wiki.cis.unisa.edu.au€¦ · web viewspecial thanks go to my research supervisor dr sameera...
TRANSCRIPT
Information Security Awareness Levels of TAFE South Australia Employees
Minor Thesis
Submitted - 30/11/2011
Revised - 27/12/2011
Hong Chan
00069566
Supervised by Dr Sameera Mubarak
Bachelor of Information Technology (Honours)
School of Computer and Information Science
University of South Australia
DeclarationI declare that this thesis does not incorporate without acknowledgment any material
previously submitted for a degree or diploma in any university, and that to the best of
my knowledge it does not contain any materials previously published or written by
another person except where due reference is made in the text.
Hong Chan – 27/12/2011
i
AcknowledgementSpecial thanks go to my research supervisor Dr Sameera Mubarak for her valuable
guidance and insights into research methodologies and the research topic in question.
Thanks also go to Dr Jiuyong Li for letting me know that the success of any research
project is positively related to keeping the research supervisor happy. Here is to hoping
that Sameera is still happy.
At the TAFE SA end, I would like to thank Elaine Bensted, Chief Executive of the Office of
TAFE SA, for allowing the research to be conducted. I would also like to thank Michael
King for assisting with the distribution of the online questionnaire.
Last but not least, I would like to thank Leanne Brookes, my manager and the TAFE SA
Web Services team for allowing me to take time off during critical times to meet my
research commitments.
ii
AbstractVarious literature and studies relating to information security emphasise the
importance of information security awareness of employees in maintaining any
organisational wide information security implementations or measures. It is widely
accepted that information security awareness is an important contributing factor for a
successful information security plan and should be properly assessed in order to
suggest improvements.
While it has been established that it is important for staff from within all levels of the
organisation to have greater information security awareness, there is clearly a gap
within current literature and studies in that there has been very small amounts of
studies which looked into information security awareness in an Australian context.
This explorative study directly investigated and assessed the employee information
security awareness levels within TAFE South Australia for the purpose of providing
much needed insight into the extent of information awareness levels in Australian
organisations.
Using an online questionnaire, the study revealed that TAFE South Australia’s employee
information security awareness were generally lacking. The study also identified
several problem areas which had plenty of room for improvements, thus paving the way
for further research into how information security awareness levels can be improved.
It is recommended that TAFE South Australia include information security awareness as
part of its overall risk assessment strategies in order to mitigate such risks. Finally, the
adoption of programs which will enhance security awareness should also be explored in
order to foster an organisational culture of security compliance, thereby minimising any
information security risks.
iii
Table of Contents
Declaration.............................................................................................................................................................. i
Acknowledgement.............................................................................................................................................. ii
Abstract.................................................................................................................................................................. iii
List of Tables....................................................................................................................................................... vii
1. Introduction..................................................................................................................................................... 1
1.1 Partnership – TAFE South Australia..............................................................................................2
1.2 Researcher’s Personal Interest.........................................................................................................3
1.3 Contributions........................................................................................................................................... 3
1.4 Scope and Limitations.......................................................................................................................... 3
1.5 Field of Thesis.......................................................................................................................................... 3
1.6 Research Question................................................................................................................................. 4
2. Literature Review.......................................................................................................................................... 5
2.1 Information Security.............................................................................................................................5
2.2 Employee Information Security Awareness...............................................................................6
2.3 Managerial Information Security Awareness............................................................................7
2.4 Australian Information Security Awareness..............................................................................8
2.5 Other Relevant Literature...................................................................................................................9
2.6 Assessing Information Security Awareness.............................................................................12
2.7 General Information Security Concepts.....................................................................................13
2.7.1 Phishing...........................................................................................................................................13
2.7.2 Spam................................................................................................................................................. 14
2.7.3 Social Engineering...................................................................................................................... 14
2.7.4 Strong Passwords....................................................................................................................... 15
2.7.5 Data or Information Integrity................................................................................................15
iv
2.7.6 Social Networking.......................................................................................................................16
2.8 Literature Review Summary...........................................................................................................16
3. Methodology.................................................................................................................................................. 17
3.1 Aim............................................................................................................................................................. 17
3.2 Research methods...............................................................................................................................17
3.3 Questionnaire Justification..............................................................................................................17
3.4 Questionnaire Design.........................................................................................................................18
3.4.1 Section 1 – Knowledge of Concepts.....................................................................................18
3.4.2 Section 2 - Employee Behaviours and Actions...............................................................19
3.4.3 Section 3 - Consciousness of Policies.................................................................................20
3.4.4 Section 4 – Experiences Relating to Computer Crime................................................20
3.4.5 Section 5 – Demographics.......................................................................................................20
3.5 Data Collection...................................................................................................................................... 21
3.6 Data Analysis......................................................................................................................................... 21
3.7 Methodology Summary.....................................................................................................................22
4. Results.............................................................................................................................................................. 23
4.1 Demographics....................................................................................................................................... 23
4.2 Employees’ Knowledge of Concepts............................................................................................24
4.3 Employee Behaviours........................................................................................................................28
4.4 Relationships between Concepts and Behaviours................................................................31
4.5 Consciousness of Policies.................................................................................................................36
4.6 Past Experiences of Computer Crime.........................................................................................37
4.7 Results Summary................................................................................................................................. 38
4.8 Discussion............................................................................................................................................... 38
4.8.1 Lack of Knowledge of Security Concepts..........................................................................38
4.8.2 Lack of Awareness of Policies................................................................................................40
4.8.3 Lack of Information Security Awareness.........................................................................40
v
4.8.4 Relationships between Concepts and Behaviours.......................................................41
4.8.5 Recommendations......................................................................................................................42
5. Conclusion...................................................................................................................................................... 43
5.1 Research Summary.............................................................................................................................43
5.2 Limitations..............................................................................................................................................44
5.3 Future Research................................................................................................................................... 44
6. Ethics and Compliance..............................................................................................................................45
Reference............................................................................................................................................................. 46
Appendix A: Questionnaire..........................................................................................................................49
Appendix B: Questionnaire Invitation to All Staff..............................................................................53
Appendix C: Questionnaire Section 4 Responses...............................................................................55
vi
List of Tables
Table 1 : Relationships between Concepts and Behaviours..........................................................19
Table 2 : Demographics................................................................................................................................. 23
Table 3 : Demographics – Combined into Broad Categories.........................................................24
Table 4 : Knowledge of Concepts – All Staff.........................................................................................25
Table 5 : Knowledge of Concepts - Management...............................................................................25
Table 6 : Knowledge of Concepts – General Staff...............................................................................26
Table 7 : Employee Behaviours – All Staff.............................................................................................28
Table 8 : Employee Behaviours - Management...................................................................................29
Table 9 : Employee Behaviours – General Staff..................................................................................30
Table 10 : Cross Tabulation - Phishing and Spam (All Staff)........................................................31
Table 11: Cross Tabulation - Phishing and Spam (Management)...............................................31
Table 12 : Cross Tabulation - Phishing and Spam (General Staff)..............................................32
Table 13 : Cross Tabulation – Strong Passwords (All Staff)..........................................................33
Table 14 : Cross Tabulation – Strong Passwords (Management)...............................................33
Table 15 : Cross Tabulation – Strong Passwords (General Staff)...............................................34
Table 16 : Cross Tabulation – Information Integrity (All Staff)...................................................35
Table 17 : Cross Tabulation – Information Integrity (Management)........................................35
Table 18 : Cross Tabulation – Information Integrity (General Staff)........................................35
Table 19 : Consciousness of Policies – All Staff...................................................................................36
Table 20 : Consciousness of Policies – Management........................................................................36
Table 21 : Consciousness of Policies – General Staff........................................................................37
vii
1. IntroductionDue to advances in information technology and the resultant high accessibility of
information by internal and external users, information security has become highly
relevant and necessary for the survival of organisations (von Solms 1998; Cervone
2005; Thompson 2006). Failure to protect confidential information may result in
exorbitant costs in public liabilities, which may result in the ultimate downfall of an
organisation.
