10 research outputs found

    Evaluating human factors of information security awareness in Taibah University

    Information security for organizations such as educational sectors is gaining more importance as the implementation of technical solutions deployed to increase business efficiency. Information security technological implementation is insufficient to withstand threats that evolve with wider implementations of technologies; the more technology is implemented, the more threat probability pushes in. Information security relies on three ties, which are the technology, process and people. Processes can govern people's behaviour by policies; however, people still need a broader understanding of process and technology to be aware of expected threats and how their attitude and behaviours are going to evolve. Information security awareness indicates the understanding and behaviour of in information security. The information security awareness of employees should be measured to improve control strategies such as training or to determine the security maturity of an organization. In this research an adequate instrument, the Human Aspects Information Security Questionnaire (HAIS-Q). This instrument was administered to employees and students of Taibah University by an online web-based survey testing the knowledge, attitudes and behaviour across the model's seven policy-based focus areas. Initial results indicate HAIS-Q to be valid, reliable and suitable for comparable analysis. The model is able to measure information security awareness in its seven coverage focus areas. Results obtained indicated above average ISA level on tested sample using HAIS-Q model.

    A Cognitive Theory-based Approach for the Evaluation and Enhancement of Internet Security Awareness among Children Aged 3-12 Years

    In the age of technology, the Internet has spread widely and is used for multiple purposes by users of all ages, especially children who start using it frequently to play in their spare time. With the use of the Internet, children must have a sufficient security awareness to avoid security risks found online. This study takes us through the journey of evaluating and enhancing the level of the Internet security awareness among a group of Saudi children aged 3-12 years. The developed evaluation survey shows that there is some awareness among the Saudi children; however, they still need more concrete ways of ensuring secure practices as they showed a poor knowledge of proper Internet security practices in areas such as interacting with anonymous advertisements as well as understanding some of the Internet security symbols. The study also presents a suggested Awareness Enhancement solution to raise the security awareness among children. The solution’s design takes into consideration Piaget’s theory of children’s cognitive development, which states that children in different age groups have different perceptual and learning abilities. The test of the suggested solution shows a significant increase in the sample’s Internet security level. The work of this study emphasizes the importance of targeting the Saudi children with interactive training sessions to raise their Internet security awareness level.

    A comparative assessment of human factors in cybersecurity: Implications for cyber governance

    This paper provides an extensive overview of cybersecurity awareness in the young, educated, and technology-savvy population of the United Arab Emirates (UAE), compared to the United States of America (USA) for advancing the scholarship and practice of global cyber governance. We conducted comparative empirical studies to identify differences in specific human factors that affect cybersecurity behaviour in the UAE and the USA. In addition, we employed several control variables to observe reliable results. We used Hofstede’s theoretical framework on culture to advance our investigation. The results show that the targeted population in the UAE exhibits contrasting interpretations of cybersecurity awareness of critical human factors as compared to their counterparts from the USA. We identify possible explanations for this relatively different behaviour in the UAE population. Our key contributions are to provide valuable information for cybersecurity policymakers in the UAE and Gulf Cooperation Council (GCC) region to further enhance cyber safety, governance, awareness, and trust among citizens

    Information security awareness and behavior: A theory-based literature review

    Purpose – This paper aims to provide an overview of theories used in the field of employees’ information systems (IS) security behavior over the past decade. Research gaps and implications for future research are worked out by analyzing and synthesizing existing literature. Design/methodology/approach – This paper presents the results of a literature review comprising 113 publications. The literature review was designed to identify applied theories and to understand the cognitive determinants in the research field. A meta-model that explains employees’ IS security behavior is introduced by assembling the core constructs of the used theories. Findings – The paper identified 54 used theories, but four behavioral theories were primarily used: Theory of Planned Behavior (TPB), General Deterrence Theory (GDT), Protection Motivation Theory (PMT) and Technology Acceptance Model (TAM). By synthesizing results of empirically tested research models, a survey of factors proven to have a significant influence on employees’ security behavior is presented. Research limitations/implications – Some relevant publications might be missing within this literature review due to the selection of search terms and/or databases. However, by conducting a forward and a backward search, this paper has limited this error source to a minimum. Practical implications – This study presents an overview of determinants that have been proven to influence employees’ behavioral intention. Based thereon, concrete training and awareness measures can be developed. This is valuable for practitioners in the process of designing Security Education, Training and Awareness (SETA) programs. Originality/value – This paper presents a comprehensive up-to-date overview of existing academic literature in the field of employees’ security awareness and behavior research. Based on a developed meta-model, research gaps are identified and implications for future research are worked out.
© Emerald Group Publishing Limited

