21 research outputs found

    About the Measuring of Information Security Awareness: A Systematic Literature Review

    To make employees aware of their important role for information security, companies typically carry out security awareness campaigns. The success and effectiveness of those campaigns has to be measured, for example to justify the budget. Therefore, we did a systematic literature review in order to learn how information security awareness (ISA) is measured in theory and practice. We covered published literature as well as unpublished information. The unpublished information was retrieved by interviewing experts of small and medium-sized enterprises. The results showed that ISA is mostly measured via questionnaires. Round about 40 % of the questionnaires are based on the Knowledge-Attitude-Behavior-Model which is itself scientifically weak. According to studies, measuring knowledge is not sufficient and behavior has to be measured. Our results show that the answers of participants in questionnaires often differ from the truth due to wrong perception or social desirability bias. Therefore, behavior should be measured through behavior tests

    The Forgotten Model – Validating the Integrated Behavioral Model in Context of Information Security Awareness

    The behavior of employees has a strong influence on the information security of a company. Whether humans behave in an information-security-compliant way depends to a large extent on their information security awareness (ISA). Social psychology provides an understanding about factors that influence awareness and thus gives relevant insights on how to increase an employee's ISA. A promising theory from health psychology is the Integrated Behavioral Model (IBM). To validate the significance of the IBM for ISA, a structured literature review about models that explain ISA has been conducted. The analysis of the found ISA models and their constructs showed that the IBM indeed includes all found factors. Based on the findings, the paper presents an extended model of the IBM within the ISA context with a higher level of detail. The model can be used to analyze individualized ISA and help companies to enhance ISA in a systematic way

    Automated Measuring of Information Security Related Habits

    Since the digital age requires interaction with digital services, the information security awareness (ISA) of everyone gets more important than ever. Since the ISA is defined as a set of aspects, it is not enough to increase the knowledge. This work focuses on the aspect of habits. Therefore, we used design science research to create an artifact which allows the automated measurement of habits. The automation can be achieved through a client-server application which tracks the behavior of employees in a GDPR-compliant way and calculates multiple metrics based on the tracked behavior. However, not all of the defined metrics are applicable in every company. Therefore, additional process iterations of the design science research methodology are required

    Analyze Before You Sensitize: Preparation of a Targeted ISA Training

    This paper describes a procedure to enable the planning of targeted measures to increase the Information Security Awareness (ISA) of employees of an institution. The procedure is practically applied at a German university. With the help of a comprehensive analysis, which is based on findings of social psychology, necessary topics for ISA measures are identified. In addition, reasons are sought for why employees do not conduct information security. The procedure consists of a qualitative phase with interviews and a quantitative phase with a questionnaire. It turned out that the procedure provided many clues to the design of ISA measures. These include organizational and technical measures that can help employees to ensure information-safe behavior. In addition, it was found that there were deviations between the qualitative and quantitative phases and therefore, both phases are necessary. The paper critically discusses the procedure and also addresses the strengths and weaknesses of the analysis

    360 Degrees of Security: Can VR Increase the Sustainability of ISA Trainings?

    What companies need are employees who have an appropriate level of information security awareness (ISA). This paper examined ways to increase existing ISA knowledge. The core of the work was to investigate the possibility of a more sustainable effect of knowledge enhancement in relation to ISA through virtual reality (VR). For this purpose, VR training and traditional video training were compared within a subject study. In order to create the most efficient video training possible, a qualitative literature research was first conducted on the topic of knowledge transfer in general. This was followed by the development of didactic guiding principles for an optimized learning video. Both training courses were then tested. Theoretically, a sustainable effect of increasing ISA knowledge through VR training has been proven. However, within the scope of the subject study, no sustainable increase in ISA knowledge can be proven through VR training in comparison to video training. Therefore, the didactic and immersive possibilities of VR technology need to be further explored in follow-up studies

    Developing a Maturity Model for Information Security Awareness Using a Polytomous Extension of the Rasch Model