There are three important aspects of information security according to Cervone (2005).
Firstly, the confidentiality aspect relates to preventing unauthorised access to
information, thus ensuring that confidential data or information is well protected.
Secondly, integrity relates to the accuracy, correctness and currency of information,
thus ensuring that information is trustworthy and faithfully represents the real world in
which the data or information is based on. Thirdly, availability of information relates to
ensuring that authorised access to information or systems are provided when needed.
The main purpose of information security, therefore, is to ensure business continuity in
order to minimise damage and liability to the organisation. Furthermore, organisations
have both an ethical and legal responsibility in ensuring that confidential information is
well protected (Cervone 2005).
Many papers such as von Solms (1998) and Cervone (2005) have concluded that to
counteract or to minimise the risk of information security breaches, it is important for
an organisation to implement an information security plan or strategy.
Further, Namjoo et al. (2008) suggested that the preventative actions by organisations
usually take place after the occurrence of information security breaches. By the time an
incident has taken place, it could be too late. It is therefore better to be safe than sorry.
Information security measures usually consist of utilising technical controls in order to
mitigate information security risks. However, Dzazali, Sulaiman & Zolait (2009) stated
that technical controls become futile if the people interacting with the information
systems do not have prudent security practices. In other words, human factors must be
taken into account. Policies or controls become useless if users are not aware of any
security risks or the policies themselves.
1
It is widely accepted within current literature that information security awareness is a
key factor in contributing to a successful security strategy (Siponen & Vance 2010;
Spears & Barki 2010; McFadzean, Ezingeard & Birchall 2007; Knapp et al. 2006;
Mouratidis, Jahankhani & Nkhoma 2008; Hagen, Albrechtsen & Hovden 2008; Doherty,
Anastasakis & Fulford 2009; Bulgurcu, Cavusoglu & Benbasat 2010; Namjoo et al. 2008).
Further, there is a positive and direct relation between information security awareness
and preventative action and thus improved security performance (Knapp et al. 2006),
which suggests that employee security awareness assessment should be the starting
point in developing or enhancing any security strategies.
According to Bulgurcu, Cavusoglu & Benbasat (2010), information security awareness is
an employee’s knowledge of information security concepts and his or her consciousness
of the organisation’s information security measures or plans.
Due to the apparent gap which exists in current literature in that studies in relation to
organisational information security awareness in an Australian context are minimal,
this investigative study aims to assess the employee awareness levels of an Australian
organisation. Assessment will be conducted using a questionnaire in which the design
and methodologies are based on the study presented by Kruger, Drevin & Steyn (2010).
The questionnaire will be delivered online and the resultant collected data will be
analysed to gain insight into employee assessment levels.
1.1 Partnership – TAFE South Australia
TAFE South Australia recognises the potential benefits of this study for the organisation
and Australian organisations in general. Therefore TAFE South Australia has kindly
agreed to take part in this study by allowing its employees to be the subjects for this
research.
TAFE South Australia is an agency of the Department for Further Education, Science and
Technology (DFEEST) within the Government of South Australia. It is the largest
provider of vocational education and training in South Australia.
With over 2400 employees ranging from lecturing, administrative and management
spread across 48 campuses around the State of South Australia (TAFE South Australia
2011), the organisation is a highly suitable subject for the purpose of this research
2
because nearly all aspects of the business are conducted using information systems, as
is the case for most organisations of today. TAFE SA holds vast amounts of confidential
student and staff data and is therefore obligated to ensure such information is kept well
protected from unauthorised access. In addition, TAFE South Australia recently spent
over 20 million dollars in implementing a student information system consisting of an
online and public component that will increase the potential of exposing confidential
data to the public.
1.2 Researcher’s Personal Interest
As a member of staff within TAFE South Australia, the researcher has first-hand
experience in the workings of the organisation, particularly in relation to information
security, where it is recognised through general observations that awareness is lacking.
By verifying this lack of awareness, the researcher hopes that this will provide a first
step in ensuring TAFE South Australia’s information security readiness.
1.3 Contributions
The results of this research will directly benefit TAFE South Australia by providing the
organisation with a critical analysis of employee information security awareness,
thereby providing a starting point in ensuring information security readiness. More
importantly, very little has been done to assess information security awareness in
Australian organisations. Therefore, this study may provide a much needed insight into
security awareness in an Australian context. The results of this study will be given to
TAFE South Australia.
1.4 Scope and Limitations
Assessing awareness is only the initial step in the process of ensuring information
security. This study is limited in that it does not investigate how awareness can be
improved through best practices. Further study is needed, and will be considered in the
future.
1.5 Field of Thesis
Information Security, Information Security Awareness, Information Assurance,
Information Management.
3
1.6 Research Question
This exploratory study will utilise an information security questionnaire to assess both
the employee and managerial information security awareness levels of TAFE South
Australia in order to identify areas that need improvement. The study will provide a
starting point for developing or improving existing security policies for TAFE South
Australia. The study may also provide an insight into the information security readiness
of other similar Australian organisations. The scope of this study is limited to the
assessment of information security awareness and related employee behaviours and
does not investigate techniques which could improve awareness, nor does the scope
include developing information security policies or plans.
4
2. Literature ReviewThe following sections provide a review of current literature relating to information
security awareness and within the scope of this study. Firstly, literature providing
background information will be briefly discussed. This is followed by the review of
various studies which place emphasis on information security awareness. Finally a brief
summary of the reviewed literature will be provided, explaining the justification for the
need to investigate information security awareness in an Australian context.
2.1 Information Security
The advent of the internet and electronic commerce has ensured that information
security has become increasingly vital for modern organisations (von Solms, 1998). This
is because the internet or intranets have enabled information to be easily accessible by
external or internal sources. von Solms (1998) further stated that organisations need to
ensure that a high level of information security is maintained in order to protect
proprietary and confidential information.
Further, Cervone (2005) stated that due to the increasing complexity of software,
vulnerabilities of software are also increasing. Subsequently, security breaches will
result. Of particular relevance to this research is the unauthorised access to confidential
information via illegal means. The liability to an organisation if this was to occur would
financially cripple the organisation and may cause a public outcry. In order to minimise
or to prevent information security breaches, an organisation must implement an
information security preventative plan. Cervone (2005) identified three major areas in
which a security plan should address. These were: Confidentiality, protecting
information from unauthorised access; Integrity, protecting information from
unauthorised alteration; and availability, providing access to information as required,
when required.
Thompson (2006) expanded further the importance of protecting information by
discussing social engineering in the context of public libraries. According to Thompson
(2006), “social engineering is the use of non-technical means to gain unauthorised
access to information or computer systems”. Libraries contain a vast amount of
personal information in their database and social engineering is clearly a major threat.
Social engineering will be further discussed in a latter section. TAFE South Australia or
5
any other higher education institutions face similar threats due to the vast amount of
student information contained in their database. A major aspect of social engineering is
that hackers prey on employee trust and emotion. That is, hackers will try to gain the
trust of employees in order to obtain confidential information. Further, hackers will
often use impersonation and pretend to be someone else in order to gain trust. Finally,
Thompson (2006) suggested that apart from a well implemented information security
plan to prevent social engineering, employees play an active and important role. The
starting point would be to ensure that employees have a high level of information
security awareness, and this forms the basis for this research.
Bulgurcu, Cavusoglu & Benbasat (2010) defined information security awareness as an
employee’s knowledge of information security and his or her consciousness of the
organisation’s information security measures or plans. The following section will
present relevant literature relating to information security awareness which is of
importance to this research.
2.2 Employee Information Security Awareness
Bulgurcu, Cavusoglu & Benbasat (2010) investigated employee rationality based
behaviours, information security awareness, and their effects on information security
compliance. The study was able to show that an employee’s intention to comply is
greatly influenced by their attitude and their outcome beliefs. More importantly for the
purpose of this research, the study found that an employee’s attitude and outcome
beliefs are affected by their level of information security awareness. In other words,
placing emphasis on information security awareness can positively affect employee
attitudes and to encourage compliance.
