By: Zulhemay, M. N., Rohana, M. R., Zakaria, O.
FSTP, UPNM, Kuala Lumpur, Malaysia.
• The evolution of economy
• The K-economy utilises information as the key material to operate and survive in the market.
• The economy has switched from being organised around the flow of things and money to the flow of information (Drucker, 1992).
• Information is a vital asset to an organisation, so securing information is paramount to the company; information security is a business process (Pipkin, 2000).
Stages of the economy shown on the slide: Agriculture, Industrial, Knowledge.
[Figure 1: The relationship between organisation and information security. Diagram labels: Organisation, Utilise, Information, Protect by, Information Security.]
Towards a Structured Information Security Awareness Programme
[Figure 2: Approaches in information security. Diagram labels: Information Security; Approaches: technical solutions and social-technical solutions; examples of the solutions: firewall, antivirus software, biometrics (technical); awareness, training, education (social-technical).]
• This paper reviews the relevant literature on Information Security Awareness (ISA) and suggests a structured approach to ISA programmes for organisations.
• It adapts the Information Security (IS) process by Pipkin (2000).
• The IS process can give a general idea of security knowledge.
• Security knowledge can help to reduce security incidents.
• A conceptual framework based on the IS process is proposed to increase IS in organisations.
• Content
  • The information on how the desired results are to be achieved in practice (M. Siponen, 2006).
  • E.g., Johnson (2006) suggests ideas on how to switch security awareness into a better programme and highlights important issues such as changing employees' perception of security, the topics that should be covered in an awareness programme, the need to measure the effectiveness of the programme, and security guidance.
  • Rezgui and Marks (2008) indirectly provide content for awareness programmes by exploring the factors that contribute to the security awareness of staff in higher education, and give a number of recommendations to promote security awareness. These recommendations are an example of ‘how the desired results are to be achieved’ in promoting an awareness programme.
• Evaluation
  • Several authors acknowledge the significance of evaluating awareness programmes as a way to better secure information assets (e.g., Albrechtsen & Hovden, 2010; Eminağaoğlu, Uçar, & Eren, 2009; H. Kruger, Drevin, & Steyn, 2006; H. Kruger & Kearney, 2005).
  • E.g., Alarifi et al. (2012) study the awareness level among the public in Saudi Arabia using an online survey.
  • Without measurement, rating, metrics, or indicators, one cannot demonstrate the value of the information security effort, especially to top-level management (Eminağaoğlu et al., 2009; Herold, 2011).
• Framework
  • Provides the relationships among the variables, explains the theory and describes the direction of the relationships (Sekaran, 2007).
  • Aggeliki, Maria, Spyros, and Evangelos (2012) analysed why security awareness and training in the company failed to meet their goals, and provide a framework that enables the analysis of awareness activities using actor network theory (ANT).
  • Zakaria (2013) adapts Schein’s organisational culture model to establish a security culture. In addition, the research concludes that one of the prerequisites for establishing a security culture in an organisation is having a structured security awareness programme.
  • H. Kruger et al. (2006) and Thomson and Von Solms (1998) utilise a social psychology model in security awareness. Chan and Wei (2009) use an educational psychology approach called conceptual change to embed awareness in students.
• Tools
  • In terms of this study, a device or implement to carry out a particular function.
  • E.g., knowledge about information security is delivered through game play (Chun-Che, Khera, Depickere, Tantatsanawong, & Boonbrahm, 2008; Cone, Irvine, Thompson, & Nguyen, 2007). The game is therefore a tool to deliver the awareness message.
  • Based on our analysis, another popular tool developed by researchers is the web-based application, such as an online portal, intranet or online learning, as presented in (Chen, Shaw, & Yang, 2006; Shaw, Chen, Harris, & Huang, 2009).
• The themes provide us with several approaches to the effectiveness of information security awareness. However, there is no research that provides a framework for an information security awareness programme based on information security processes.
• By identifying several themes of information security awareness strategy in the previous section, we have managed to prove that the human dimension of information security, such as awareness, is not being neglected, at least in the academic field. In fact, the significance of the human dimension of information security, such as awareness programmes, has been acknowledged in much of the literature.
• Nevertheless, this work has gone quite far without noticing the absence of a realistic function, which is to introduce information security to the audience. As a result, only a few security elements are covered in awareness programmes, and they are not structured according to the proper chronology of information security processes. They are also not comprehensive, in that they do not cover all aspects of information security processes. Only favourite topics are addressed, based on previous issues faced by the organisation or picked at random by the consultant or security officer.
INSPECTION, PROTECTION, DETECTION, REACTION, REFLECTION
• Inspection is a process of regulating and appraising the relevant security level in the organisation.
• Protection is a proactive process that enforces a secure environment at the appropriate level.