    Advancing digitization in companies leads to increased importance of information and their security. Since people play a crucial role in protecting information, it is important to sensitize them to information security. Many companies find it difficult to raise the so-called information security awareness (ISA) in a planned and targeted way. With a maturity model (MM) for ISA, companies are able to carry out an assessment of the current state regarding ISA and thereby actively manage and plan their future ISA measures. The proposed MM has five maturity levels that were determined mathematically with the help of a polytomous extension of the Rasch model and a hierarchical cluster analysis. The required data for the calculations has been gathered with a survey among 105 organizations. The evaluation has shown that the MM is well-suited to identify strengths and weaknesses with regard to ISA within organizations

    Immersive Storytelling for Information Security Awareness Training in Virtual Reality

    Due to the central role of the human factor in information security, the need for information security awareness (ISA) is constantly increasing. In order to maintain a high level of ISA, trainings have to be carried out frequently to ensure sustainability. Since education via VR has led to a sustainable learning effect in other fields, we evaluated the use of VR for ISA trainings. Moreover, we combined our VR training with immersive storytelling. For the evaluation we used two sets of participants. The first used a traditional e-Learning method to answer the questionnaire. The second used our VR training. After one week we repeated the questionnaires. The results showed that the VR group could achieve higher scores than the noVR group. Moreover, the VR group achieved even higher scores after one week which might be due to the sustained learning effect from the VR training

    Long-lived quantum memory enabling atom-photon entanglement over 101 km telecom fiber

    Long-distance entanglement distribution is the key task for quantum networks, enabling applications such as secure communication and distributed quantum computing. Here we report on novel developments extending the reach for sharing entanglement between a single $^{87}$Rb atom and a single photon over long optical fibers. To maintain a high fidelity during the long flight times through such fibers, the coherence time of the single atom is prolonged to 7 ms by applying a long-lived qubit encoding. In addition, the attenuation in the fibers is minimized by converting the photon's wavelength to the telecom S-Band via polarization-preserving quantum frequency conversion. This enables us to observe entanglement between the atomic quantum memory and the emitted photon after passing 101 km of optical fiber with a fidelity better than 70.8 ± 2.4%. The fidelity, however, is no longer reduced due to loss of coherence of the atom or photon but in the current setup rather due to detector dark counts, showing the suitability of our platform to realize city-to-city scale quantum network links. Comment: 11 pages, 8 figures, comments are welcome

    Entangling single atoms over 33 km telecom fibre

    Quantum networks promise to provide the infrastructure for many disruptive applications, such as efficient long-distance quantum communication and distributed quantum computing [1,2]. Central to these networks is the ability to distribute entanglement between distant nodes using photonic channels. Initially developed for quantum teleportation [3,4] and loophole-free tests of Bell's inequality [5,6], recently, entanglement distribution has also been achieved over telecom fibres and analysed retrospectively [7,8]. Yet, to fully use entanglement over long-distance quantum network links it is mandatory to know it is available at the nodes before the entangled state decays. Here we demonstrate heralded entanglement between two independently trapped single rubidium atoms generated over fibre links with a length up to 33 km. For this, we generate atom–photon entanglement in two nodes located in buildings 400 m line-of-sight apart and, to overcome high-attenuation losses in the fibres, convert the photons to telecom wavelength using polarization-preserving quantum frequency conversion [9]. The long fibres guide the photons to a Bell-state measurement setup in which a successful photonic projection measurement heralds the entanglement of the atoms [10]. Our results show the feasibility of entanglement distribution over telecom fibre links useful, for example, for device-independent quantum key distribution [11–13] and quantum repeater protocols. The presented work represents an important step towards the realization of large-scale quantum network links

    Current Issues Of Metrics For Information Security Awareness

    Measuring information security awareness (ISA) is mostly done by the measurement of knowledge. However, knowledge does not allow any statement about actual behavior. Therefore, measurement techniques are required that focus on the behavior of employees. We carried out a structured literature review as well as expert interviews in order to retrieve current requirements for metrics in theory and practice. Moreover, we show that the interviewees defined some more requirements than are available in literature. The goal of our research is to create a performance measurement system (PMS) based on the integrated behavioral model (IBM). Therefore, we had to check if the different aspects of the IBM can be covered by existing metrics. Although many of the requirements can be fulfilled by current metrics, not all aspects of the IBM can be covered. Therefore, we need additional research to create a PMS that allows the evaluation of ISA in companies