Siponen & Vance (2010) explained information security breaches by employees from a
neutralization theory perspective. That is, the study concluded that employees who are
responsible for any security breaches often justify or rationalise their actions using
neutralization techniques. Neutralization is a concept borrowed from the field of
psychology. The study was not directly related to information security awareness.
However, Siponen & Vance (2010) did propose that policy awareness campaigns may
be used to counteract the effects of neutralization thereby ensuring that security
6
policies are adhered to, suggesting that further investigation into information security
awareness is warranted.
Spears & Barki (2010) explored the relationship between employee participation in risk
management and internal security compliance. The study was able to conclude that
employee participation in risk management greatly contributed to improved security
control performance due to greater alignment between security risk management and
the business environment, better policy development, and more importantly for the
purpose of this research – greater information security awareness. While the study did
not explore information security awareness as the main driver of a successful security
policy, it did highlight information security awareness as a main contributor.
2.3 Managerial Information Security Awareness
Most studies have so far explored the significance of information security awareness of
employees in general. This section presents current literature which has identified the
importance of managerial information security awareness.
McFadzean, Ezingeard & Birchall (2007) identified the awareness of senior
management as an important driver of effective security measures. The study argued
that senior executives have a holistic view of the organisation and therefore have the
power to affect change in the organisation through their roles as strategy implementers.
It was found that board level perceptions and thereby information security awareness
are positively related to the strategic activities of an organisation.
Similar to McFadzean, Ezingeard & Birchall (2007), Knapp et al. (2006) also identified
senior management as key players. The study found that senior management support is
positively related to both an organisation’s security culture and the level of policy
enforcement. While the study did not directly explore managerial information security
awareness as a predictor of security performance, it did again highlight the importance
of management involvement, thus the importance of managerial information security
awareness in affecting an organisation’s information security readiness.
Mouratidis, Jahankhani & Nkhoma (2008) aimed to study the differences in perception
of network security between general management personnel and personnel who are
responsible for actual network security. The study found that general managers do have
7
different perspectives towards network security than personnel from the network
security management. In particular, the effectiveness and efficiency of the network,
control of security, security decision making process, and users of the network all
showed significant perceptual differences. There is a clear lack of information security
awareness within general management and as confirmed by McFadzean, Ezingeard &
Birchall (2007), this could have a negative impact on the effectiveness of information
security policies.
Namjoo et al. (2008) further reinforced the importance of information security
awareness levels of management by investigating the relationship between managerial
information security awareness and action. The study was able to provide empirical
support for a positive relationship between awareness and action. In other words, the
higher the level of managerial information security awareness, the more likely the
managers will take action in implementing preventative measures. The study suggested
that preventative action usually occur after the fact. That is, unless an actual
information security breach has occurred, organisations usually take no action in
adopting security measures. Like various similar studies, Namjoo et al. (2008) implied
that by raising managerial information security awareness, information security
performance could in fact improve information security performance.
2.4 Australian Information Security Awareness
This section identifies two studies which are of high relevance for this current study.
These studies are conducted in an Australian Higher Education context in which the
organisation exists within.
The exploratory study conducted by Lane (2007) identified that in relation to
information security management in Australian Universities, information security
awareness activities remain a challenge. Lane (2007) suggested that information
security consist of the awareness of organisational requirements and behaviours, as
well as the willingness to comply with policies and rules. In addition, if employees do
not hold an interest in security, such as in the case of information security professionals,
then they are less likely to comply. Lane (2007) concluded that compliance is difficult to
achieve if security awareness levels are low. The study suggested that Australian
Universities do not have adequate security awareness programs in place to counteract
8
the low levels of awareness, therefore compliance is also low. The study stressed the
importance of information security awareness programs in order to foster a culture of
compliance, which will ultimately enhance employee compliance of information
security. It is important to note that Lane (2007) looked at information management as
a subject of the exploratory study and only briefly discussed information security
awareness.
In another Australian Higher Education context, and similar to Spears & Barki (2010),
Yeo, Rahim & Miri (2007) explored security risk assessment strategies of an Australian
University. Again, the study only briefly discussed the implications of user’s information
security awareness. The study identified security awareness as an important
component which must be assessed as part an organisation’s risk assessment. User non-
compliance is a serious risk for any organisations, and awareness is positively related to
compliance, as concluded by other studies discussed in this thesis. The study concluded
that information security awareness of employees must be risked assessed as part of an
overall organisational risk assessment strategies in order to identify areas which need
improvements. In other words, the lack of information security awareness poses serious
threats to an organisation and must be properly risk assessed and mitigated. As
suggested by Lane (2007), mitigation can be in the form of the adoption of security
awareness training programs.
2.5 Other Relevant Literature
Hagen, Albrechtsen & Hovden (2008) studied the implementation of organisational
security measures and to assess the effectiveness of such measures. The study was
conducted using a survey in which data was collected from information security
managers in various Norwegian organisations. It was discovered that many Norwegian
organisations placed emphasis on the policies and procedures in implementing any
measures, but placed very little emphasis on security awareness. The study also showed
that awareness measures were the most effective of any security measures. As a
consequence, the study showed an inverse relationship between the implementation of
security measures and their effectiveness. In other words, it is important to place
emphasis on security awareness as well as technical controls when adopting security
programs. Hagen, Albrechtsen & Hovden (2008) only investigated Norwegian
organisations. However, due to the similar structures of western organisations (similar
9
accounting practices, management hierarchies, information technology infrastructure
etc.), it can be posited that Australian organisations are in a similar situation. Virtually
no studies have explored information security awareness in Australian organisations,
thereby justifying the need for this proposed research.
According to Doherty, Anastasakis & Fulford (2009), ensuring the security of
information has become extremely complex and challenging. This is more so for
Universities because teaching and research activities are becoming more reliant on the
availability, integrity and accuracy of computer based information. The study aimed to
empirically study the structure or content of security policies for UK based Universities
in order to fill the gap in the literature by critically examining the structure and content
of these policies. The study found that due to the wide diversity of these policies, it was
not possible to foster a coherent approach to security management. It also found that
the range of issues being covered in such policies was surprisingly low, and reflects a
highly techno-centric view rather than a user-centric view of information security
management. This suggests that the user or staff information security awareness are
not prominent nor considered in these policies. Again, while Doherty, Anastasakis &
Fulford (2009) only explored UK based Universities, it can be posited that Australian
higher education institutions such as TAFE South Australia may have similar attitudes,
thereby further justifying the need to explore information security awareness in an
Australian setting.
In another non-Australian context, Dzazali, Sulaiman & Zolait (2009) aimed to evaluate
the maturity level of information security in the Malaysian Public Service. The study
used convenience sampling and collected data from 970 individuals through a survey. It
was revealed that spamming was the most prevalent (42%) followed by malicious codes
(41%). Notably, it was found that 25% of incidents were from internal sources where as
11% were from external sources, with 49% being unknown sources. Findings on the
maturity level showed that 61% of respondents were at level 3, followed by 21% at
level 2. At the higher end, only 13% were at level 4 and a miniscule 1% was at level 5.
The study did not directly study security awareness, but the finding that the internal
related incidents were prevalent suggests that security awareness is a factor when
taking into the account other studies being discussed. While this study was conducted in
relation to the Malaysian Public Sector, similar investigation could be adopted to
10
investigate maturity levels of information security within the Australian Public Sector in
which TAFE South Australia belongs to.
Samy, Ahmad & Ismail (2010) was another study into information security within a
non-educational industry in a non-Australian setting. The study aimed to investigate the
various types of threats which exist for Malaysian healthcare information systems. The
systems in question all belonged to government funded hospitals and data were
collected from these hospitals. The study identified 22 types of threats according to
major threat categories based on ISO27002. More importantly, the results showed that
the most critical threat for these systems were power failure followed by human error.
While power failure may be unavoidable, the human errors are not. Samy, Ahmad &
Ismail (2010) stated that the human errors were due to a lack of awareness and good
practice among staff.