• Detection is a reactive process that identifies any appropriate events.
• Reaction is a response process to a security incident.
• Reflection is a follow-up process that evaluates the existing implementation of a security system.
[Figure 3. A structured information security awareness framework. Diagram labels: Adapt Pipkin’s information security processes; Structured security awareness in organisation; Challenges / Gap; Information security risks; A structured information security awareness programme principles; An ideal situation (employees aware on security processes; employees can perform security tasks); Establish basic security knowledge; Appropriate security practices. Arrow labels: Determine, Leads to, Develop, Revisited, Yes, No.]
• We analyse and discuss the implications of the current approaches and contribute to the body of knowledge by locating a structured information security awareness.
• This study adapts Pipkin’s (2000) security processes into a structured security awareness conceptual framework to investigate awareness programme challenges within an organisation.
• Pipkin’s security processes were chosen based on the theory developed by Zakaria (2013), in which basic security knowledge can further help to increase awareness amongst employees at all levels of their security responsibilities and promote a collective security responsibility.
• To enable employees to internalise security knowledge, organisations need to establish appropriate (structured) information security awareness programmes.
Alarifi, A., Tootell, H., & Hyland, P. (2012, 26-28 June 2012). A study of information security awareness and practices in Saudi Arabia. Paper presented at the Communications and Information Technology (ICCIT), 2012 International Conference on.
Albrechtsen, E., & Hovden, J. (2010). Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers & Security, 29(4), 432-445. doi: 10.1016/j.cose.2009.12.005
Anggeliki, T., Maria, K., Spyros, K., & Evangelos, K. (2012). Analyzing trajectories of information security awareness. Information Technology & People, 25(3), 327-352. doi: 10.1108/09593841211254358
Chen, C. C., Shaw, R. S., & Yang, S. C. (2006). Mitigating Information Security Risks by Increasing User Security Awareness: A Case Study of an Information Security Awareness System. Information technology learning and performance journal, 24(1), 1-14.
Chun-Che, F., Khera, V., Depickere, A., Tantatsanawong, P., & Boonbrahm, P. (2008, 26-29 Feb. 2008). Raising information security awareness in digital ecosystem with games - a pilot study in Thailand. Paper presented at the Digital Ecosystems and Technologies, 2008. DEST 2008. 2nd IEEE International Conference on.
Cone, B. D., Irvine, C. E., Thompson, M. F., & Nguyen, T. D. (2007). A video game for cyber security training and awareness. Computers & Security, 26(1), 63-72. doi: 10.1016/j.cose.2006.10.005
Drucker, P. F. (1992). The Economy’s Power Shift. The Wall Street journal. Eastern edition.
Eminağaoğlu, M., Uçar, E., & Eren, Ş. (2009). The positive outcomes of information security awareness training in companies – A case study. Information Security Technical Report, 14(4), 223-229. doi: 10.1016/j.istr.2010.05.002.
Herold, R. (2011). Managing an information security and privacy awareness and training program. Information Security Management Handbook (2nd ed.). Boca Raton, Fla.: CRC Press.
Johnson, E. C. (2006). Security awareness: switch to a better programme. Network Security, 2006(2), 15-18.
Kruger, H., Drevin, L., & Steyn, T. (2006). A framework for evaluating ICT security awareness. Paper presented at the Proceeding of the Information Security South Africa (ISSA), Johannesburg, South Africa.
Kruger, H., & Kearney, W. (2005). Measuring information security awareness: a west africa gold mining environment case study. Paper presented at the Proceedings of the ISSA 2005 New Knowledge Today Conference, Balalaika Hotel, Sandton, South Africa 2005. http://icsa.cs.up.ac.za/issa/2005/Proceedings/Full/018_Article.pdf.
Pipkin, D. L. (2000). Information security: Protecting the global enterprise. Upper Saddle River, New Jersey: Prentice Hall.
Rezgui, Y., & Marks, A. (2008). Information security awareness in higher education: An exploratory study. Computers & Security, 27(7–8), 241-253. doi: http://dx.doi.org/10.1016/j.cose.2008.07.008
Sekaran, U. (2007). Research Methods for Business (4th ed.). New Delhi: Wiley India.
Siponen, M. (2006). Information security standards focus on the existence of process, not its content. Commun. ACM, 49(8), 97-100. doi: 10.1145/1145287.114531.
Shaw, R. S., Chen, C. C., Harris, A. L., & Huang, H.-J. (2009). The impact of information richness on information security awareness training effectiveness. Computers & Education, 52(1), 92-100. doi: http://dx.doi.org/10.1016/j.compedu.2008.06.011
Zakaria, O. (2013). Information Security Culture: A Human Firewall Approach. German: Lambert Academic Publishing.

