Information security competence test with regards to password management

It is widely acknowledged that when it comes to IT security the human factor is usually the weakest link. In an effort to strengthen this link, most CIOs are embracing the deployment of security awareness programmes. It is accepted that these programmes can create an information security-aware culture in which security risks are reduced. Even though work has been done to ensure that these programmes include mechanisms for changing behaviour and reinforcing good security practices, there is a lack of work on measuring their effectiveness. Competence-based questions have long been used in HR to select employees with the skills necessary to perform effectively in a job. Competence-based tests focus mainly on the behaviours and traits critical for success on the job and on how these have been demonstrated in the past. This paper describes an approach that uses competency-based behavioural questions to measure security competence levels at a university with regard to password management. A sample of 140 students participated in the study. The findings revealed that even though students were aware of the procedures, many failed to follow them. For example, 48.6% of students would share their passwords even though they knew it was wrong. A positive relationship was also found between year of study and the creation of strong passwords (n=140; r=+0.268; p=0.007).