Similar to Samy, Ahmad & Ismail (2010), Williams (2008) studied the failure of the
American health industry in recognising the seriousness of information security threats
to patients and practice information. The study suggested that this failure is attributed
to the lack of understanding of security concepts, underestimating potential threats and
the difficulty in setting up security measures. In order to appreciate these factors,
research into the general practitioner security practice and perceptions of security was
undertaken. It was found that poor security measures implementation and a lack of
knowledge were key factors. The results also showed that information security was
overwhelmingly reliant on trusting staff and the computer systems themselves, rather
than implementing an overall security policy, which the study recommended.
While Samy, Ahmad, & Ismail (2010) and Williams (2008) both investigated
information security in the context of the health industry from Malaysia and America
respectively, it can be posited that Australian based higher education institutions face
similar threats due to the large amount of confidential and personal data relating to
students which exist in their database, thus warranting further investigations.
Laaksonen & Niemimaa (2011) conducted an exploratory study into information
security policies and their effectiveness. It is important to note that information security
awareness was not a main focus of the study. However, the study did suggest that
11
information security awareness did influence employee perception of security policies
and therefore must be taken into account when devising such policies.
2.6 Assessing Information Security Awareness
Since the proposed research is to assess information security awareness of TAFE South
Australia employees, this section provides a review of literature which has directly used
various methodologies in gauging awareness. This provides an important basis for the
methodology adopted for this research.
Most of the literature reviewed so far has only briefly discussed employee or
managerial information security awareness in their studies, or has only implicated,
assumed or posited the importance of information security (Siponen & Vance 2010;
Spears & Barki 2010; McFadzean, Ezingeard & Birchall 2007; Knapp et al. 2006;
Mouratidis, Jahankhani & Nkhoma 2008; Hagen, Albrechtsen & Hovden 2008; Doherty,
Anastasakis & Fulford 2009). Few studies have actually directly assessed information
security awareness.
In determining a positive relationship between information security awareness,
employee rationality based behaviours and policy compliance, Bulgurcu, Cavusoglu &
Benbasat (2010) included three simple questions in their questionnaire to gauge
security awareness. These questions are:
1. I know the rules and regulations prescribed by the ISP of my organisation.
2. I understand the rules and regulations prescribed by the ISP of my organisation.
3. I know my responsibilities as prescribed in the ISP to enhance the IS security of
my organisation.
As can be seen, these questions are all directly related to an organisation’s existing
information security policy (ISP as stated in the questions) and do not involve gauging
an employee’s awareness of information security concepts such as social engineering
(Cervone 2005). While there are clear limitations to the methodology of Bulgurcu,
Cavusoglu & Benbasat (2010), the study did provide a part example of how awareness
can be gauged.
12
Similarly, the study by Namjoo et al. (2008) looked at information security awareness of
managers in determining its relationship and managerial action relating to prevention.
Like Bulgurcu, Cavusoglu & Benbasat (2010), simple questions were used to gauge
awareness. The questions were again limited in that they were only relevant in the
context of an existing security policy.
Perhaps the most extensive tool for assessing information security awareness was
proposed by Kruger, Drevin & Steyn (2010). Like many studies, Kruger, Drevin & Steyn
(2010) acknowledged that an organisation’s survival necessitates a security program.
Due to the importance of information security awareness in ensuring a successful plan,
the study proposed that the starting point in developing a plan is to assess awareness
levels of employees. The study aimed to examine the feasibility of an information
security awareness test for employees, thereby identifying suitable topics to include in
an information security awareness training program. It was found that the use of a
vocabulary test to assess awareness levels is beneficial in gauging the awareness of
employees. It is important to note however, that the test population used by the study
were all University students rather than employees from an actual organisation.
However, for the purpose of this proposed research, the vocabulary test proposed by
Kruger, Drevin & Steyn (2010) will be modified to fit the Australian organisational
context and will be used to assess awareness levels of TAFE South Australia employees.
This will be further discussed in the methodology section of thesis.
2.7 General Information Security Concepts
This section identifies from literature the most relevant concepts relating to
information security and for the purpose of this study. These concepts will form the
basis of the questionnaire design in which respondents will be assessed in their
knowledge of these concepts.
2.7.1 Phishing
According to Whitman & Mattord (2008), phishing is the attempt to obtain confidential
information or to conduct identity theft by using seemingly harmless emails or forged
websites that imitate a real corresponding website. Phishing is also performed by using
non-technical means such as social engineering (discussed in section 2.5.1.3) and may
also be used in conjunction with spam (discussed in the next section) as a mode of
13
carrying out a phishing attack. Phishing is a common threat against the confidentiality
aspect of information security and is therefore important for employees to be aware of
the concept and its dangers.
2.7.2 Spam
Spam is defined as any unsolicited commercial emails or messages (Whitman & Mattord
2005). It may seem trivial but spam is not simply an annoyance to the receiver. Spam
has the potential to cause disasters and disrupt systems. For example, malicious codes
such as viruses and Trojan horses often use spam as a vehicle for distribution. Malicious
code could reduce information systems to a standstill and restrict access to users, thus
violating the availability aspect of information security.
In addition, phishing attacks are often conducted using spam which may contain links to
phishing websites. While most organisational technical controls may prevent spam from
entering the organisation’s email system, it may not be possible to achieve 100%
mitigation. Therefore, it is important for individual employees to be aware of the
concept of spam and its related dangers.
2.7.3 Social Engineering
Social engineering was briefly discussed in section 2.1. This section further expands on
the concept. In the context of information security, social engineering is the use of non-
technical means to perform identity theft or to obtain confidential information
(Thompson 2006). Attackers in this case may use a combination of psychological
manipulation and impersonation in order to induce the unwilling victim into providing
confidential information.
This is further expanded by Btoush et al. (2011), which stated that social engineering is
represented as the ability to build improper trust relations with people who are
working inside the organisation in order to obtain unauthorised access privileges or to
gain sensitive and confidential information using psychological trickery. Due to the very
human aspects of social engineering, it is not possible to prevent these types of attacks
using technical controls. Social engineering mitigation is therefore heavily reliant on
employees’ awareness of the concept and the enforcement of organisational policies
relating to security and privacy.
14
2.7.4 Strong Passwords
A password is the key to authenticating a user and to prevent unauthorised access to a
system. In addition to social engineering or phishing means, passwords can be
illegitimately or illegally obtained by using two types of cyber-attacks known as
password cracking. According to Whitman and Mattord (2005), these attacks are brute
force and dictionary attacks. It is not a question of whether or not a password can be
cracked, but rather how long it takes for a password to be cracked. The stronger the
password is, the longer it takes. Subsequently, a strong password ensures that the
feasibility of a password attack is dramatically diminished for the attacker. It is true that
technical password controls can enforce the strength of a password, but not all
information systems consist of such controls and therefore it is ultimately up to the
employees to ensure that their passwords are of sufficient strength. Knowledge of the
concept of a strong password is therefore vital.
There is no widely accepted definition of a strong password. For the purpose of this
study, Microsoft’s definition was used. According to Microsoft Safety & Security Centre
(2011), a strong password should consist of sufficient length, and should contain a
combination of letters, numbers and symbols.
2.7.5 Data or Information Integrity
Data or information integrity relates to the integrity aspect of information security.
According to Boritz (2005), information integrity has the following core attributes
which are relevant for this study:
Accuracy or Correctness – that is, information must be accurate and correct in
that the information or data must be precise and in line with the real world
object by which the data is mapped to. For example, a student’s date of birth
stored in a system must have no room for error.
Trustworthiness - ensuring accuracy and correctness will subsequently ensure
that the information stored in the system is a faithful representation of a real
world object, thus one can trust the information.
Currency and Timeliness – using a student’s date of birth as an example, the
actual date of birth itself is a variable which changes over time. Information
15
currency is therefore affected by real world changes over time and must be
catered for.
