With most employees in small and medium enterprise engineering firms now having access to their own personal workstations, the need for information security management to safeguard against loss, alteration or theft of the firms' important information has increased. These SMEs tend to be more concerned with vulnerabilities from external threats, although industry research suggests that a significant proportion of security incidents originate from insiders within the firm. Hence, physical preventive measures such as antivirus software and firewalls are proving to solve only part of the problem, as the employees using them lack adequate information security knowledge. This tends to expose a firm to risks and costly mistakes made by naïve/uninformed employees. This paper presents an information security awareness process that seeks to cultivate positive security behaviours using a behavioural intention model based on the Theory of Reasoned Action, the Protection Motivation Theory and the Behaviourism Theory. The process and model have been refined and tested through action research at an SME engineering firm in South Africa, and the findings are presented and discussed in this paper.
Keywords: Information Security Awareness; Security Behaviour; Information Security Training
SMEs, particularly those in the engineering sector, are continually investing significantly in their overall Information and Communication Technologies (ICTs), making Information Security a major concern for the safeguarding of their information assets [10]; [15].
Most of these SMEs have information security policies that present rules to be adhered to [19]. These rules provide a solid foundation for the development and implementation of secure practices within the firms. However, the existence of these formal security policies does not necessarily mean that employees will adhere to the rules [10]. Subsequently, employees need to be aware of the security practices prescribed in the firm's policy.
Information security awareness and training are frequently used for raising awareness of employees and promoting appropriate information security behaviour. This ensures that employees realise the importance of security and the adverse consequences of information security failure, and that there is the potential for people to deliberately or accidentally steal, damage, or misuse data stored within a firm's information systems and throughout the organisation [20]; [45].
Engineering firms rely heavily on digital information stored on networked servers. This information includes patented and unpatented private and confidential designs, plus drawings and client information that are prone to security threats. Engineering SMEs tend to ignore the risk of the uninformed employee and are more concerned with vulnerabilities from external threats; however, industry research suggests that the uninformed employee, by not behaving securely, may expose the firm to serious security risks, for example data corruption, deletion, and even commercial espionage [1]; [5]; [6]; [22]; [33].
Insider risk can result from two sources: intentional and unintentional behaviour [45]. This paper focuses on unintentional naïve mistakes, although intentional dangerous tinkering by disgruntled employees is also a significant threat. Unintentionally uninformed employees (insiders) may expose a firm's information assets to risk by making naïve mistakes, visiting malware-infested websites, responding to phishing emails, using weak passwords, storing their login information in unsecured locations, or giving out sensitive information over the phone when exposed to social engineering techniques. Unintentional mistakes by the employee are not an attempt to discredit the firm or make a profit by selling confidential data, but rather a result of inadequate employee training about information security, that is, their lack of security awareness and of the consequences of their actions. This weakness can never be completely eliminated, but a well-structured security awareness campaign helps to reduce the risk to acceptable levels [19]; [22].
SME engineering firms have high levels of trust in their employees not to compromise security; hence, they believe information security awareness is not an issue for them [42]. Ironically, it is more important for SMEs than for larger firms, as employees often have multiple roles and thus have access to a variety of financial, organisational, client and employee information. Furthermore, there is less segregation of duties in SME engineering firms, thus less control over access to information. Whilst exposed to many of the same threats and vulnerabilities as large organisations, SMEs do not have access to the same level of resources [42]; this makes their risk even higher.
The purpose of this paper is to present, refine and validate a process that can be followed by SMEs to ensure that their employees are information security aware. This process is mainly based on a behavioural intention model, to be presented in section 3.2, and Kruger and Kearney's [21] information security measurement concepts.
The behavioural intention model bases its argument on three main theories: the Theory of Reasoned Action (TRA) [3], the Protection Motivation Theory (PMT) [28] and the Behaviourism Theory (BT) [47]. Previous works have used research frameworks that incorporate TRA, PMT and BT with other theories (even if unconsciously) [10]; [13]; [30]. According to Anderson and Agarwal's [27] review of literature in this area, no prior information security research has used all three theories in a single information security study. Although research has been carried out in the area of information security awareness, there is a lack of literature on the effectiveness of information security awareness methods on the basis of psychological theories, as well as a lack of description of the underlying theory of these methods. Psychology is the science of the mind and behaviour. Social psychology has been used for many years for research in the area of education, learning and human behaviour [29].
Action research was conducted at a civil engineering firm to refine and validate the process. Elden and Chisholm [44] note that action research is change oriented, seeking to introduce changes with positive social values, the key focus of the practice being on a problem and its solution.
The remainder of the paper is organised as follows: first, the information security awareness process is presented, followed by the behavioural intention model; thirdly, the method for measuring information security is discussed, followed by the analysis and results; finally, the paper concludes by discussing its findings.
THE INFORMATION SECURITY AWARENESS PROCESS
Information security theories posit that in order for security efforts to be effective, firms must ensure that employees are part of the security effort [4]; [32]; [34]; [38]; [45].
This section discusses the proposed information security awareness process in the form of a flow chart. Figure 1 shows the proposed information security awareness process for SME engineering firms. The flow chart has four processes (P1, P2, P3 and P4) and three checks (C1, C2 and C3). When planning an information security awareness programme, the first step should be to check the existence of an up-to-date Information Security Policy (C1 and C2); however, the firm where the action research was conducted had a sound and up-to-date policy that accurately reflected its overall stance towards information security. The step of drafting or updating an Information Security Policy (P1 and P2) was not carried out and is beyond the scope of this study.
Figure 1: Information security awareness process. Flow chart boxes: draft an information security policy; update the information security policy; measure employee information security awareness levels and carry out a needs assessment; run information security awareness campaign and training. Decision points: does an information security policy exist?; is the information security policy up to date?; is the awareness level satisfactory?
The next step is to measure employees' current level of information security understanding (P3) so as to identify any knowledge gaps. During the action research, this needs assessment process highlighted the firm's awareness and training needs. For example, in the first iteration of the action research, the measurement revealed that employees had an inadequate understanding of password creation, safe Internet use, viruses and firewalls, thus highlighting some topics for awareness training. These results also justified to the firm's management the need to allocate resources towards information security awareness and training. The method for measuring employee awareness levels was adapted from Kruger and Kearney's [21] previous research; the details of this method follow in section 4.
The next step would then be to verify whether the current level of information security awareness is acceptable (C3). When conducting the action research, it was found that the level of information security awareness during the first iteration was unsatisfactory and exposed the need for information security awareness campaigns and training. If the levels are unsatisfactory, awareness campaigns and training sessions should be conducted. During the action research, an e-learning based awareness campaign/training was conducted (P4). Its implementation and maintenance are discussed in detail in section 4. The awareness level was measured again after the awareness campaign, and results showed that the knowledge gap was closing, but the results were not yet satisfactory according to the scales used (these will be discussed in the data analysis section). The process was then run again for a second and third iteration. The results of the third iteration were satisfactory and the process was stopped.
INFORMATION SECURITY AWARENESS CAMPAIGN AND TRAINING (P4)
Awareness from a different perspective: "It is believed that about 200 years ago people did not know about the germ theory; they did not know that they should wash their hands and boil surgical tools to limit the spread of disease and infection. Even though people know these things today, do they always wash their hands before eating, or even after doing something crappy?" [39]. Unfortunately, not everyone does so even when they know better. This highlights that the real challenge is not just to teach people, but also to help them change their behaviour. Security knowledge cannot help much if employees do not act on it; therefore, this section provides guidelines for implementing and maintaining comprehensive e-learning information security awareness and training campaigns.
Security awareness and training help in tempering the attitude that security policy is restrictive and interferes with an employee's ability to do his/her work. The better the employees' understanding of information security issues, the more they understand the importance of security and the ways in which security protects them and enables them to do their work in a safer and more effective environment [19].
Information security campaigns are divided into awareness and training. Awareness aims to raise the collective knowledge of information security and its controls, while training aims at facilitating a more in-depth level of employee information security understanding. An effective information security awareness and training programme seeks to explain proper rules of behaviour when using the firm's computer/information systems. The programme communicates information security policies and procedures that need to be followed. Additionally, the campaign imposes sanctions when non-compliance occurs [10].
The BERR 2008 survey [2] suggests that the majority of firms rely upon written materials for training in one form or another. However, merely developing and circulating a policy will not be sufficient to foster appropriate understanding and behaviour. Most companies use the traditional classroom style for awareness and training. However, this study seeks to apply the now widely used, tried and tested e-learning concept to information security awareness and training. Jenkins et al. [16] and Ricer et al. [26] report that there is no significant difference between people who learn using a computer and those who learn in the traditional classroom style in the short- or long-term retention of knowledge.
Additionally, this section introduces the behavioural intention model. This model attempts to explain how employee information security awareness knowledge can affect behavioural intentions (towards policy compliance and positive security culture). Behaviourists believe that employees are born with limited innate reflexes (stimulus-response units that do not need to be learnt) and that all of an employee's complex behaviours are a result of learning through interaction with the environment [47]. Therefore, belief in information security awareness and training should help mould information security behaviour. The information security awareness campaigns and training in P4 of the Information Awareness Process (Figure 1) are based on a behavioural intention model, which is explained next.
Theoretical background of the behavioural intention model
Based on the problems presented in the preceding sections, this section serves to propose, explain and relate the Theory of Reasoned Action (TRA), the Protection Motivation Theory (PMT) and the Behaviourism Theory (BT) to the behavioural intention model.
Theory of Reasoned Action
The TRA model specifically evaluates the relative importance of two motivational components: (1) attitude and (2) subjective norm. It suggests that a person's Behavioural Intention (BI) depends on the person's Attitude (A) about the behaviour and Subjective Norms (SN), i.e. BI = A + SN. Attitude towards behaviour is defined as the individual's positive or negative feelings about performing certain actions. Subjective norm is defined as an individual's perception of whether people important to the individual think the behaviour should be performed. As a general rule, the more favourable the attitude and the subjective norm, the greater the perceived control and hence the stronger the employee's intention to perform the behaviour in question [7]; [17]; [23]; [29].
The Theory of Reasoned Action helps to explain how the employee's attitude towards security and perceived corporate expectations affect the employee's behaviour towards information security. Consequently, the employee's attitude and perceived expectations influence the employee's behavioural intention.
The employee's attitude is affected by cultural, dispositional and knowledge influences. Cultural influences are associated with the employee's background. Dispositional influences are associated with the employee's usual way of doing things. Knowledge influences are associated with the level of knowledge of the subject in question. The employee's attitude can therefore be moulded by information security awareness campaigns and training. The subjective norm is what the employee perceives the firm requires of him/her and the perception of how peers would behave in similar scenarios [9]; [13]; [30]. Corporate expectations can therefore be communicated to employees via information security and training sessions. In summary, information security awareness campaigns will help change employee attitudes towards information security and will assist in communicating the firm's expectations to its employees.
Protection Motivation Theory
Protection Motivation Theory (PMT) was developed by Rogers (1983). It evolved from the expectancy-value theories and the cognitive processing theories; its main goal is to aid and clarify fear appeals. PMT is regarded as one of the highly influential explanatory theories for predicting an employee's intention to behave securely [27]. Information security awareness and training instil knowledge in the employees and help in motivating protection. In that regard, protection motivation is derived from both the threat appraisal and the coping appraisal. Threat appraisal refers to an employee's assessment of the level of danger posed by threatening events [28]; [40]. It is composed of perceived vulnerability and perceived severity.
(i) Perceived vulnerability: an employee's assessment of the chances of threatening events occurring. In this study it refers to threats that occur as a result of ignorance of the firm's information security policy (ISP).
(ii) Perceived severity: the seriousness of the consequences of an event. In this instance, imminent threats to the firm's information security may arise from non-compliance with the firm's ISP.
The coping appraisal aspect of PMT refers to the employee's assessment of his or her ability to handle and evade the potential loss or damage arising from the threat [40]. Coping appraisals are made up of self-efficacy, response efficacy and response cost.
(i) Self-efficacy: this aspect highlights the employee's capability or judgement regarding his or her competence to handle or perform the recommended behaviour. In the context of this paper, it refers to the kinds of skills and actions required to protect the firm's information assets [11]; [30]; [40].
(ii) Response efficacy: this aspect relates to the belief in the perceived benefits of the action taken by the employee [28]. Here, it refers to adherence to the information security policy as being an effective mechanism for detecting a threat to the firm's information assets.
(iii) Response cost: this aspect highlights the perceived opportunity costs in terms of money, time and effort spent carrying out the recommended behaviour, in this case the cost of adhering to the ISP.
Earlier studies that have used PMT found it valuable in predicting behaviours related to an employee's computer security behaviour both at home and in the work situation [9]; [27], as well as Information Security Policy (ISP) compliance [10]; [30].
The Behaviourism Theory ( BT )
Watson came up with the term "behaviourism" [47]. Critical of Wundt's emphasis on internal states, Watson advised psychology to focus on observable, measurable behaviours [47]. Watson alleged that theorising about thoughts, intentions or other subjective experiences was unscientific [47]. Behaviourism as a theory was mainly developed by Skinner [47]. According to Skinner [47], it loosely encompasses the work of other behavioural researchers like Thorndike, Tolman, Guthrie and Hull.
These researchers had similar fundamental assumptions about the methods of learning. These basic assumptions are summarised as follows: first, learning is manifested by a change in behaviour. Second, the environment shapes behaviour. And third, the principles of contiguity (the recommended time span between two events for a bond to be formed) and reinforcement (increasing the probability of an event recurring) are critical to explaining the learning process. For Behaviourism, learning is the acquisition of new behaviours through conditioning.
There are two types of possible conditioning:
(i) Classical conditioning: where the behaviour becomes a reflex response to a stimulus, as in the case of Pavlov's dogs. Pavlov was interested in studying reflexes when he saw that the dogs drooled without the proper stimulus. Although no food was in sight, the dogs still salivated. It turned out that the dogs were reacting to lab coats. Every time the dogs were served food, the person who served the food was wearing a lab coat [49]. Therefore, the dogs reacted as if food was on its way whenever they saw a lab coat. In a series of experiments, Pavlov then tried to figure out how these phenomena were linked. For example, he struck a bell when the dogs were fed. If the bell was sounded in close association with their meal, the dogs learned to associate the sound of the bell with food. After a while, at the mere sound of the bell, they responded by salivating. Pavlov's work laid the foundation for many other psychologists, including Watson's ideas. Watson and Pavlov shared both a disdain for "mentalistic" concepts (such as consciousness) and a belief that the basic laws of learning were the same for all animals, whether dogs or humans [49].
(ii) Operant conditioning: there is reinforcement of a behaviour by a reward or punishment. The theory of operant conditioning was developed by Skinner [47] and is known as Radical Behaviourism. According to Reynold [48], the word 'operant' refers to the way in which behaviour 'operates on the environment'. Briefly, a behaviour may result either in reinforcement, which increases the likelihood of the behaviour recurring, or punishment, which decreases the likelihood of the behaviour recurring. It is important to note that punishment is not considered to be applicable if it does not result in the reduction of the behaviour, and so the terms punishment and reinforcement are determined as a result of the actions. Within this framework, behaviourists are particularly interested in measurable changes in behaviour [48]. In operant conditioning we learn to associate a response (our behaviour) and its consequence and thus to repeat acts followed by good results and avoid acts followed by bad results [48].
The Behavioural Intention Model
Following the preceding discussion, it can be observed that the TRA, PMT or the BT can effect desirable behavioural intention. However, the behavioural intention model in Figure 2 attempts to encourage better behavioural intentions by combining the three theories into one model. The behavioural intention model is explained in this section.
Figure 2: Behavioural intention model (outcome labels: Towards Policy Compliance; Towards Positive Security Culture)
Subjective norms have a positive effect on information security policy (ISP) compliance behavioural intention. TRA indicates that individuals' attitudes impact on behavioural intentions [24]. To that end, a positive attitude toward ISP compliance bodes well for good behavioural intention. Conversely, negative attitudes will diminish an individual's ISP compliance and good behavioural intention. Therefore, individuals with positive beliefs and values about their firm's ISP might display favourable tendencies towards complying with such rules, requirements and guidelines [10]; [13].
Attitude toward Information Security Policy (ISP) compliance will have a positive effect on ISP compliance behavioural intention. With respect to ISP, it is to be expected that individuals with high information security capabilities and competence will appreciate the need to follow organisational ISPs, and such individuals may be better placed to realise the threats of non-compliance [43].
Self-efficacy will have a positive effect on ISP compliance behavioural intention. According to Pahnila et al. [30], response costs may include monetary expense, timing inconveniences, embarrassment or other negative consequences which result from an individual's behaviour. Employees are reluctant to follow or adopt recommended responses if they perceive that a considerable amount of resources, i.e. time, effort and money, will be used in pursuit of a low rewarding goal [8]; [9]. Conversely, if small amounts of resources are required in implementing a measure, it may be adopted [36]; [41]. Reducing the response cost tends to increase the likelihood of an individual performing a recommended behaviour [40]. Past studies have confirmed that response costs are negatively related to intention to use security measures [9]; [41].
Response cost will have a negative effect on ISP compliance behavioural intention because employees usually believe information security measures are difficult and lengthy.
When an individual possesses requisite knowledge about the effectiveness of a recommended coping mechanism in providing protection from a threat or danger, the individual is more likely to adopt an adaptive behaviour [9]; [28]; [40]. If an individual has doubts regarding the effectiveness of a measure, he or she may not readily accept it [18]. Consequently, individuals who believe that their organisation's ISP has guidelines and coping mechanisms to avert threats and dangers in their context are more likely to develop an intention to follow it [10].
Response efficacy will have a positive effect on ISP compliance behavioural intention. In general, when employees perceive a threat, they often adjust their behaviour in response to the level of risk and determine whether they are willing to accept the risk or not [8]; [41]. Thus, an individual's perceived severity tends to be positively linked to their intentions to follow protective actions [36]. If an individual perceives a threat to his or her firm's Information Systems (IS) assets, such an individual will more than likely follow guidelines and requirements laid out in their ISP [13]; [30].
Perceived severity will have a positive effect on ISP compliance behavioural intention with respect to safe computing in the firm; however, individuals who consider themselves immune to security threats are more likely to ignore security measures at work [10]; [13]; [30]. It is reasonable to expect that an individual who perceives high risk to their firm's information system resources will be more likely to adopt protective behaviours.
Therefore, perceived vulnerability will have a positive effect on Information Security Policy (ISP) compliance behavioural intention because employees will be made aware of the vulnerability of the firm's information assets.
Information Dissemination Method (E-Learning)
When information security campaign material based on the needs assessment has been compiled, there is a need to choose a method for communicating the information to the employees. During the action research in this study, an e-learning method was used instead of the conventional classroom style because it provides a configurable infrastructure that integrates learning material, policies and services into a single solution to quickly, effectively and economically create and deliver awareness and training content. E-learning allows employees to train at their own convenience and learn at their own pace. It has also proved to be cheaper than bringing everyone together, in terms of time and money. This section therefore seeks to explain how e-learning can be used as a tool for communicating and testing information security awareness training.
E-learning has grown considerably over the past several years as technology has been integrated into education and training. E-learning may be defined as instruction delivered electronically via the Internet, intranets, or multimedia platforms such as CD-ROM or DVD [35]. The literature review highlighted that research work on e-learning as a tool for information security awareness and training is still in its infancy and that no such tool has been used to date in SMEs.
The e-learning awareness and training programme for this study was designed and developed by the researcher with help from a multimedia designer and a Web page developer using Macromedia Flash, Macromedia Dreamweaver, PDF, PowerPoint, Access, GoldWave and Photoshop software in order to present the programme material in a visual and auditory format. This was presented in the form of a website containing information identified by the needs assessment and the most relevant recent information security topics. Since information security is a diverse area with many topics, the importance of each topic varies from one firm to another depending on the nature of the risks faced, so there is no universal information security awareness training. The training/awareness and testing could be completed in 1-3 hours depending on the speed at which the employee worked. The website for training and awareness was constructed as follows:
Home Page: provides an introduction to information security and the motivation behind the training/awareness campaign. Employees need to be motivated as to why information security is important. The home page then links to the awareness pages.
The Awareness/Training Pages: provide information on topical issues and examples of breaches. These pages contain all the information about information security required by employees.
The Test Page: was used as the data collection tool for acquiring data from the employees; this was used to measure their information security awareness levels.
All the pages had attractive information security pictures/video clips/jokes in an effort to create a more relaxed e-learning environment.
The employees taking part in the study received an email with instructions on how to use the awareness and training material, including a link to the awareness and training website.
E-learning is a broad term and this paper wishes to stimulate the development of E-Awareness initiatives.
MEASURING INFORMATION SECURITY AWARENESS LEVELS (P3)
After the security awareness campaign was launched, it was important to measure its success and draw conclusions from the measured results. Measurement provides evidence of the campaign's effectiveness and reveals where knowledge gaps still exist. Measurements were not limited to a verification of whether the message was received by the target audience, but detected the effectiveness of the message, method and behavioural change.
According to a survey by Richardson [31], 32% do not measure information security awareness in their firms, because there are no commonly agreed and understood standard measurements for the effectiveness of information security awareness campaigns and training. Two distinctive challenges are identified when developing a measurement tool and performing the actual measurements. These challenges are "what to measure" and "how to measure it" [12]; [21].
What to measure:
Kruger and Kearney [21] identified three components to be measured, namely what the employee knows (Knowledge), how they feel about the topic (Attitude), and what they do (Behaviour).
The attitude of employees towards information security is important because unless they believe that information security is important, they are unlikely to work securely, irrespective of how much they know about security requirements. Knowledge is important because even if an employee believes security is important, he or she cannot convert that intention into action without the necessary knowledge and understanding. Finally, no matter what employees believe or know about information security, they will not have a positive impact on security unless they behave in a secure manner. Figure 3 below shows how enhanced security is achieved by correlating attitude, knowledge and behaviour.
Figure 3: Enhanced Security
How to measure:
Measuring such intangibles as Attitudes, Knowledge and Behaviour is difficult. The action research made use of multiple data collection techniques such as assessment tests, online surveys, participant observation, informal interviews and document surveys for gathering data. However, only the results from the online assessment tests were used to calculate security awareness levels; information gathered using the other techniques was only used for needs assessments.
Online surveys and assessment tests enable identification of broad trends [14]. An agreement scale was used to allow employees to indicate degrees of agreement with statements about information security.
The assessment test contained questions that seek to test for knowledge, attitude and behaviour. The following are examples of the questions asked:
Example statement to test knowledge:
Internet access to the firm's systems is a corporate resource and should be used for business purposes only.
1. True 2. False 3. Do not know
Example statement to test attitude:
Laptops are usually covered by existing insurance cover so there is no special need to include them in security policies.
1. True 2. False 3. Do not know
Example statement to test behaviour:
I am aware that one should never give one's password to somebody else – however, my work is of such a nature that I do give my password from time to time to a colleague (only to those I trust!).
1. True 2. False 3. Do not know
DATA ANALYSIS AND RESULTS
The engineering firm where the action research was conducted was established in 1997. It develops designs, plans, models and geotechnical surveys for the clients it consults. It has thirty-two employees, four of whom have no access to the firm's computer resources. This left a sample size of twenty-eight employees. The action research was conducted over a ten-month period from February 2011 to November 2011.
In this action research, the researcher was not regarded as an objective, passive outsider. The firm's management expected him to be an active participant, helping to plan and deliver the training programme and evaluate its results.
When the information security awareness of the employees was measured for the first time during the needs assessment, only 21% (6 employees) had sufficient levels of information security understanding. Table 1 summarises the information security understanding of the employees per iteration.
Employees' understanding level (in the order given): 6 (21%), 18 (64%), 24 (86%), 27 (96%)
Table 1: Employees' information security awareness understanding levels
The number of employees with sufficient levels of information security understanding increased on the second iteration due to an increase in knowledge. The majority of employees had sufficient information security understanding after iteration 2 and 3.
All the employees were shown their test results and the overall group results during each iteration in order to motivate those who had not performed well. However, the number of employees showing sufficient levels of information security understanding is not a true reflection of a firm's overall information security awareness levels; therefore Kruger and Kearney's [21] method of analysing data acquired through the measurement methods discussed in the preceding sections was used. This method involved weighting the three aspects being measured as follows (Figure 4):
Figure 4: Awareness importance scale [21]
This weighting was verified with the Managing Director and the Human Resources Manager of the firm, who agreed that behaviour was the most important measure, followed by knowledge and lastly attitude. The results and importance weightings were processed in a spreadsheet application and the output was finally presented in the form of graphs and awareness maps comparable to those in Kruger and Kearney's study [21]. Table 2 below shows the scale used to interpret the level of awareness. Kruger and Kearney's scale was slightly modified to take into consideration recommendations by the firm's Managing Director. Figure 5 summarises the results categorised by Knowledge, Attitude and Behaviour.
Measurement (%)
Table 2: Awareness level measurement [21]
Figure 5: Results summary
The 78% awareness level in the third iteration was satisfactory and there was no need for a fourth, although it is advisable to run the process at least once a year as the skills and knowledge of the employees may become outdated.
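The weighted calculation described above, which the firm ran in a spreadsheet, can be sketched as follows. This is an added example, not code or data from the study: the 50/30/20 weights are assumed values that only respect the stated ordering (behaviour, then knowledge, then attitude), and the question ids, answer key and responses are constructed.

```python
from collections import defaultdict

# Assumed weights (percent). The text gives only the ordering:
# behaviour first, then knowledge, then attitude.
WEIGHTS = {"behaviour": 50, "knowledge": 30, "attitude": 20}

# Constructed answer key: question id -> (dimension, desired answer).
ANSWER_KEY = {
    "K1": ("knowledge", "true"), "K2": ("knowledge", "false"),
    "A1": ("attitude", "false"), "A2": ("attitude", "true"),
    "B1": ("behaviour", "false"), "B2": ("behaviour", "true"),
}

# Constructed responses, one dict per employee ("dont_know" is option 3).
SAMPLE_RESPONSES = [
    {"K1": "true", "K2": "false", "A1": "false", "A2": "true", "B1": "false", "B2": "true"},
    {"K1": "true", "K2": "false", "A1": "true", "A2": "true", "B1": "true", "B2": "true"},
    {"K1": "true", "K2": "dont_know", "A1": "false", "A2": "dont_know", "B1": "false", "B2": "false"},
    {"K1": "false", "K2": "false", "A1": "false", "A2": "true", "B1": "true"},  # B2 skipped
]

def dimension_scores(responses):
    """Percentage of desired answers per dimension over all employees."""
    if not responses:
        raise ValueError("no responses to score")
    hits, asked = defaultdict(int), defaultdict(int)
    for answers in responses:
        for qid, (dimension, desired) in ANSWER_KEY.items():
            asked[dimension] += 1
            # A skipped question or "dont_know" never counts as desired.
            if answers.get(qid, "dont_know") == desired:
                hits[dimension] += 1
    return {d: 100 * hits[d] / asked[d] for d in WEIGHTS}

def overall_awareness(scores):
    """Weighted awareness level in percent."""
    return sum(WEIGHTS[d] * scores[d] for d in WEIGHTS) / sum(WEIGHTS.values())

def weakest_dimension(scores):
    """Dimension the next campaign iteration should target first."""
    return min(scores, key=scores.get)

if __name__ == "__main__":
    scores = dimension_scores(SAMPLE_RESPONSES)
    print(scores, overall_awareness(scores), weakest_dimension(scores))
```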
It was possible to measure the effectiveness of the information security awareness training by using tools and methods outlined by Kruger and Kearney [21]. These enabled the firm to assess the extent to which awareness activities had impacted on behaviour, attitude and knowledge and hence whether or not the initial training objectives had been met.
This study confirmed that having and implementing an information security policy does not automatically guarantee that all employees will understand their role in ensuring the security and safeguarding of information assets. It is therefore critical to design and align an information security awareness campaign to the information security policy's high-level goals, objectives and requirements.
The findings of the study support the Theory of Reasoned Action (TRA), the Protection Motivation Theory (PMT) and the Behaviourism Theory (BT). Awareness campaigns were aimed at communicating the firm's stance (subjective norm) on information security, threat appraisal and coping appraisal, in an effort to mould the employees' attitude towards positive behavioural intention. The results showed that an increase in knowledge made a positive change in attitude and behaviour.
However, it was discovered that even though their security knowledge levels were initially very low, the employees had a positive attitude towards securing the firm's information assets. They did not, however, have the skills and knowledge to behave in a secure manner, confirming that the risk to which employees expose a firm is indeed due to unintentional naïve mistakes, as was revealed by the literature.
What is disappointing is that although knowledge increased dramatically during the iterations, the increase in attitude was marginal. This could be because employees have a certain attitude towards the firm and this attitude cannot be altered by information security awareness alone.
The study revealed that information security awareness programmes require the largest portion of the information security budget, which should be channelled to the design and implementation of an information security awareness campaign. This supports the findings of Voss [46]. It was revealed that the general costs of running information security awareness campaigns and training can be divided into direct and indirect costs.
Direct costs:
• Salary/incentives for the security awareness coordinator or team;
• Training, including instructor fees and room rentals (in the case of classroom-style training); and
• Materials, such as slides, web design, videos, posters, hand-outs and gadgets.
Indirect costs:
• Time spent by other employees or departments involved in promoting security awareness; and
• Time spent by the target audience on courses and training.
Making use of e-learning campaign methods significantly reduced the costs of running the awareness campaign. Direct costs involved only the website design cost and the firm's in-house technician, who was trained on updating and maintaining the website thereafter. Indirect costs reduced as employees took the courses during times they were not busy, reducing the chance of productive time being lost.
While carrying out the action research, the objectives were to refine and validate the process and change the behaviour of the employees at the particular SME. However, good information security behaviour cultivates an unannounced information security culture. Hence it can be concluded that good information security awareness campaigns will eventually result in a positive information security culture.
[Figure 6 labels: Information Security Awareness Campaigns; Information Security Knowledge; Information Security Behaviour; Information Security Culture]
Figure 6: From information security awareness to information security culture
This paper was conceived against the background of efforts made by SME firms to protect their information assets. This paper introduced an information security awareness process, which included behavioural intention models based on three persuasive theories, i.e. the Theory of Reasoned Action, the Protection Motivation Theory and the Behaviourism Theory. The research findings showed that information security awareness levels greatly influence behavioural intentions.
The information security awareness process and behavioural intention model were verified through expert review, initially by nine information security experts. Additionally, they were refined and validated through action research. After the action research, three more experts reviewed the process and model against the results from the empirical work to further validate them. The information security process yielded positive information security behaviour from employees at the action research host firm during all iterations. The researcher is therefore almost certain that similar results would be achieved if the process and model were put into effect at SMEs with similar characteristics to the one where the study was conducted.
The authors recognise that although e-learning is not a novel idea, it is a relatively new aspect in the field of information security and has great potential to increase e-security awareness initiatives. This study area will become more apparent as e-learning within information security expands. Relating to that, this study has been able to promote e-learning as an effective type of learning compared to the traditional classroom style of learning.
This research study explored the risks posed by the uninformed naïve employee to SME firms' information assets. However, the risks posed by the malicious insider as well as the outsider still require further exploration.