Hennie A. Kruger

A prototype for assessing information security awareness

Due to the intensified need for improved information security, many organisations have established information security awareness programs to ensure that their employees are informed and aware of security risks, thereby protecting themselves and their profitability. In order for a security awareness program to add value to an organisation and at the same time make a contribution to the field of information security, it is necessary to have a set of methods to study and measure its effect. The objective of this paper is to report on the development of a prototype model for measuring information security awareness in an international mining company. Following a description of the model, a brief discussion of the application results is presented.

Value-focused assessment of ICT security awareness in an academic environment

Security awareness is important to reduce human error, theft, fraud, and misuse of computer assets. A strong ICT security culture cannot develop and grow in a company without awareness programmes. This paper focuses on ICT security awareness and how to identify key areas of concern to address in ICT security awareness programmes by making use of the value-focused approach. The result of this approach is a network of objectives where the fundamental objectives are the key areas of concern that can be used in decision making in security planning. The fundamental objectives were found to be in line with the acknowledged goals of ICT security, e.g. confidentiality, integrity and availability. Other objectives that emerged were more on the social and management side, e.g. responsibility for actions and effective use of resources.

A vocabulary test to assess information security awareness

Purpose – The dependence on human involvement and human behavior to protect information assets necessitates an information security awareness program to make people aware of their roles and responsibilities towards information security. The purpose of this paper is to examine the feasibility of an information security vocabulary test as an aid to assess awareness levels and to assist with the identification of suitable areas or topics to be included in an information security awareness program. Design/methodology/approach – A questionnaire has been designed to test and illustrate the feasibility of a vocabulary test. The questionnaire consists of two sections – a first section to perform a vocabulary test and a second one to evaluate respondents’ behavior. Two different class groups of students at a university were used as a sample. Findings – The research findings confirmed that the use of a vocabulary test to assess security awareness levels will be beneficial. A significant relationship between knowledge of concepts (vocabulary) and behavior was observed. Originality/value – The paper introduces a new approach to evaluate people’s information security awareness levels by employing an information security vocabulary test. This new approach can assist management to plan and evaluate interventions and to facilitate best practice in information security. Aspects of cognitive psychology and language were taken into account in this research project, indicating the interaction and influence between apparently different disciplines.

Consensus ranking - An ICT security awareness case study

There are many disciplines where the problem of consensus ranking plays a vital role. Decision-makers are frequently asked to express their preferences for a group of objects, e.g. new projects, new products, candidates in an election, etc. The basic problem then becomes one of combining the individual rankings into a group choice or consensus ranking. The objective of this paper is to report on the application of two management science methodologies to the problem of identifying the most important areas to be included in an Information Communications Technology (ICT) security awareness program. The first methodology is based on the concept of minimizing the distance (disagreement) between individual rankings, while the second one employs a heuristic approach. A real-world case study from the mining industry is presented to illustrate the methods.

An assessment of the role of cultural factors in information security awareness

An information security awareness program is regarded as an important instrument in the protection of information assets. In this study, the traditional approach to an information security awareness program is extended to include possible cultural factors relating to people from diverse backgrounds. The human factor, consisting of two closely related dimensions, namely knowledge and behaviour, play a significant role in the field of ICT security. In addition, cultural factors also impact on the security knowledge and behaviour of people as cultural differences may manifest themselves in different levels of security awareness. An information security vocabulary test was used to assess the level of awareness pertaining to the two human dimensions — knowledge and behaviour amongst students from two different regional universities in South Africa. The objective is to determine whether cultural differences among students have an effect on their ICT security awareness levels. Results obtained suggest that certain cultural factors such as mother tongue, area where you grew up, etc., do have an impact on security awareness levels and should be taken into consideration when planning and developing an information security awareness program.

Considering the influence of human trust in practical social engineering exercises

There are numerous technical advances in the field of information security. However, the application of information security technologies alone is often not sufficient to address security issues. Human factors play an increasing role in securing computer assets and are often detrimental to the security of an organisation. One of the salient aspects of security, which is linked to humans, is trust. It is safe to assume that trust will play an important role in any information security environment and may influence security behaviour significantly. In this paper the results of a practical phishing exercise and a trust survey are considered. The research project is part of a larger project and the phishing exercise is a follow-up to an earlier first practical phishing test. Results of the phishing test are compared with the first exercise. In addition, the newly obtained trust information from the survey is also incorporated into the report in order to try and explain security behaviour. The research was performed at a large organisation. Results indicate that although there is a general high level of trust in the organisations ability to provide safe and secure information systems, a large number of staff was still victim to a simple phishing exercise. A possible explanation, which opens up further avenues for research, is offered.

Identity Theft — Empirical evidence from a Phishing Exercise

Identity theft is an emerging threat in our networked world and more individuals and companies fall victim to this type of fraud. User training is an important part of ICT security awareness; however, IT management must know and identify where to direct and focus these awareness training efforts. A phishing exercise was conducted in an academic environment as part of an ongoing information security awareness project where system data or evidence of users’ behavior was accumulated. Information security culture is influenced by amongst other aspects the behavior of users. This paper presents the findings of this phishing experiment where alarming results on the staff behavior are shown. Educational and awareness activities pertaining to email environments are of utmost importance to manage the increased risks of identity theft.

Email security awareness: a practical assessment of employee behaviour

Email communication is growing as a main method for individuals and organizations to communicate. Sadly, this is also an emerging means of conducting crime in the cyber world, e.g. identity theft, virus attacks etc. The need for improving awareness to these threats amongst employees is evident in media reports. Information security is as much a people issue as a technology one. This paper presents a description and results of an email awareness experiment that was performed amongst staff from a South African university. It is shown how management can use these results to focus and improve ICT awareness.

Can perceptual differences account for enigmatic information security behaviour in an organisation

Present two preceding social engineering tests and a trust survey as background and contextualisation.Present a perceptual differences study.Results offer some explanations to problems such as the privacy paradox.Propose a safe and secure information environment model. Information security in organisations is often threatened by risky behaviour of users. Despite information security awareness and training programmes, the human aspect of information security remains a critical and challenging component of a safe and secure information environment, and users reveal personal and confidential information regularly when asked for it. In an effort to explain and understand this so-called privacy paradox, this paper investigates aspects of trust and perceptual differences, based on empirical research. Two preceding social engineering exercises form the basis of the research project and are also presented as background information. Following the empirical work, a safe and secure information model is proposed. It is then argued that perceptual alignment of different organisational groups is a critical and prerequisite requirement to reach information security congruence between groups of people. In the context of the proposed model, the perceptual differences also offer some explanation as to why users with high levels of security awareness as well as high levels of trust in own and organisational capabilities so often fall victim to social engineering scams. The empirical work was performed at a large utility company and results are presented together with appropriate discussions.

Phishing and Organisational Learning

The importance of addressing the human aspect in information security has grown over the past few years. One of the most frequent techniques used to obtain private or confidential information from humans is phishing. One way to combat these phishing scams is to have proper security awareness programs in place. In order to enhance the awareness and educational value of information security awareness programs, it is suggested that an organisational learning model, characterised by so called single-loop and double-loop learning, be considered. This paper describes a practical phishing experiment that was conducted at a large organisation and shows how a learning process was initiated and how security incidents such as phishing can be used successfully for both single and double-loop learning.