Agata McCormac
Defence Science and Technology Organisation
Publication
Featured research published by Agata McCormac.
Computers & Security | 2014
Kathryn Parsons; Agata McCormac; Marcus A. Butavicius; Malcolm Robert Pattinson; Cate Jerram
It is increasingly acknowledged that many threats to an organisation's computer systems can be attributed to the behaviour of computer users. To quantify these human-based information security vulnerabilities, we are developing the Human Aspects of Information Security Questionnaire (HAIS-Q). The aim of this paper was twofold. The first aim was to outline the conceptual development of the HAIS-Q, including validity and reliability testing. The second aim was to examine the relationship between knowledge of policy and procedures, attitude towards policy and procedures and behaviour when using a work computer. Results from 500 Australian employees indicate that knowledge of policy and procedures had a stronger influence on attitude towards policy and procedure than self-reported behaviour. This finding suggests that training and education will be more effective if it outlines not only what is expected (knowledge) but also provides an understanding of why this is important (attitude). Plans for future research to further develop and test the HAIS-Q are outlined.
Information Management & Computer Security | 2012
Malcolm Robert Pattinson; Cate Jerram; Kathryn Parsons; Agata McCormac; Marcus A. Butavicius
Purpose – The purpose of this paper is to investigate the behaviour response of computer users when either phishing e‐mails or genuine e‐mails arrive in their inbox. The paper describes how this research was conducted and presents and discusses the findings. Design/methodology/approach – This study was a scenario‐based role‐play experiment that involved the development of a web‐based questionnaire that was only accessible by invited participants when they attended a one‐hour, facilitated session in a computer laboratory. Findings – The findings indicate that overall, genuine e‐mails were managed better than phishing e‐mails. However, informed participants managed phishing e‐mails better than not‐informed participants. Other findings show how familiarity with computers, cognitive impulsivity and personality traits affect behavioural responses to both types of e‐mail. Research limitations/implications – This study does not claim to evaluate actual susceptibility to phishing emails. The subjects were University...
Archive | 2011
Ian Graves; Marcus A. Butavicius; Veneta MacLeod; Rebecca Heyer; Kathryn Parsons; Natalie Kuester; Agata McCormac; Philip Jacques; Ray Johnson
Heightened international concerns relating to security and identity management have led to an increased interest in security applications, such as face recognition and baggage and passenger screening at airports. A common feature of many of these technologies is that a human operator is presented with an image and asked to decide whether the passenger or baggage corresponds to a person or item of interest. The human operator is a critical component in the performance of the system and it is of considerable interest to not only better understand the performance of human operators on such tasks, but to also design systems with a human operator in mind. This paper discusses a number of human factors issues which will have an impact on human operator performance in the operational environment, as well as highlighting the variables which must be considered when evaluating the performance of these technologies in scenario or operational trials based on Defence Science and Technology Organisation’s experience in such testing.
Computers & Security | 2017
Kathryn Parsons; Dragana Calic; Malcolm Robert Pattinson; Marcus A. Butavicius; Agata McCormac; Tara Zwaans
Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.
Journal of Cognitive Engineering and Decision Making | 2015
Kathryn Parsons; Elise Young; Marcus A. Butavicius; Agata McCormac; Malcolm Robert Pattinson; Cate Jerram
In this study three aspects of information security decision making—namely, knowledge of policies and procedures, attitude towards policies and procedures, and self-reported behavior—were examined in conjunction with the organizational factors that may increase human-based cyber vulnerabilities. The results of a survey of 500 Australian employees revealed a significant, positive relationship between information security decision making and organizational information security culture. This suggests that improving the security culture of an organization will positively influence the behavior of employees, which in turn should also improve compliance with security policies. This means that risk to an organization’s information systems and data will be mitigated. The complexity associated with implementing effective rewards and punishments is discussed, along with suggestions for further research to adequately understand the many factors that influence information security decision making.
information security conference | 2013
Kathryn Parsons; Agata McCormac; Malcolm Robert Pattinson; Marcus A. Butavicius; Cate Jerram
Using a role play scenario experiment, 117 participants were asked to manage 50 emails. To test whether the knowledge that participants are undertaking a phishing study impacts on their decisions, only half of the participants were informed that the study was assessing the ability to identify phishing emails. Results indicated that the participants who were informed that they were undertaking a phishing study were significantly better at correctly managing phishing emails and took longer to make decisions. This was not caused by a bias towards judging an email as a phishing attack, but instead, an increase in the ability to discriminate between phishing and real emails. Interestingly, participants who had formal training in information systems performed more poorly overall. Our results have implications for the interpretation of previous phishing studies, the design of future studies and for training and education campaigns, as it suggests that when people are primed about phishing risks, they adopt a more diligent screening approach to emails.
