Investigating Information Security Awareness: Research and Practice Gaps

ABSTRACT The aim of this survey is largely exploratory: to discover patterns and trends in the way that practitioners and academics alike tackle the security awareness issue, and to better understand why security awareness practice remains an unsolved problem. Open coding analysis was performed on numerous publications (articles, surveys, standards, reports and books). A classification scheme of six categories of concern (e.g., terminology ambiguity) emerged from the content analysis, and the selected publications were classified according to it. The paper identifies ambiguous aspects of current security awareness approaches, and the proposed classification provides a guide to the range of options available to researchers and practitioners when they design their research and practice on information security awareness.
