each of these sectors. Although many governments around the globe have initiated projects to address Information Security, they should continue to launch new initiates to keep up with the constant changes in Information Technology. These changes continuously trigger new risks that could lead to Information Security breaches. In the Industry sector, technical Information Security issues receive most of the attention when Information Security is addressed, and the non-technical, humanrelated Information Security issues are often ignored or neglected. The pressing need for an Information Security awareness model for industry that incorporates the nontechnical, human-related Information Security issues is therefore self-evident. The academic sector has incorporated Information Security into its curricula, but these efforts are still not enough. Information Security should be incorporated at all levels - undergraduate as well as postgraduate - and should be included in Computer Science and Information Systems, as well as other related disciplines such as Law. After having investigated the current status of Information Security awareness in the Information Security community, the researcher proceeded to explore the ongoing development of Information Security over the past few years. These developments created paradigm shifts ranging from a purely technical approach towards Information Security, towards a more managerial way of protecting information, and currently focusing on creating an Information Security culture within organisations. With the development of Information Security came Information Security documents that address the management and implementation of Information Security. An investigation into these documents has lead to the identification of ten Information Security documents that are accepted as leading documents in the Information Security community. These documents were identified as the basis for a Common Body of Knowledge for Information Security suited to industry. After having explored the limitations of current efforts to create such a Common Body of Knowledge, a Common Body of Knowledge for Information Security suited to industry that addresses these limitations was proposed. The proposed Common Body of Knowledge addresses the Information Security responsibility of both users with little or no formal background on Information Security, and of specialists in the field. This is achieved by grouping stakeholders according to their job category into IT authority levels. The people on each IT authority level have different responsibilities towards securing the information they work with. In addition, the proposed Common Body of Knowledge explicitly distinguishes between the technical and the non-technical, human-related Information Security issues. Such a Common Body of Knowledge can be used as a guideline during the management and implementation of Information Security in industry. Having explored the IT authority levels of a typical organisation and after investigating the non-technical, human-related Information Security issues, an Information Security Retrieval and Awareness model (ISRA) was developed specifically for the industry. The proposed model enhances Information Security awareness in the said domain in the sense that it is based on a Common Body of Knowledge for Information Security suited to industry. In addition, the ISRA model ensures that stakeholders are made aware of the Information Security issues relevant to their specific job category only, to prevent them from being burdened with irrelevant information. Finally, the ISRA model allows stakeholders to retrieve specific information related to Information Security at any time. The ISRA model focuses specifically on the industry sector and consists of three parts: the ISRA Dimensions; Information Security Retrieval and Awareness; and Measuring and Monitoring. The ISRA dimensions form the building blocks of the model and integrate the non-technical, human-related Information Security issues, the IT authority levels and the 10 state-of-the-art Information Security document dimensions. The purpose of the Retrieval and Awareness part of the ISRA model is to enable each stakeholder to retrieve information from the ISRA dimensions at any time. In this way Information Security awareness among all stakeholders can be enhanced. IT authority levels could also request specific information to assist them in their decision-making processes. The last part of the ISRA model, Measuring and Monitoring, provides top management with a tool to determine the status of Information Security awareness within the organisation and enables them to identify vulnerable areas with regard to Information Security awareness. The current research culminates in the development and implementation of a prototype to confirm that the ISRA model is not merely a theoretical concept, but that it also constitutes a practicable Information Security Retrieval and Awareness model.COMPUTINGPHD (INFORMATION SYSTEMS