Information and Computer Security | 2016
Malcolm Robert Pattinson; Kathryn Parsons; Marcus A. Butavicius; Agata McCormac; Dragana Calic
Purpose – The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accidental information security behaviours. Design/methodology/approach – In the first study, 23 university students responded to an online survey within a university laboratory setting that captured their attitudes toward behaviours in each of seven focus areas. In the second study, the same students participated in a one-on-one repertory grid technique interview that elicited their attitudes toward the same seven behaviours. Results were analysed using Spearman correlations. Findings – There were significant correlations for three of the seven behaviours, although attitudes relating to password management, use of social networking sites, information handling and reporting of security incidents were not significantly correlated. Research limitations/implications – The small sample size (n = 23) and the fact that participants were not necessarily representative of typical employees, may have impacted on the results. Practical implications – This study contributes to the challenge of developing a reliable instrument that will assess individual InfoSec awareness. Senior management will be better placed to design intervention strategies, such as training and education of employees, if individual attitudes are known. This, in turn, will reduce risk-inclined behaviour and a more secure organisation. Originality/value – The literature review indicates that this study addresses a genuine gap in the research.
Information Management & Computer Security | 2014
Kathryn Parsons; Agata McCormac; Malcolm Robert Pattinson; Marcus A. Butavicius; Cate Jerram
Purpose – The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations. Design/methodology/approach – A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants across the three organisations. This was complemented by interviews with senior management from these agencies. Findings – Overall, management and employees had reasonable levels of InfoSec awareness. However, weaknesses were identified in the use of wireless technology, the reporting of security incidents and the use of social networking sites. These weaknesses were identified in the survey data of the employees and corroborated in the management interviews. Research limitations/implications – As with all such surveys, responses to the questions on attitude and behaviour (but not knowledge) may have been influenced by the social desirability bias. Further research s...
international conference on human-computer interaction | 2015
Malcolm Robert Pattinson; Marcus A. Butavicius; Kathryn Parsons; Agata McCormac; Dragana Calic
Information Security professionals have been attempting to convince senior management for many years that humans represent a major risk to the security of an organization's computer systems and the information that these systems process. This major threat relates to the behavior of employees whilst they are using a computer at work. This paper examines the non-malicious computer-based behavior and how it is influenced by a mixture of individual, organizational and interventional factors. The specific factors reported herein include an employee's age; education level; ability to control impulsivity; familiarity with computers; and personality. This research utilized the Qualtrics online web-based survey software to develop and distribute a questionnaire that resulted in 500 valid responses. The major conclusions of this research are that an employee's accidental-naive behavior is likely to be less risky if they are more conscientious; older; more agreeable; less impulsive; more open; and, surprisingly, less familiar with computers.
International Journal of Human-computer Studies / International Journal of Man-machine Studies | 2012
Marcus A. Butavicius; Michael D. Lee; Brandon Pincombe; Louise G. Mullen; Daniel J. Navarro; Kathryn Parsons; Agata McCormac
Two experiments were conducted examining the effectiveness of visualizations of unstructured texts. The first experiment presented transcriptions of unrehearsed dialog and the second used emails. Both experiments showed an advantage in overall performance for semantically structured two-dimensional (2D) spatialized layouts, such as multidimensional scaling (MDS), over structured and non-structured list displays. The second experiment also demonstrated that this advantage is not simply due to the 2D nature of the display, but the combination of 2D display and the semantic structure underpinning it. Without this structure, performance fell to that of a Random List of documents. The effect of document type in this study and in Butavicius and Lee's (2007) study on visualizations of news articles may be partly described by a change in bias on a speed-accuracy trade-off. At one extreme, users were accurate but slow in answering questions based on the dialog texts while, at the other extreme, users were fast but relatively inaccurate when responding to queries about emails. Similarly, users could respond accurately using the non-structured list interface; however, this was at the cost of very long response times and was associated with a technique whereby participants navigated by clicking on neighboring document representations. Implications of these findings for real-world applications are discussed.