Marcus A. Butavicius

Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)

Abstract It is increasingly acknowledged that many threats to an organisations computer systems can be attributed to the behaviour of computer users. To quantify these human-based information security vulnerabilities, we are developing the Human Aspects of Information Security Questionnaire (HAIS-Q). The aim of this paper was twofold. The first aim was to outline the conceptual development of the HAIS-Q, including validity and reliability testing. The second aim was to examine the relationship between knowledge of policy and procedures, attitude towards policy and procedures and behaviour when using a work computer. Results from 500 Australian employees indicate that knowledge of policy and procedures had a stronger influence on attitude towards policy and procedure than self-reported behaviour. This finding suggests that training and education will be more effective if it outlines not only what is expected (knowledge) but also provides an understanding of why this is important (attitude). Plans for future research to further develop and test the HAIS-Q are outlined.

Why do some people manage phishing e‐mails better than others?

Purpose – The purpose of this paper is to investigate the behaviour response of computer users when either phishing e‐mails or genuine e‐mails arrive in their inbox. The paper describes how this research was conducted and presents and discusses the findings.Design/methodology/approach – This study was a scenario‐based role‐play experiment that involved the development of a web‐based questionnaire that was only accessible by invited participants when they attended a one‐hour, facilitated session in a computer laboratory.Findings – The findings indicate that overall, genuine e‐mails were managed better than phishing e‐mails. However, informed participants managed phishing e‐mails better than not‐informed participants. Other findings show how familiarity with computers, cognitive impulsivity and personality traits affect behavioural responses to both types of e‐mail.Research limitations/implications – This study does not claim to evaluate actual susceptibility to phishing emails. The subjects were University...

The Role of the Human Operator in Image-Based Airport Security Technologies

Heightened international concerns relating to security and identity management have led to an increased interest in security applications, such as face recognition and baggage and passenger screening at airports. A common feature of many of these technologies is that a human operator is presented with an image and asked to decide whether the passenger or baggage corresponds to a person or item of interest. The human operator is a critical component in the performance of the system and it is of considerable interest to not only better understand the performance of human operators on such tasks, but to also design systems with a human operator in mind. This paper discusses a number of human factors issues which will have an impact on human operator performance in the operational environment, as well as highlighting the variables which must be considered when evaluating the performance of these technologies in scenario or operational trials based on Defence Science and Technology Organisation’s experience in such testing.

Attention to internal face features in unfamiliar face matching

Accurate matching of unfamiliar faces is vital in security and forensic applications, yet previous research has suggested that humans often perform poorly when matching unfamiliar faces. Hairstyle and facial hair can strongly influence unfamiliar face matching but are potentially unreliable cues. This study investigated whether increased attention to the more stable internal face features of eyes, nose, and mouth was associated with more accurate face-matching performance. Forty-three first-year psychology students decided whether two simultaneously presented faces were of the same person or not. The faces were displayed for either 2 or 6 seconds, and had either similar or dissimilar hairstyles. The level of attention to internal features was measured by the proportion of fixation time spent on the internal face features and the sensitivity of discrimination to changes in external feature similarity. Increased attention to internal features was associated with increased discrimination in the 2-second display-time condition, but no significant relationship was found in the 6-second condition. Individual differences in eye-movements were highly stable across the experimental conditions.

An empirical evaluation of four data visualization techniques for displaying short news text similarities

An experiment was conducted comparing user performance on four data visualization techniques-an unstructured display condition consisting of a random one-dimensional (1D) list and three proximity-based representations including a 1D list ranked by a greedy nearest-neighbor algorithm and two 2D spatial visualizations using the ISOMAP layout algorithm and multidimensional scaling (MDS). Eighty-one participants completed an information retrieval task where the visualization techniques were used to display a corpus consisting of 50 short news texts. Human pairwise similarity judgments for this corpus were used to create the three proximity-based displays. Results demonstrated an advantage in accuracy, the number of documents accessed, and, to a lesser extent, subjective confidence in these displays over the Random List condition and in the 2D over the 1D displays. Similar, but smaller, advantages were observed in the MDS display over ISOMAP however none of these pairwise comparisons were statistically significant. A sequential analysis of participant actions in terms of the proximity of document representations accessed provided some explanation for variations in performance between the displays as well as indicating strategic differences in interactions particularly between visualizations of different dimensionality.

The Human Aspects of Information Security Questionnaire (HAIS-Q)

Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.

The Influence of Organizational Information Security Culture on Information Security Decision Making

In this study three aspects of information security decision making—namely, knowledge of policies and procedures, attitude towards policies and procedures, and self-reported behavior—were examined in conjunction with the organizational factors that may increase human-based cyber vulnerabilities. The results of a survey of 500 Australian employees revealed a significant, positive relationship between information security decision making and organizational information security culture. This suggests that improving the security culture of an organization will positively influence the behavior of employees, which in turn should also improve compliance with security policies. This means that risk to an organization’s information systems and data will be mitigated. The complexity associated with implementing effective rewards and punishments are discussed, along with suggestions for further research to adequately understand the many factors that influence information security decision making.

Phishing for the Truth: A Scenario-Based Experiment of Users’ Behavioural Response to Emails

Using a role play scenario experiment, 117 participants were asked to manage 50 emails. To test whether the knowledge that participants are undertaking a phishing study impacts on their decisions, only half of the participants were informed that the study was assessing the ability to identify phishing emails. Results indicated that the participants who were informed that they were undertaking a phishing study were significantly better at correctly managing phishing emails and took longer to make decisions. This was not caused by a bias towards judging an email as a phishing attack, but instead, an increase in the ability to discriminate between phishing and real emails. Interestingly, participants who had formal training in information systems performed more poorly overall. Our results have implications for the interpretation of previous phishing studies, the design of future studies and for training and education campaigns, as it suggests that when people are primed about phishing risks, they adopt a more diligent screening approach to emails.

Assessing information security attitudes: a comparison of two studies

Purpose The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accidental information security behaviours. Design/methodology/approach In the first study, 23 university students responded to an online survey within a university laboratory setting that captured their attitudes toward behaviours in each of seven focus areas. In the second study, the same students participated in a one-on-one repertory grid technique interview that elicited their attitudes toward the same seven behaviours. Results were analysed using Spearman correlations. Findings There were significant correlations for three of the seven behaviours, although attitudes relating to password management, use of social networking sites, information handling and reporting of security incidents were not significantly correlated. Research limitations/implications The small sample size (n = 23) and the fact that participants were not necessarily representative of typical employees, may have impacted on the results. Practical implications This study contributes to the challenge of developing a reliable instrument that will assess individual InfoSec awareness. Senior management will be better placed to design intervention strategies, such as training and education of employees, if individual attitudes are known. This, in turn, will reduce risk-inclined behaviour and a more secure organisation. Originality/value The literature review indicates that this study addresses a genuine gap in the research.

A study of information security awareness in Australian government organisations

Purpose – The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations. Design/methodology/approach – A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants across the three organisations. This was complemented by interviews with senior management from these agencies. Findings – Overall, management and employees had reasonable levels of InfoSec awareness. However, weaknesses were identified in the use of wireless technology, the reporting of security incidents and the use of social networking sites. These weaknesses were identified in the survey data of the employees and corroborated in the management interviews. Research limitations/implications – As with all such surveys, responses to the questions on attitude and behaviour (but not knowledge) may have been influenced by the social desirability bias. Further research s...