Information security awareness in a developing country context: insights from the government sector in Saudi Arabia

Purpose
The purpose of this paper is to increase understanding of employee information security awareness in a government sector setting and illuminate the problems that public sector organisations in a developing context face when seeking to establish an information security awareness programme.

Design/methodology/approach
An interpretive research design was followed to develop an empirically enriched understanding of information security awareness perceptions, aspirations, challenges and enablers in the context of Saudi Arabia as a developing country. The study adopts a single-case study approach, including face-to-face interviews with senior employees, as well as document analysis.

Findings
The paper theorises the importance of individual information security awareness, knowledge and behaviour and identifies a number of facilitating conditions: customisation to employee and organisational needs, interactivity, innovation, frequency, integration of both electronic and physical learning resources and rewarding the acquisition of in-depth security-related actionable knowledge.

Originality/value
This study is one of the first to examine information security awareness as a socio-technical process within a government sector organisation in a developing country context.
