2017 | 8 | No. 1 | 78--85
Article title

Forming the Awareness of Employees in the Field of Information Security

Publication languages
EN
Abstracts
EN
Research purpose: The aim of this study is to present the essence and importance of information security awareness in the organisation and to analyse selected methods used in forming employee awareness in terms of information security.

Methodology/approach: This paper is based on literature studies and available reports.

Findings: The presented paper suggests that in order to create a positive change in the organisation, information security training should focus on the attitude and behavior of employees. Concentration is primarily about what they do and how their actions affect the results. In order to minimise the risk of data breaches, often resulting from human error, training methods must meet the needs of today's employees. Effective information security awareness strategies should address the needs of both the organisation itself and the learning people.

Limitations/implications: The study is based on theoretical analysis, indicating the need to conduct further empirical research.

Originality/value: The main value of the study is to clarify the need for forming employees' awareness of information security while indicating a number of available methods enabling the implementation of awareness programs in the organisation. (original abstract)
Volume
8
Pages
78--85
Authors
  • Nicolaus Copernicus University in Toruń, Poland
Document type
Bibliography
Identifiers
YADDA identifier
bwmeta1.element.ekon-element-000171481928