2.7.6 Social Networking
The idea that social media or networking sites such as Facebook or Twitter as sources of
confidential information leakage has become highly relevant in recent years. However,
very little research has been conducted in this area. Due to the critical mass of social
media uptake by individuals and businesses alike, there is a potential for users to
expose confidential work related information. According to Everett (2010), social
media has recently been identified as the platform of choice by hackers for spreading
malware through tainted web links. Further, the anonymity nature of such sites means
that unwitting users are also subjected to phishing scams. Finally, Everett (2010)
suggested that social media is definitely a source of data leakage when employees
disclose information relating to the workplace on social media sites. It is therefore an
important inclusion for any security plans or policies. Awareness of the dangers of
social networking in relation to information security is very important.
2.8 Literature Review Summary
All studies reviewed above have identified information security as a key contributor to
successful security plans or measures. There is a clear gap in the reviewed literature in
that very little studies into information security awareness have been conducted for
Australian organisations. As a matter of fact, during the search for literature in relation
to this study, only a small amount of studies was found to be related to Australian
organisations. More importantly, very little amount of studies have been identified in
relation to information security awareness. This further justifies the need for this type
of study. The result of this study may provide an insight into the awareness levels, and
thus the information security readiness of Australian organisations. Further, it would
provide a means to gauge awareness and thus identify any aspects of information
awareness requiring improvements to be included in a security training program or
security policy.
16
3. MethodologyThe following sections will discuss the methodologies adopted for the purpose of this
study. The aim of this study will be declared, followed by the methodology approach in
relation to research methods. Discussion will then place emphasis on the design of the
questionnaire followed by data collection and analysis. Finally, a brief summary of this
section will be provided.
3.1 Aim
The aim of this study is to gain an insight into the information security awareness levels
of TAFE South Australia employees in order to identify areas that need improvement. In
other words, this study is an investigative or explorative study.
3.2 Research methods
Due to the fact that theoretical models based on information security awareness are
virtually non-existent, the nature of this research is exploratory rather than to test for
hypothesis. The same dilemma was present in the research methods adopted by De
Haes & Van Grembergen (2009) in their study into IT governance which has a similarly
scarce amount of available resources and existing research. The approach adopted in
this research is therefore exploratory. According to Ryerson (2007 cited in De Haes &
Van Grembergen, 2009), exploratory research includes a mixture of secondary research
methods such as summarising quantitative data obtained by surveys and literature
review. Therefore, the use of quantitative methods and literature review discussed in
section 2 in order to gain insight into the topic of information security awareness was
adopted for this study.
3.3 Questionnaire Justification
A questionnaire was used for this explorative study because a related study has proven
the use of such questionnaires in assessing information awareness to be both beneficial
and practical (Kruger, Drevin & Steyn 2010). The design of the questionnaire was also
based on the study conducted by Kruger, Drevin & Steyn (2010).
An online questionnaire consisting of five sections and totalling seventeen questions
was developed to assess the awareness levels and the behaviours of TAFE South
Australia employees in relation to various aspects of information security. The web-
17
based deployment of the questionnaire ensures a greater reach and better response
rates. The questionnaire requires about ten minutes of the respondent’s time for
completion and the resulting collected data is immediately available.
3.4 Questionnaire Design
Based on the definition of information security awareness by Bulgurcu, Cavusoglu &
Benbasat (2010), the questionnaire included two areas to test the respondents’
knowledge of common information security concepts and a latter section which gauges
an employee’s consciousness or awareness of TAFE South Australia’s security and
password policies’ existence. In addition, employee behaviours in relation to
information security were also tested in a third section. The remainder of the
questionnaire aimed to obtain the respondent’s demographic attribute and an open-
ended section which aims to identify any respondent’s previous experiences relating to
information security incidents or breaches. The ensuing sections will provide an
overview of the questionnaire design and the questionnaire can be found in Appendix A.
3.4.1 Section 1 – Knowledge of Concepts
Similar to Kruger, Drevin & Steyn (2010), various generally known or common concepts
identified in the literature review were included in this section of the questionnaire
because the purpose of this study is to explore and to gauge awareness levels of all
employee types and not just information security professionals. The underlying
assumption is that most general employees would not know the meaning of lesser
known concepts such as “botnets” or “Steganography” (Kruger, Drevin & Steyn 2010).
All concepts included in this area were identified to be relevant for this study and
applicable for TAFE South Australia. A total of five questions are included in section 1
(see Appendix A) and are used to assess the respondents’ knowledge in the following
concepts discussed in the literature review:
Question 1: Phishing
Question 2: Spam
Question 3: Social Engineering
Question 4: Strong Passwords
Question 5: Information Integrity
18
The questions are multiple-choice based, with only one possible correct response for
each question. The exception to this is question 4: strong passwords in which the
question is open-ended in order to prevent respondents from easily selecting the most
likely and obvious choice. The choices for the other questions are not so clear or
obvious.
3.4.2 Section 2 - Employee Behaviours and Actions
The second section of the questionnaire consisted of scenario based questions. The idea
that behaviours should be assessed along with concepts is adapted from Kruger, Drevin
& Steyn (2010) who observed that there are significant relationships between security
concepts and behaviours. The questions in this section evaluate the respondent’s action
taken in their past based on scenarios within an information security context. The basis
for these questions is that the questions are linked with a corresponding security
concept being assessed in section 1 of the questionnaire. For example, spam and
phishing are concepts linked to question 9 which asks whether the respondent has ever
clicked on an unknown link embedded in a third party email. As discussed in the
literature review, spam has a high potential for being a distribution method for
malicious codes and phishing attacks. The concepts of spam and phishing are therefore
related to question 9. The following table summarises similar linkages between section
1 and section 2 of the questionnaire:
Concepts (Section 1) Corresponding Behaviours (Section 2)
Phishing, Spam Clicking on embedded links in emails (Question 9)
Strong Password Giving away Passwords (Question 6)
Leaving computer unlocked and unattended (Question 7)
Using inappropriate methods for storing passwords (Question 8)
Information Integrity Amending data without confirmation or due process (Question 10)
Table 1 : Relationships between Concepts and Behaviours
All section 2 questions are multiple-choice based and there is only one possible correct
answer for each question (refer to Appendix A: Section 2). No linkages between social
19
engineering and a corresponding behavioural question were identified. The reason for
this will be discussed further as a limitation at the conclusion of the thesis.
3.4.3 Section 3 - Consciousness of Policies
This section of the questionnaire relates to the second part of the definition of
information security awareness as defined by Bulgurcu, Cavusoglu & Benbasat (2010).
That is, in addition to the knowledge of concepts, information security awareness also
consists of an employee’s consciousness or knowledge of an organisation’s policies in
relation to information security. Note that for the purpose of this study, the existence or
the details of any TAFE South Australia policies in relation to information security are
not discussed because such information is deemed to be private and confidential. The
section consists of two multiple choice questions with each having only one possible
correct answer. The first question relates to information security policy and the latter
question relates to password policy.
3.4.4 Section 4 – Experiences Relating to Computer Crime
This section of the questionnaire attempts to identify any previous employee
experiences relating to security incidents/breaches or computer crime. The purpose is
to gain an overview or insights into employee perceptions of such incidents and the
actions taken as a result of such incidents. Section 4 consists of three questions. The first
question asks whether or not the respondent has ever experienced computer crime.
Based on the response, the subsequent questions are open-ended and request details of
the experience.
3.4.5 Section 5 – Demographics
The last section of the questionnaire has only one question and simply identifies each
respondent’s demographic groups. The categories listed in the question’s multiple
choices (refer to Appendix A) will be further combined into two broad categories of
management and general employees. The reason for the merging of the categories is
that the literature review has identified both management and general employees as
distinct groups of stakeholders in regards to information security.
20
3.5 Data Collection
The online questionnaire was created and deployed using the web-based survey service
provider Qualtrics (http://www.qualtrics.com). Qualtrics was selected for the task
because it is highly secure and can handle the storage of large amounts of responses.
The responses can be exported into most commonly used statistical formats such as
Microsoft Excel compatible files. Qualtrics also allows for all question types such as
multiple-choice, text boxes, and has support for selectively releasing questions based on
responses from previous questions. Qualtrics is widely used by many research
institutions including the University of South Australia.
