Enhancing information security education and awareness: Proposed characteristics for a model

The use of models has been one of the prevalent approaches to enhancing information security education and awareness in existing literature. Models provide step-by-step problem-solving opportunities and are thus essential in security education and awareness activities. This paper categorizes models for enhancing security education and awareness by stakeholder domain: End-Users, Institutions and Industry. Analysis of the literature on information security education and awareness indicates that approaches for enhancing end-users' security knowledge do exist, as do models for promoting organizational security knowledge in the industry domain. However, only one model was found for enhancing the security knowledge of employees in the institutions domain. This paper therefore describes a gap identified in the existing information security education and awareness models and presents the characteristics required for developing models that bridge this gap in the institutions domain. The paper also evaluates and compares the characteristics of existing models in order to identify those most relevant to a new model, and presents them. This was done through a review of existing literature on information security education and awareness models and a comparative analysis of the models identified in the three domains.
