Tjaart Steyn

Value-focused assessment of ICT security awareness in an academic environment

Security awareness is important to reduce human error, theft, fraud, and misuse of computer assets. A strong ICT security culture cannot develop and grow in a company without awareness programmes. This paper focuses on ICT security awareness and how to identify key areas of concern to address in ICT security awareness programmes by making use of the value-focused approach. The result of this approach is a network of objectives where the fundamental objectives are the key areas of concern that can be used in decision making in security planning. The fundamental objectives were found to be in line with the acknowledged goals of ICT security, e.g. confidentiality, integrity and availability. Other objectives that emerged were more on the social and management side, e.g. responsibility for actions and effective use of resources.

A vocabulary test to assess information security awareness

Purpose – The dependence on human involvement and human behavior to protect information assets necessitates an information security awareness program to make people aware of their roles and responsibilities towards information security. The purpose of this paper is to examine the feasibility of an information security vocabulary test as an aid to assess awareness levels and to assist with the identification of suitable areas or topics to be included in an information security awareness program. Design/methodology/approach – A questionnaire has been designed to test and illustrate the feasibility of a vocabulary test. The questionnaire consists of two sections – a first section to perform a vocabulary test and a second one to evaluate respondents’ behavior. Two different class groups of students at a university were used as a sample. Findings – The research findings confirmed that the use of a vocabulary test to assess security awareness levels will be beneficial. A significant relationship between knowledge of concepts (vocabulary) and behavior was observed. Originality/value – The paper introduces a new approach to evaluate people’s information security awareness levels by employing an information security vocabulary test. This new approach can assist management to plan and evaluate interventions and to facilitate best practice in information security. Aspects of cognitive psychology and language were taken into account in this research project, indicating the interaction and influence between apparently different disciplines.

An assessment of the role of cultural factors in information security awareness

An information security awareness program is regarded as an important instrument in the protection of information assets. In this study, the traditional approach to an information security awareness program is extended to include possible cultural factors relating to people from diverse backgrounds. The human factor, consisting of two closely related dimensions, namely knowledge and behaviour, play a significant role in the field of ICT security. In addition, cultural factors also impact on the security knowledge and behaviour of people as cultural differences may manifest themselves in different levels of security awareness. An information security vocabulary test was used to assess the level of awareness pertaining to the two human dimensions — knowledge and behaviour amongst students from two different regional universities in South Africa. The objective is to determine whether cultural differences among students have an effect on their ICT security awareness levels. Results obtained suggest that certain cultural factors such as mother tongue, area where you grew up, etc., do have an impact on security awareness levels and should be taken into consideration when planning and developing an information security awareness program.

An Empirical Assessment of Factors Impeding Effective Password Management

Abstract Since passwords are one of the main mechanisms used to protect data and information, it is important to ensure that passwords are managed correctly and that those factors which will have a significant impact on password management are identified and prioritized. Therefore, in order for an information and communication technology (ICT) overall security program to be successful, a security awareness program or component must be included. The aim of this paper is to perform an exploratory study with the objective of introducing certain fundamental causes that may impact password management. Empirical results, followed by a survey as well as the application of several management science techniques are presented.

Identity Theft — Empirical evidence from a Phishing Exercise

Identity theft is an emerging threat in our networked world and more individuals and companies fall victim to this type of fraud. User training is an important part of ICT security awareness; however, IT management must know and identify where to direct and focus these awareness training efforts. A phishing exercise was conducted in an academic environment as part of an ongoing information security awareness project where system data or evidence of users’ behavior was accumulated. Information security culture is influenced by amongst other aspects the behavior of users. This paper presents the findings of this phishing experiment where alarming results on the staff behavior are shown. Educational and awareness activities pertaining to email environments are of utmost importance to manage the increased risks of identity theft.

Reshaping computer literacy teaching in higher education: Identification of critical success factors

Purpose – Acquiring computer skills is more important today than ever before, especially in a developing country. Teaching of computer skills, however, has to adapt to new technology. This paper aims to model factors influencing the success of the learning of computer literacy by means of an e‐learning environment. The research question for this paper is: what is the relationship between the success of the teaching of computer literacy and factors such as mother tongue, the learners favourite subject, secondary school, race, future vision, confidence, computer anxiety, prior knowledge, intellectual ability, learning styles, the learners ability to plan and follow his or her own planning and gender?Design/methodology/approach – The research plan combined interpretive and positivistic methods (mixed method research). Factors were identified from literature and interpretive interviews before being tested empirically and analyzed statistically, using questionnaires and biographical data from learners at a u...

Email security awareness: a practical assessment of employee behaviour

Email communication is growing as a main method for individuals and organizations to communicate. Sadly, this is also an emerging means of conducting crime in the cyber world, e.g. identity theft, virus attacks etc. The need for improving awareness to these threats amongst employees is evident in media reports. Information security is as much a people issue as a technology one. This paper presents a description and results of an email awareness experiment that was performed amongst staff from a South African university. It is shown how management can use these results to focus and improve ICT awareness.

Value-Focused Assessment of Information Communication and Technology Security Awareness in an Academic Environment

The aim of this paper is to introduce the approach of value-focused thinking when identifying information and communications technology (ICT) security awareness aspects. Security awareness is important to reduce human error, theft, fraud, and misuse of computer assets. A strong ICT security culture cannot develop and grow in a company without awareness programmes. How can personnel follow the rules when they don’t know what the rules are? [1] This paper focuses on ICT security awareness and how to identify key areas of concern to address in ICT security awareness programmes by making use of the value-focused approach. The result of this approach is a network of objectives where the fundamental objectives are the key areas of concern that can be used in decision making in security planning.

Determinants of password security: some educational aspects

Development and integration of technology give organisations the opportunity to be globally competitive. However, the potential misuse of Information Technology (IT) is a reality that has to be dealt with by management, individuals and information security professionals. Numerous threats have emerged over time in the networked world, but so have the ways of alleviating these risks. However, security problems are still imminent – as highlighted by the plethora of media articles and research efforts. The insider risk is stated as being around 80% of security threats [1] in a company. With this statistic in mind, management has to plan how to allocate resources to counteract the risks. Very often, simple measures such as good password behaviour are overlooked or not rated high enough to include in all security awareness programmes. This paper will focus on a study that assesses password management of future IT professionals. It will be demonstrated how management and educators can use these results to focus their efforts in order to improve users’ password practices and thereby enhancing overall IT security.

A Linguistic Approach to Information Security Awareness Education in a Healthcare Environment

It is widely accepted that healthcare information security is extremely important and that security breaches will have serious consequences in many areas. Despite controls, such as legal frameworks, as well as ongoing research projects into healthcare information security and privacy, there is still an alarming number of healthcare information security breaches reported annually. In this paper, a linguistic approach, utilizing a vocabulary test, is proposed as a tool to determine security awareness levels of healthcare workers and to assist in educating them in security awareness aspects. A vocabulary-measuring instrument was developed and distributed to healthcare workers in a large South African hospital group. Results indicated that information security awareness levels are generally acceptable, but that potential problem areas exist between certain language groups, as well as between different business functions (departments). The study also shows that the proposed approach may offer significant advantages in information security awareness campaigns.