    Information security management and employees' security awareness : an analysis of behavioral determinants

    [no abstract]

    Strategic framework to minimise information security risks in the UAE

    A thesis submitted to the University of Bedfordshire in partial fulfilment of the requirements for the PhD degree. The transition process to ICT (Information and Communication Technology) has had significant influence on different aspects of society. Although the computerisation process has motivated the alignment of different technical and human factors with the expansion process, the technical pace of the transition surpasses the human adaptation to change. Much research on ICT development has shown that ICT security is essentially a political and a managerial act that must not disregard the importance of the relevant cultural characteristics of a society. Information sharing is a necessary action in society to exchange knowledge and to enable and facilitate communication. However, certain information should be shared only with selected parties or even kept private. Information sharing by humans forms the main obstacle to security measures undertaken by organisations to protect their assets. Moreover, certain cultural traits play a major role in thwarting information security measures. Arab culture of the United Arab Emirates is one of those cultures with strong collectivism featuring strong ties among individuals. Sharing sensitive information including passwords of online accounts can be found in some settings in some cultures, but with reason and generally on a small scale. However, this research includes a study on 3 main Gulf Cooperation Council (GCC) countries, namely, Saudi Arabia (KSA), United Arab Emirates (UAE) and Oman, showing that there is a similar, significant level of sensitive information sharing among employees in the region. This is proven to highly contribute to compromising user digital authentication, eventually putting users’ accounts at risk. The research continued by carrying out a comparison between the United Kingdom (UK) and the Gulf Cooperation Council (GCC) countries in terms of attitudes and behaviour towards information sharing.
It was evident that there is a significant difference between GCC Arab culture and the UK culture in terms of information sharing. Respondents from the GCC countries were more inclined to share sensitive information with their families and friends than the UK respondents were. However, UK respondents still revealed behaviour in some contexts which may lead to potential threats to the authentication mechanism and consequently to other digital accounts that require a credential pass. It was shown that the lack of awareness and the cultural impact are the main issues for sensitive information sharing among family members and friends in the GCC. The research hence investigated channels and measures of reducing the prevalence of social engineering attacks, such as legislative measures, technological measures, and education and awareness. The research found out that cultural change is necessary to remedy sensitive information sharing as a cultural trait. Education and awareness are perhaps the best defence to cultural change and should be designed effectively. Accordingly, the work critically analysed three national cybersecurity strategies of the United Kingdom (UK), the United States (U.S.) and Australia (AUS) in order to identify any information security awareness education designed to educate online users about the risk of sharing sensitive information including passwords. The analysis aimed to assess possible adoption of certain elements, if any, of these strategies by the UAE. The strategies discussed only user awareness to reduce information sharing. However, awareness in itself may not achieve the required result of reducing information sharing among family members and friends. Rather, computer users should be educated about the risks of such behaviour in order to realise and change.
As a result, the research conducted an intervention study that proposed a UAE-focused strategy designed to promote information security education for the younger generation to mitigate the risk of sensitive information sharing. The results obtained from the intervention study of school children formed a basis for the information security education framework also proposed in this work

    Information Security Risk Management (ISRM) Model for Saudi Arabian Organisations

    This research aimed to investigate the factors influencing information security risk management (ISRM) and develop an ISRM model for large Saudi Arabian organisations. The study employed an exploratory research method following a top-down design approach. The research was conducted in two sequential phases: an interview and a focus group discussion. The research identified 14 factors grouped into the people, process, and technology that influence ISRM in large Saudi Arabian organisations. The proposed model can successfully guide large Saudi Arabian organisations to implement ISRM standards more effectively

