Assessment of Security Awareness: A Qualitative and Quantitative Study

IntroductionWith the significant increase in the number of cybercrime attacks around the world, information security becomes a vital issue and a huge challenge for global as well as local organizations. Information security stems from ensuring that employees in the organization are aware of the importance of security and its different facets. Protecting against security risks and attacks is only one part of the scope and objective of security (Dahbur, Isleem, & Ismail, 2012). The scope and objectives of security also include, but are not limited to, the design, implementation, enforcement of security policies, establishing and conducting training programs to encourage security awareness, and ensuring that all physical security controls are designed and employed properly within the organization (Barrett, 2003) (Dolan, 2004).Security awareness can be critical for the existence of organizations. Even though many organizations spend considerable amounts of money, effort, and time to secure their data, the threats to their security still pose a huge challenge. The information security of many organizations continues to be compromised by hackers using new techniques, such as "Zero-Day Attacks" (Hammarberg, 2014). But people are still considered a first point of attack because attacking through "human element" is much easier than spending time looking for vulnerabilities in the systems. Consequently, people are the first point of defense; therefore, it is essential to assess and develop their security awareness (Aloul, 2012). It is important for organizations to understand that just as the "human element" is considered their largest asset, it should also be recognized as their significant security risk (Parsons, McCormac, Butavicius, & Ferguson, 2010).Security awareness at an individual user level has been advocated by many authors (Veltsos, 2016) (Mataracioglui & Ozkan, 2010) (Applegate, 2009), the "Big Four" companies (Earnest and Young, Deloitte, KPMG, and PWC), as well as many professional organizations such as SANS, ISACA, and ISC2. Many have also reported that the "human element" is still considered the weakest link in the security equation because it can be exploited by attackers easily (Spears & Barki, 2010) (Goodchild, 2010) (Hasan, Prajapati, & Vohara, 2010). Sophisticated technologies are not likely to prevent cyber attacks if the employees are not "aware" of the security issues and measures. The words "Aware" or "Awareness" will be used throughout this paper to imply that an important part, of the "Confidentiality, Integrity and Availability (CIA)" security principles, is to continuously educate and train employees about the latest development in the field of information security as it relates to their organizational environment.In general, organizations must contemplate the following main elements when considering security awareness:(1) People: The right employees should be positioned in the right roles and charged with right responsibilities. Employees must also be educated and trained to enhance their knowledge, skills, and attitude with regards to security.(2) Technology: Technology must be up-to-date, in addition to being user-friendly as employees must be trained on the technology based on their roles and responsibilities. Technology should also be selected and configured properly to implement the functionality and the security features.(3) Processes and Procedures: Processes must be designed and implemented to regulate the use of technology by employees based on their roles and responsibilities. Procedures must be defined and implemented per the guidelines of best-practices to promote the effectiveness of the processes.(4) Policies: Policies must be clearly defined, using high-level statements that all employees can understand, to achieve the security objectives of the organization. Management must also be committed to the enforcement of the policies to ensure organizational compliance and their effectiveness. …