Lessons Learned from an Organizational Information Security Awareness Campaign

Educating end users to improve information security awareness plays an important part in securing organizational environments. While best-practice standards provide a set of minimum information security awareness controls that should be implemented, they give little guidance on how to implement those controls so that the training is effective. This research defined and evaluated a method for implementing an information security awareness campaign (ISAC) within an organization. The method is based on prior research and standards, and assists the organization in improving its ISAC through the creation of artefacts and measurement techniques. A design science research approach with several research cycles was used to design the method. The method was implemented within an organization and evaluated on the impact, effectiveness and results of each step, as well as on feedback from participants (two questionnaires, completed by 47 and 36 employees respectively). The research found both positive and negative results: certain steps within the method proved time-consuming and confusing to some participants. Although improvements can be made, the method was found to be adequate, as it achieved the required objective within the organization and provided the organization with a risk-based method and a visual representation for measuring awareness of specific information security topics. The results of the study not only provided value to the organization but also provide a validated method for implementing an ISAC that could be applied in other contexts.