    A Novel Framework for Improving Cyber Security Management and Awareness for Home Users

    A wide and increasing range of different technologies, devices, platforms, applications and services are being used every day by home users. In parallel, home users are also experiencing a range of different online threats and attacks. Indeed, home users are increasingly being targeted as they lack the knowledge and awareness about potential threats and how to protect themselves. The increase in technologies and platforms also increases the burden upon a user to understand how to apply security across the differing technologies, operating systems and applications. This results in managing the security across their technology portfolio increasingly more troublesome and time-consuming. Thus, it is apparent that a more innovative, convenient and usable security management solution is vital. This thesis investigates current online awareness tools and reviews studies which try to enhance cybersecurity awareness and education among the home users. It is evident from the analysis that most of the studies which have made efforts in proposing “one-fits-all” solutions do not have the ability to provide the users with a tailored awareness content based on a number of criteria such as the current needs, prior knowledge, and security priorities for each user. The thesis proposes an approach for improving security management and awareness for home users by providing them with a customised security awareness. A design science research methodology has been used for understanding the current problem, creating and developing an artefact which can enhance security management and awareness for home users. A number of security controls and requirements were identified which need to be managed and monitored for different technologies and services. In addition, the research designed several preliminary interfaces which can show the main components and aspects in the proposed solution based on HCI principles. 
A participant-based study was undertaken to get feedback on the initial design requirements and interfaces. A survey of 434 digital device users was undertaken and revealed that there is a positive correlation between the security concern, knowledge and management amongst home users towards different security aspects. Positive feedback and some valuable comments were received about the preliminary interface designs in terms of the usability and functionality aspects. This builds into a final design phase which proposes a novel architecture for enhancing security management and awareness for home users. The proposed framework is capable of creating and assigning different security policies for different digital devices. These assigned policies are monitored, checked and managed in order to review the user’s compliance with the assigned policies and provide bespoke security awareness. In addition, a mockup design was developed to simulate the proposed framework to show different interactions with different components and sections in order to visualise the main concepts and the functions which might be performed when it is deployed in a real environment. Ultimately, two separate focus group discussions, involving experts and end-users, have been conducted in order to provide a comprehensive evaluation of the identified research problem, the feasibility and the effectiveness of the proposed approach. The overall feedback of the two discussions can be considered as positive, constructive and encouraging. The experts agreed that the identified research problem is very important and a real problem. In addition, the participants agreed that the proposed framework is feasible and effective in improving security management and awareness for home users. The outcomes have also shown a reasonable level of satisfaction from the participants towards different components and aspects of the proposed design. Saudi governmen

    Computational Methods for Medical and Cyber Security

    Over the past decade, computational methods, including machine learning (ML) and deep learning (DL), have been exponentially growing in their development of solutions in various domains, especially medicine, cybersecurity, finance, and education. While these applications of machine learning algorithms have been proven beneficial in various fields, many shortcomings have also been highlighted, such as the lack of benchmark datasets, the inability to learn from small datasets, the cost of architecture, adversarial attacks, and imbalanced datasets. On the other hand, new and emerging algorithms, such as deep learning, one-shot learning, continuous learning, and generative adversarial networks, have successfully solved various tasks in these fields. Therefore, applying these new methods to life-critical missions is crucial, as is measuring these less-traditional algorithms' success when used in these fields

    Information Security Awareness in Saudi Arabia

    While the Web, cell phone “apps” and cloud computing put a world of information at our fingertips, that information is under constant threat from cyber vandals and hackers. Although awareness of information threats is growing in the Western world, in places like Saudi Arabia, information security is very poor. Unlike Western pluralistic democracies, Saudi Arabia is a highly-censored country, with a patriarchal and tribal culture, which may influence its poor information security rating. This paper examines the level of information security awareness (ISA) among the general public in Saudi Arabia, using an anonymous online survey, based on instruments produced by the Malaysian Cyber Security Organization and KPMG. The survey attracted 462 respondents and the results confirmed that ISA in Saudi Arabia is extremely low. Several of the areas of weakness in ISA appear to be related to the level of censorship or the patriarchal and tribal nature of Saudi culture.