The link to the online questionnaire was distributed to all TAFE South Australia
employees via the internal email system. The email invited all employees to voluntarily
take part in the research. Further, the invitation stated clearly that the responses to the
survey will remain strictly anonymous and that no individuals can possibly be identified
in the collected data. The purpose and details of the research was outlined in the email.
The email also stated that by submitting the responses to the online questionnaire,
consent was thereby simultaneously given by the respondents. The collected data as a
result of this study will be stored at a safe location in accordance with the policy of the
University of South Australia. The email inviting all TAFE SA staff to participate in the
questionnaire can be found in Appendix B.
3.6 Data Analysis
Quantitative methods and Microsoft Excel 2010 were used to obtain tabulated
percentages of all responses to closed questions. In addition, content analysis was
performed on responses to open-ended questions in order to determine whether the
responses were deemed positive or negative. For example, in relation to strong
passwords, content analysis was used to group responses into either yes (has
knowledge of strong password) or no. Content analysis was performed for open-ended
questions which only served to obtain a general overview or insight into the employee
perception and actions taken in relation to computer crime or information security
incidents. Finally, the cross-tabulation (pivot tables) functionality within Microsoft
Excel 2010 was used to show the relationships between information concepts and
related behaviours (refer to Section 3.4.2 – Table 1).
21
3.7 Methodology Summary
In summary, the explorative nature of this study justifies the combined methods of data
collection via an online questionnaire and literature review (refer to section 2). The use
of an online questionnaire ensures a higher rate of responses compared with traditional
paper based surveys due to its convenience for respondents. The design of the
questionnaire itself is based on principles used in similar studies which have proven to
be both practical and beneficial. The results of the questionnaire will be presented in
the ensuing section 4.
22
4. ResultsThe online questionnaire was distributed to all TAFE South Australia employees. There
are approximately 2400 employees (TAFE South Australia 2011) equating to a
population of 2400 for statistical purposes. 308 responses were received in total,
representing the sample population of 308. In other words, 12.8% of the organisation
responded to the questionnaire. The ensuing sections will present the results and
findings of the questionnaire. The results are only briefly described in this section. A
more extensive discussion of the findings will be provided in section 5 of this report.
4.1 Demographics
Question 17 (refer to Appendix) contained an open-ended section which allowed the
respondents to specify “other” in best describing their roles within the organisation.
Content analysis was conducted and these responses were distributed amongst the four
other groups as seen in Table 2.
Demographic Group Responses Percentage
Senior Management 7 2.3%
Middle or Operational Management 52 16.9%
Lecturing staff 161 52.3%
General Administration or Frontline 88 28.6%
Total 308 100.0%
Table 2 : Demographics
Since this study is concerned with the importance of information security awareness of
two main groups (management and general employees), the demographic groups were
further combined into two categories as seen in Table 3. Lecturing staff and general
administrative staff were grouped together as general staff because they are deemed to
be information system users. On the other hand, senior management and middle or
operational management are deemed to be strategy and policy promoters or enforcers.
Therefore were simply grouped into the management category.
Demographic Group Responses Percentage
23
Management 59 19.2%
General Staff 249 80.8%
Total 308 100.0%
Table 3 : Demographics – Combined into Broad Categories
All ensuing sections will therefore present three result sets for each section of the
questionnaire in order to facilitate better comparisons. These are: Responses from all
staff (308 out of 308 respondents); Responses from all respondents belonging to the
management category (59 out of 308 respondents were considered to be management);
Responses from all respondents belonging to the general staff category (249 out of 308
respondents were considered to be general staff)
4.2 Employees’ Knowledge of Concepts
This section presents the results of Section 1 of the questionnaire.
Table 4 summarises the results of the knowledge based questions for each concept as a
number of responses and as a percentage of all respondents. Table 5 and Table 6
summarises the results for management and general staff respectively.
In relation to the concept of strong passwords, respondents were asked to state what
they think a strong password should be. Based on manual content analysis, the
responses were compared against the definition provided by Microsoft Safety & Security
Centre (2011) to determine whether the respondent had a good idea of a strong
password. For example:
“A mixture of alpha and numeric” was deemed insufficient and therefore deemed
incorrect.
“One that uses letters, numbers, and symbols, and has sufficient length” was
deemed to be correct.
The criterion for a correct response is that sufficient length, the combination of alpha-
numeric, and symbols must all be mentioned.
Concept Knew the Concept
Responses Percentage
Phishing Yes 76 24.7%
24
No 232 75.3%Total 308 100.0%
SpamYes 263 85.4%No 45 14.6%
Total 308 100.0%
Social EngineeringYes 55 17.9%No 253 82.1%
Total 308 100.0%
Strong PasswordYes 203 65.9%No 105 34.1%
Total 308 100.0%
Information IntegrityYes 281 91.2%No 27 8.8%
Total 308 100.0%
Table 4 : Knowledge of Concepts – All Staff
ConceptKnew the Concept Responses Percentage
PhishingYes 19 32.2%No 40 67.8%
Total 59 100.0%
SpamYes 46 78.0%
No 13 22.0%
Total 59 100.0%
Social EngineeringYes 14 23.7%No 45 76.3%
Total 59 100.0%
Strong PasswordYes 38 64.4%No 21 35.6%
Total 59 100.0%
Information IntegrityYes 55 93.2%No 4 6.8%
Total 59 100.0%
Table 5 : Knowledge of Concepts - Management
Concept Knew the Concept Responses Percentage
25
Phishing Yes 57 22.9%No 192 77.1%
Total 249 100.0%
Spam Yes 217 87.1%No 32 12.9%
Total 249 100.0%
Social Engineering Yes 41 16.5%
No 208 83.5%
Total 249 100.0%
Strong Password Yes 165 66.3%No 84 33.7%
Total 249 100.0%
Information Integrity Yes 226 90.8%No 23 9.2%
Total 249 100.0%
Table 6 : Knowledge of Concepts – General Staff
The results shown in Table 4 are summarised as follows:
Only 24.7% of all staff knew the term phishing. 85.4% of all staff knew what spam is.
Only 17.9% of all staff knew the term social engineering. 65.9% of all staff had an idea of
what a strong password should be. 91.2% of all staff knew the importance of
information integrity.
The results shown in Table 5 are summarised as follows:
Only 32.2% of managers knew the term phishing. 78% of managers knew what spam is.
Only 23.7% of managers knew the term social engineering. 64.4% of managers had an
idea of what a strong password should be. 93.2% of managers knew the importance of
information integrity.
The results shown in Table 6 are summarised as follows:
26
Only 22.9% of general staff knew the term phishing. 87.1% of general staff knew what
spam is. Only 16.5% of general staff knew the term social engineering. 66.3% of general
staff had an idea of what a strong password should be. 90.8% of general staff knew the
importance of information integrity.
27
4.3 Employee Behaviours
This section presents and summarises the results of section 2 of the questionnaire.
Action Performed Action Responses Percentage
Given away passwords or logged someone onto a computer using own password
Yes 163 52.9%
No 145 47.1%
Total 308 100.0%
Left computer unattended and unlocked
Yes 238 77.3%No 70 22.7%
Total 308 100.0%
Used inappropriate methods for storing passwords
Yes 105 34.1%No 203 65.9%
Total 308 100.0%
Clicked on unknown links embedded in third party emails
Yes 228 74.0%No 80 26.0%
Total 308 100.0%
Amended data without confirming accuracy or authenticity
Yes 24 7.8%No 284 92.2%
Total 308 100.0%
Disclosed work related information on social networking sites
Yes 23 7.5%
No 285 92.5%Total 308 100.0%
Table 7 : Employee Behaviours – All Staff
The results shown in Table 7 are summarised as follows:
A surprising 52.9% of all staff have given away passwords or logged someone onto a
computer using their own password. A surprising 77.3% of all staff have left their
computer unattended and unlocked. 34.1% of all staff used inappropriate methods for
storing passwords. A surprising 74% of all staff has clicked on unknown links
embedded in third party emails. Only 7.8% of all staff has amended data without
confirming accuracy or authenticity. Only 7.5% of all staff has disclosed work related
information on social media.
