Test-retest reliability and internal consistency of the Human Aspects of Information Security Questionnaire (HAIS-Q)

This paper reports on an evaluation of the test-retest reliability and internal consistency of the Human Aspects of Information Security Questionnaire (HAIS-Q), a measure designed to capture an individual’s knowledge, attitude and self-reported behaviour towards information security in the workplace. The analyses focused on responses from 197 working Australians, who completed two iterations of the HAIS-Q, approximately four weeks apart. The HAIS-Q showed significant test-retest correlations and high internal reliability levels. The results of this study demonstrated that the HAIS-Q possesses both external reliability and internal consistency, and can therefore be used as a reliable measure of information security awareness. The HAIS-Q can be used within organisations to measure the effectiveness and impacts of training interventions and information security awareness programs, and to determine the impact of security incidents and cultural changes.
