Paper presented by Mohd Nabil Zulhemay, Rohama Mohamad Rashid and Omar Zakaria at the 4th PERPUN International Conference 2015: Information Revolution, 11-12th August 2015 at Avillion Legacy Hotel, Melaka.
Towards a Structured Information Security Awareness Programme
1. By: Zulhemay, M. N., Rohana, M. R., Zakaria, O.
FSTP, UPNM, Kuala Lumpur, Malaysia.
2. • The evolution of the economy
• The K-economy utilises information as the key material to operate and survive in the market.
• The economy has switched from being organised around the flow of things and money to the flow of information (Drucker, 1992).
• Information is a vital asset to an organisation; securing information is paramount to the company, and information security is a business process (Pipkin, 2000).
(Diagram: the evolution of the economy from Agriculture to Industrial to Knowledge.)
7. • This paper reviews the relevant literature on Information Security Awareness (ISA) and suggests a structured approach to an ISA programme for organisations.
• It adapts the Information Security (IS) process by Pipkin (2000).
• The IS process can give a general idea of security knowledge.
• Security knowledge can help to reduce security incidents.
• A conceptual framework is proposed, based on the IS process, to increase IS in organisations.
8. • Content
• The information on how the desired results are to be achieved in practice (M. Siponen, 2006).
• E.g., Johnson (2006) suggests ideas on how to switch security awareness into a better programme and highlights important issues such as changing employees' perception towards security, the topics that should be covered in an awareness programme, the need for measuring the effectiveness of the programme, and security guidance.
• Rezgui and Marks (2008) indirectly provide content for an awareness programme by exploring the factors that contribute to the security awareness of staff in higher education, and provide a number of recommendations to promote security awareness. These recommendations are an example of 'how the desired results are to be achieved' in promoting an awareness programme.
9. • Evaluation
• Several authors acknowledge the significance of evaluating an awareness programme as a way to better secure information assets, as presented in a number of works (e.g., Albrechtsen & Hovden, 2010; Eminağaoğlu, Uçar, & Eren, 2009; H. Kruger, Drevin, & Steyn, 2006; H. Kruger & Kearney, 2005).
• E.g., Alarifi et al. (2012) studied the awareness level among the public in Saudi Arabia using an online survey.
• Without measurement, rating, metrics, or indicators, one cannot demonstrate the value of the information security effort, especially to top-level management (Eminağaoğlu et al., 2009; Herold, 2011).
10. • Framework
• Provides the relationships among the variables, explains the theory and describes the direction of the relationships (Sekaran, 2007).
• Aggeliki, Maria, Spyros, and Evangelos (2012) analysed why security awareness and training in a company failed to meet their goals and provided a framework that enables the analysis of awareness activities using actor network theory (ANT).
• Zakaria (2013) adapts Schein's organisational culture model to establish a security culture. In addition, the research concludes that one of the prerequisites for establishing a security culture in an organisation is having a structured security awareness programme.
• H. Kruger et al. (2006) and Thomson and Von Solms (1998) utilise social psychology models in security awareness. Chan and Wei (2009) use an educational psychology approach called conceptual change to embed awareness in students.
11. • Tools
• In terms of this study, a tool is a device or implement used to carry out a particular function.
• E.g., knowledge regarding information security is delivered through game play (Chun-Che, Khera, Depickere, Tantatsanawong, & Boonbrahm, 2008; Cone, Irvine, Thompson, & Nguyen, 2007). A game is therefore a tool to deliver the awareness message.
• Based on our analysis, another popular tool developed by researchers is the web-based application, such as online portals, intranets and online learning, as presented in Chen, Shaw, and Yang (2006) and Shaw, Chen, Harris, and Huang (2009).
13. • The themes provide us with several approaches towards the effectiveness of information security awareness. However, no research provides a framework for an information security awareness programme based on information security processes.
• By identifying several themes of information security awareness strategy in the previous section, we demonstrate that the human dimension of information security, such as awareness, is not being neglected, at least in the academic field. In fact, the significance of the human dimension of information security, such as awareness programmes, has been acknowledged in many works.
• Nevertheless, it has gone quite far without noticing the absence of a realistic function, which is to introduce information security to the audience. As a result, only a few security elements are covered in awareness programmes, and they are not structured according to the proper chronology of information security processes. They are also not comprehensive, in that they do not cover all aspects of the information security processes. Only favourite topics are considered, based on previous issues faced by the organisation or randomly picked by the consultant or security officer.
14. The five information security processes: Inspection, Protection, Detection, Reaction, Reflection
• Inspection is a process of regulating and appraising the relevant security level in the organisation.
• Protection is a proactive process that enforces a secure environment at the appropriate level.
