137 research outputs found

    About the Measuring of Information Security Awareness: A Systematic Literature Review

    To make employees aware of their important role for information security, companies typically carry out security awareness campaigns. The success and effectiveness of those campaigns has to be measured to justify the budget, for example. Therefore, we did a systematic literature review in order to learn how information security awareness (ISA) is measured in theory and practice. We covered published literature as well as unpublished information. The unpublished information was retrieved by interviewing experts of small and medium-sized enterprises. The results showed that ISA is mostly measured via questionnaires. Round about 40 % of the questionnaires are based on the Knowledge-Attitude-Behavior-Model which is itself scientifically weak. According to studies, measuring knowledge is not sufficient and behavior has to be measured. Our results show that the answers of participants in questionnaires often differ from the truth due to wrong perception or social desirability bias. Therefore, behavior should be measured through behavior tests

    The Forgotten Model – Validating the Integrated Behavioral Model in Context of Information Security Awareness

    The behavior of employees has a strong influence on the information security of a company. Whether humans behave information security compliant depends to a large extent on their information security awareness (ISA). Social psychology provides an understanding about factors that influence awareness and thus gives relevant insights on how to increase an employee's ISA. A promising theory from health psychology is the Integrated Behavioral Model (IBM). To validate the significance of the IBM for ISA, a structured literature review about models that explain ISA has been conducted. The analysis of the found ISA models and their constructs showed that the IBM indeed includes all found factors. Based on the findings, the paper presents an extended model of the IBM within the ISA context with a higher level of detail. The model can be used to analyze individualized ISA and help companies to enhance ISA in a systematic way

    Analyze Before You Sensitize: Preparation of a Targeted ISA Training

    This paper describes a procedure to enable the planning of targeted measures to increase the Information Security Awareness (ISA) of employees of an institution. The procedure is practically applied at a German university. With the help of a comprehensive analysis, which is based on findings of social psychology, necessary topics for ISA measures are identified. In addition, reasons are sought for why employees do not conduct information security. The procedure consists of a qualitative phase with interviews and a quantitative phase with a questionnaire. It turned out that the procedure provided many clues to the design of ISA measures. These include organizational and technical measures that can help employees to ensure information-safe behavior. In addition, it was found that there were deviations between the qualitative and quantitative phases and therefore, both phases are necessary. The paper critically discusses the procedure and also addresses the strengths and weaknesses of the analysis

    Automated Measuring of Information Security Related Habits

    Since the digital age requires interaction with digital services, the information security awareness (ISA) of everyone gets more important than ever. Since the ISA is defined as a set of aspects, it is not enough to increase the knowledge. This work focuses on the aspect of habits. Therefore, we used design science research to create an artifact which allows the automated measurement of habits. The automation can be achieved through a client-server application which tracks the behavior of employees in a GDPR-compliant way and calculates multiple metrics based on the tracked behavior. However, not all of the defined metrics are applicable in every company. Therefore, additional process iterations of the design science research methodology are required

    360 Degrees of Security: Can VR Increase the Sustainability of ISA Trainings?

    What companies need are employees who have an appropriate level of information security awareness (ISA). This paper examined ways to increase existing ISA knowledge. The core of the work was to investigate the possibility of a more sustainable effect of knowledge enhancement in relation to ISA through virtual reality (VR). For this purpose, VR training and traditional video training were compared within a subject study. In order to create the most efficient video training possible, a qualitative literature research was first conducted on the topic of knowledge transfer in general. This was followed by the development of didactic guiding principles for an optimized learning video. Both training courses were then tested. Theoretically, a sustainable effect of increasing ISA knowledge through VR training has been proven. However, within the scope of the subject study, no sustainable increase in ISA knowledge can be proven through VR training in comparison to video training. Therefore, the didactic and immersive possibilities of VR technology need to be further explored in follow-up studies

    Developing a Maturity Model for Information Security Awareness Using a Polytomous Extension of the Rasch Model

    Advancing digitization in companies leads to increased importance of information and their security. Since people play a crucial role in protecting information, it is important to sensitize them to information security. Many companies find it difficult to raise the so-called information security awareness (ISA) in a planned and targeted way. With a maturity model (MM) for ISA, companies are able to carry out an assessment of the current state regarding ISA and thereby actively manage and plan their future ISA measures. The proposed MM has five maturity levels that were determined mathematically with the help of a polytomous extension of the Rasch model and a hierarchical cluster analysis. The required data for the calculations has been gathered with a survey among 105 organizations. The evaluation has shown that the MM is well-suited to identify strengths and weaknesses with regard to ISA within organizations

    Coexistence in a One-Dimensional Cyclic Dominance Process

    Cyclic (rock-paper-scissors-type) population models serve to mimic complex species interactions. Focusing on a paradigmatic three-species model with mutations in one dimension, we observe an interplay between equilibrium and non-equilibrium processes in the stationary state. We exploit these insights to obtain asymptotically exact descriptions of the emerging reactive steady state in the regimes of high and low mutation rates. The results are compared to stochastic lattice simulations. Our methods and findings are potentially relevant for the spatio-temporal evolution of other non-equilibrium stochastic processes. Comment: 4 pages, 4 figures and 2 pages of Supplementary Material. To appear in Physical Review