28
Action Performed Action Responses Percentage
Given away passwords or logged someone onto a computer using own password
Yes 33 55.9%
No 26 44.1%
Total 59 100.0%
Left computer unattended and unlocked
Yes 43 72.9%No 16 27.1%
Total 59 100.0%
Used inappropriate methods for storing passwords
Yes 19 32.2%No 40 67.8%
Total 59 100.0%
Clicked on unknown links embedded in third party emails
Yes 46 78.0%No 13 22.0%
Total 59 100.0%
Amended data without confirming accuracy or authenticity
Yes 4 6.8%No 55 93.2%
Total 59 100.0%
Disclosed work related information on social networking sites
Yes 4 6.8%
No 55 93.2%Total 59 100.0%
Table 8 : Employee Behaviours - Management
The results shown in Table 8 are summarised as follows:
A surprising 55.9% of managers have given away passwords or logged someone onto a
computer using their own password. A surprising 72.9% of managers have left their
computer unattended and unlocked. 32.2% of managers used inappropriate methods
for storing passwords. A surprising 78% of managers have clicked on unknown links
embedded in third party emails. 6.8% of managers have amended data without
confirming accuracy or authenticity. 6.8% of managers have disclosed work related
information on social media.
29
Action Performed Action Responses Percentage
Given away passwords or logged someone onto a computer using own password
Yes 130 52.2%
No 119 47.8%
Total 249 100.0%
Left computer unattended and unlocked
Yes 195 78.3%No 54 21.7%
Total 249 100.0%
Used inappropriate methods for storing passwords
Yes 86 34.5%No 163 65.5%
Total 249 100.0%
Clicked on unknown links embedded in third party emails
Yes 182 73.1%No 67 26.9%
Total 249 100.0%
Amended data without confirming accuracy or authenticity
Yes 20 8.0%No 229 92.0%
Total 249 100.0%
Disclosed work related information on social networking sites
Yes 19 7.6%
No 230 92.4%Total 249 100.0%
Table 9 : Employee Behaviours – General Staff
The results shown in Table 9 are summarised as follows:
A surprising 52.2% of general staff have given away passwords or logged someone onto
a computer using their own password. A surprising 78.3% of general staff have left their
computer unattended and unlocked. 34.5% of general staff used inappropriate methods
for storing passwords. A surprising 73.1% of general staff have clicked on unknown
links embedded in third party emails. Only 8% of general staff have amended data
without confirming accuracy or authenticity. Only 7.6% of general staff have disclosed
work related information on social media.
30
4.4 Relationships between Concepts and Behaviours
The results of section 4.2 and 4.3 were cross tabulated to gain an insight into the
relationship between concepts and corresponding behaviours (Section 3.4.2 – Table 1)
Has clicked on unknown embedded links from third
party emailsYes No Total
Knew what phishing isResponses 172 60 232Percentage 74.1% 25.9% 100.0%
Did not know what phishing isResponses 56 20 76Percentage 73.7% 26.3% 100.0%
308
Knew what spam isResponses 198 65 263Percentage 75.3% 24.7% 100.0%
Did not know what spam isResponses 30 15 45Percentage 66.7% 33.3% 100.0%
308
Table 10 : Cross Tabulation - Phishing and Spam (All Staff)
The results shown in Table 10 are summarised as follows:
Surprisingly, 74.1% of all staff who knew what phishing is still clicked on unknown
embedded links. Similarly, 75.3% of all staff who knew what phishing is still clicked on
unknown embedded links.
Has clicked on unknown embedded links from third
party emailsYes No Total
Knew what phishing isResponses 15 4 19Percentage 78.9% 21.1% 100.0%
Did not know what phishing isResponses 31 9 40Percentage 77.5% 22.5% 100.0%Total 59
Knew what spam isResponses 35 11 46Percentage 76.1% 23.9% 100.0%
Did not know what spam isResponses 11 2 13Percentage 84.6% 15.4% 100.0%
59
Table 11: Cross Tabulation - Phishing and Spam (Management)
31
The results shown in Table 11 are summarised as follows:
Surprisingly, 78.9% of all managers who knew what phishing is still clicked on
unknown embedded links. Similarly, 76.1% of all managers who knew what phishing is
still clicked on unknown embedded links.
Has clicked on unknown embedded links from third
party emailsYes No Total
Knew what phishing isResponses 41 16 57
Percentage 71.9% 28.1% 100.0%
Did not know what phishing isResponses 141 51 192Percentage 73.4% 26.6% 100.0%
249
Knew what spam isResponses 163 54 217Percentage 75.1% 24.9% 100.0%
Did not know what spam isResponses 19 13 32Percentage 59.4% 40.6% 100.0%
249
Table 12 : Cross Tabulation - Phishing and Spam (General Staff)
The results shown in Table 12 are summarised as follows:
Surprisingly, 71.9% of general staff who knew what phishing is still clicked on unknown
embedded links. Similarly, 75.1% of general staff who knew what phishing is still
clicked on unknown embedded links.
32
Knew the concept of a strong password
Yes NoResponse Percentage Response Percentage
Has given away passwords or logged someone in using own password
Yes 105 51.7% 58 55.2%
No 98 48.3% 47 44.8%
Total 203 100.0% 105 100.0%
Has left computer unattended and unlocked
Yes 161 79.3% 77 73.3%No 42 20.7% 28 26.7%
Total 203 100.0% 105 100.0%
Has used inappropriate methods for storing passwords
Yes 61 30.0% 44 41.9%No 142 70.0% 61 58.1%
Total 203 100.0% 105 100.0%
Table 13 : Cross Tabulation – Strong Passwords (All Staff)
The results shown in Table 13 are summarised as follows:
51.7% of all staff who knew the concept of a strong password has admitted to giving
away their passwords. 79.3% of all staff who knew the concept of a strong password
have admitted to leaving their computers unattended and unlocked. 30% of all staff who
knew the concept of a strong password used inappropriate methods for storing
passwords.
Knew the concept of a strong password
Yes NoResponse Percentage Response Percentage
Has given away passwords or logged someone in using own password
Yes 19 50.0% 14 66.7%
No 19 50.0% 7 33.3%
Total 38 100.0% 21 100.0%
Has left computer unattended and unlocked
Yes 28 73.7% 15 71.4%No 10 26.3% 6 28.6%
Total 38 100.0% 21 100.0%
Has used inappropriate methods for storing passwords
Yes 11 28.9% 8 38.1%No 27 71.1% 13 61.9%
Total 38 100.0% 21 100.0%
Table 14 : Cross Tabulation – Strong Passwords (Management)
The results shown in Table 14 are summarised as follows:
33
50% of managers who knew the concept of a strong password have admitted to giving
away their passwords. 73.7% of managers who knew the concept of a strong password
have admitted to leaving their computers unattended and unlocked. 28.9% of managers
who knew the concept of a strong password used inappropriate methods for storing
passwords.
Knew the concept of a strong password
Yes NoResponse Percentage Response Percentage
Has given away passwords or logged someone in using own password
Yes 86 52.1% 44 52.4%
No 79 47.9% 40 47.6%
Total 165 100.0% 84 100.0%
Has left computer unattended and unlocked
Yes 133 80.6% 62 73.8%
No 32 19.4% 22 26.2%Total 165 100.0% 84 100.0%
Has used inappropriate methods for storing passwords
Yes 50 30.3% 36 42.9%
No 115 69.7% 48 57.1%Total 165 100.0% 84 100.0%
Table 15 : Cross Tabulation – Strong Passwords (General Staff)
The results shown in Table 15 are summarised as follows:
52.1% of general staff who knew the concept of a strong password have admitted to
giving away their passwords. 80.6% of general who knew the concept of a strong
password have admitted to leaving their computers unattended and unlocked. 30.3% of
general staff who knew the concept of a strong password used inappropriate methods
for storing passwords.
