The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies

Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information Security Questionnaire (HAIS-Q) as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q performed better in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.