A study of information security awareness in Australian government organisations

Purpose – The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations.

Design/methodology/approach – A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants across the three organisations. This was complemented by interviews with senior management from these agencies.

Findings – Overall, management and employees had reasonable levels of InfoSec awareness. However, weaknesses were identified in the use of wireless technology, the reporting of security incidents and the use of social networking sites. These weaknesses were identified in the survey data of the employees and corroborated in the management interviews.

Research limitations/implications – As with all such surveys, responses to the questions on attitude and behaviour (but not knowledge) may have been influenced by the social desirability bias. Further research s...