• Detection is a reactive process that identifies any inappropriate events.
• Reaction is a response process to a security incident.
• Reflection is a follow-up process that evaluates the existing implementation of a security system.
15. Figure 3. A structured information security awareness framework (diagram). Elements shown: adapt Pipkin's information security processes; structured security awareness in organisation; challenges / gap; information security risks; a structured information security awareness programme principles; an ideal situation in which employees are aware of security processes and can perform security tasks; establish basic security knowledge; appropriate security practices; a Yes/No decision point; relations labelled Determine, Leads to, Develop and Revisited.
16. • We analysed and discussed the implications of the current approaches and contribute to the body of knowledge by locating a structured information security awareness.
• This study adapts Pipkin's (2000) security processes into a structured security awareness conceptual framework to investigate awareness programme challenges within an organisation.
• Pipkin's security processes were chosen based on the theory developed by Zakaria (2013), where basic security knowledge can further help to increase awareness amongst all levels of employees of their security responsibilities and promote a collective security responsibility.
• In order to enable employees to internalise security knowledge, organisations need to establish appropriate (structured) information security awareness programmes.
17. References
Alarifi, A., Tootell, H., & Hyland, P. (2012, 26-28 June 2012). A study of information security awareness and practices in Saudi Arabia. Paper presented at the Communications and Information Technology (ICCIT), 2012 International Conference on.
Albrechtsen, E., & Hovden, J. (2010). Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers & Security, 29(4), 432-445. doi: 10.1016/j.cose.2009.12.005
Anggeliki, T., Maria, K., Spyros, K., & Evangelos, K. (2012). Analyzing trajectories of information security awareness. Information Technology & People, 25(3), 327-352. doi: 10.1108/09593841211254358
Chen, C. C., Shaw, R. S., & Yang, S. C. (2006). Mitigating Information Security Risks by Increasing User Security Awareness: A Case Study of an Information Security Awareness System. Information Technology, Learning and Performance Journal, 24(1), 1-14.
Chun-Che, F., Khera, V., Depickere, A., Tantatsanawong, P., & Boonbrahm, P. (2008, 26-29 Feb. 2008). Raising information security awareness in digital ecosystem with games - a pilot study in Thailand. Paper presented at the Digital Ecosystems and Technologies, 2008. DEST 2008. 2nd IEEE International Conference on.
Cone, B. D., Irvine, C. E., Thompson, M. F., & Nguyen, T. D. (2007). A video game for cyber security training and awareness. Computers & Security, 26(1), 63-72. doi: 10.1016/j.cose.2006.10.005
Drucker, P. F. (1992). The Economy's Power Shift. The Wall Street Journal, Eastern edition.
Eminağaoğlu, M., Uçar, E., & Eren, Ş. (2009). The positive outcomes of information security awareness training in companies – A case study. Information Security Technical Report, 14(4), 223-229. doi: 10.1016/j.istr.2010.05.002
Herold, R. (2011). Managing an information security and privacy awareness and training program. In Information Security Management Handbook (2nd ed.). Boca Raton, Fla.: CRC Press.
Johnson, E. C. (2006). Security awareness: switch to a better programme. Network Security, 2006(2), 15-18.
Kruger, H., Drevin, L., & Steyn, T. (2006). A framework for evaluating ICT security awareness. Paper presented at the Proceedings of the Information Security South Africa (ISSA), Johannesburg, South Africa.
Kruger, H., & Kearney, W. (2005). Measuring information security awareness: a West Africa gold mining environment case study. Paper presented at the Proceedings of the ISSA 2005 New Knowledge Today Conference, Balalaika Hotel, Sandton, South Africa, 2005. http://icsa.cs.up.ac.za/issa/2005/Proceedings/Full/018_Article.pdf
Pipkin, D. L. (2000). Information security: Protecting the global enterprise. Upper Saddle River, New Jersey: Prentice Hall.
Rezgui, Y., & Marks, A. (2008). Information security awareness in higher education: An exploratory study. Computers & Security, 27(7–8), 241-253. doi: http://dx.doi.org/10.1016/j.cose.2008.07.008
Sekaran, U. (2007). Research Methods for Business (4th ed.). New Delhi: Wiley India.
Siponen, M. (2006). Information security standards focus on the existence of process, not its content. Commun. ACM, 49(8), 97-100. doi: 10.1145/1145287.114531.
Shaw, R. S., Chen, C. C., Harris, A. L., & Huang, H.-J. (2009). The impact of information richness on information security awareness training effectiveness. Computers & Education, 52(1), 92-100. doi: http://dx.doi.org/10.1016/j.compedu.2008.06.011
Zakaria, O. (2013). Information Security Culture: A Human Firewall Approach. Germany: Lambert Academic Publishing.