Has amended data without confirmation or due process
Yes No Total
34
Knew the importance of information integrity
Responses 21 260 281Percentage 7.5% 92.5% 100.0%
Did not know the importance of information integrity
Responses 3 24 27Percentage 11.1% 88.9% 100.0%
308
Table 16 : Cross Tabulation – Information Integrity (All Staff)
The results shown in Table 16 are summarised as follows:
7.5% of all staff who understood the importance of information integrity have amended
data without confirmation or due process.
Has amended data without confirmation or due process
Yes No TotalKnew the importance of information integrity
Responses 4 51 55Percentage 7.3% 92.7% 100.0%
Did not know the importance of information integrity
Responses 0 4 4Percentage 0.0% 100.0% 100.0%
59
Table 17 : Cross Tabulation – Information Integrity (Management)
The results shown in Table 17 are summarised as follows:
7.3% of managers who understood the importance of information integrity have
amended data without confirmation or due process.
Has amended data without confirmation or due process
Yes No TotalKnew the importance of information integrity
Responses 17 209 226Percentage 7.5% 92.5% 100.0%
Did not know the importance of information integrity
Responses 3 20 23Percentage 13.0% 87.0% 100.0%
249
Table 18 : Cross Tabulation – Information Integrity (General Staff)
The results shown in Table 18 are summarised as follows:
7.5% of general staff who understood the importance of information integrity have
amended data without confirmation or due process.
35
4.5 Consciousness of Policies
This section presents and summarises the results of section 3 of the questionnaire
which assesses the awareness or consciousness of existing security policies of
respondents.
Policy Aware of Policy's Existence Responses Percentage
Information Security PolicyYes 126 40.9%No 182 59.1%
Total 308 100.0%
Password PolicyYes 101 32.8%No 207 67.2%
Total 308 100.0%
Table 19 : Consciousness of Policies – All Staff
The results shown in Table19 are summarised as follows:
Only 40.9% of all staff knew the existence of an information security policy. Only 32.8%
of all staff knew the existence of a password policy.
Policy Aware of Policy's Existence Responses Percentage
Information Security PolicyYes 35 59.3%No 24 40.7%
Total 59 100.0%
Password PolicyYes 24 40.7%No 35 59.3%
Total 59 100.0%
Table 20 : Consciousness of Policies – Management
The results shown in Table 20 are summarised as follows:
59.3% of all managers knew the existence of an information security policy. Only 40.7%
of managers knew the existence of a password policy.
36
Policy Aware of Policy's Existence Responses Percentage
Information Security PolicyYes 91 36.5%No 158 63.5%
Total 249 100.0%
Password PolicyYes 77 30.9%No 172 69.1%
Total 249 100.0%
Table 21 : Consciousness of Policies – General Staff
The results shown in Table 21 are summarised as follows:
Only 36.5% of general staff knew the existence of an information security policy. Only
30.9% of general staff knew the existence of a password policy.
4.6 Past Experiences of Computer Crime
Appendix C shows the results of the open-ended questions in section 4 of the
questionnaire. The section begins by asking the respondents whether or not they have
experienced or believed to have experienced computer crime in the past. If the response
was yes, they were then asked to provide details of the experience and the actions
taken. The purpose of this section is to gain an overview or insight into employee
perceptions of any incidents and the actions taken as a result of such incidents.
Only 28 respondents from the sample population of 308 answered yes. However, due to
a technical glitch, users of Microsoft’s Internet Explorer were initially not able to
provide details in the text box in relation to their experience. The glitch was rectified,
but 9 respondents left the details blank as a result of the glitch. Due to the anonymous
nature of the questionnaire, it was not possible to identify the respondents and
therefore they could not be contacted for resubmission of the responses. All 19 valid
responses are presented the Appendix C.
Content analysis was performed on these responses and failed to reveal any noteworthy
findings relevant for this research. However, various experiences were in relation to
phishing attacks. For example, 5 respondents reported experiences relating to credit
37
card theft suggesting that phishing scams are prevalent and highly active. A few
experiences were in relation to attempts of hackers to gain access to email accounts.
Apart from the credit card scams, there were simply too small a sample set to reveal
anything useful.
4.7 Results Summary
It was interesting to note that there were minimal deviations between the scores of the
organisation as a whole (all staff), management and general staff in all sections of the
questionnaire. All three result sets displayed similar scores. However, the results
themselves were surprising. For example, only about 24.7% of all staff knew what the
term phishing meant. Similarly, the scores achieved by management and general staff
were 32.2% and 22.9% respectively. In relation to behaviours, the results were
alarming. For example, more than half the organisation (52.9%) has admitted to giving
away passwords. Management and general staff returned similar results, 55.9% and
52.2 respectively. The implications of the results of the questionnaire will be discussed
in greater detail in next section.
4.8 Discussion
As can be seen in section 4, the results of the questionnaire were both alarming and
surprising. Information security awareness as defined by Bulgurcu, Cavusoglu &
Benbasat (2010) of TAFE South Australia employees were generally poor. That is, there
was a clear lack of knowledge in terms of information security concepts, as well as
generally low levels of consciousness or awareness of policies. The generally low levels
of awareness were reflected in employee behaviours, whereby most employees have
admitted to performing actions which could have negative consequences for the
organisation. The ensuing sections discuss in greater detail the findings of this study.
4.8.1 Lack of Knowledge of Security Concepts
The results in section 4.1 demonstrated that the organisation performed poorly in
relation to knowledge of common security concepts. The results were particularly poor
for social engineering (all staff – 17.9%, management – 23.7%, general staff - 16.5%).
One explanation for the low scores could be that social engineering is an ambiguous
term in that the terminology is borrowed from the field of political science. Its original
meaning relates to governmental influence on society. The term was adopted by the
38
information technology industry to describe the psychological manipulation used by
hackers to obtain information (Thompson, 2006). In fact, several respondents
complained that none of the available choices for the question reflected their version of
what social engineering meant (they used the open-ended sections of the questionnaire
to express their concerns). However, given the context (information security) in which
the question was asked, it is safe to conclude that they just did not know the answer.
Even so, the synonymous nature of the term suggests that the question must be
regarded as a limitation of this study.
On the other hand, the organisation scored highly in relation to the concept of
information security (all staff – 91%, management – 93.2%, general staff – 90.8%). In
retrospect, the multiple choices available in the question (see Appendix A – Question 5)
may have been too obvious for a respondent to hazard a guess. In this case, the core
attributes of the concept as defined by Boritz (2005) were all options with the
subsequent correct answer being “All of the above”. Simple logic would suggest that
many would guess the correct answer. However, the relatively high score did reflect in
the positive results obtained in Question 10, which asked whether or not a respondent
have ever amended data without confirming accuracy and correctness. The scores were
very low (all staff – 7.8%, management – 6.8%, general staff – 8.0%) demonstrating that
only a small portion of the organisation has performed this negative action.
Phishing and spam are concepts which go hand in hand because phishing attacks are
often conducted via spam (Whitman & Mattord 2005). However, the organisation
scored relatively high for spam (all staff – 85.4%, management – 78%, general staff –
87.1%) but very low for phishing (all staff – 24.7%, management – 32.2%, general staff
– 22.9%). Such a large variance may be explained by Bulgurcu, Cavusoglu & Benbasat
(2010) which suggested that information security awareness in regards to concepts are
often built upon life experiences. For example, one may not know of a concept if they
have never experienced the phenomenon first-hand. Spam is a tremendously frequent
occurrence affecting most people, whereas phishing may not be so obvious until an
attack has been committed. Therefore not many people may know the term compared
to spam.
39
It is of the opinion that the organisation scored moderately in relation to the concept of
a strong password (all staff – 65.9%, management – 64.4%, general staff – 66.3%).
However, the accuracy of the results must be questioned due to the fact that the initial
308 responses were all subjected to manual content analysis in order to determine
whether each response was correct. The manual nature of the analysis in addition to the
unlimited variations of open-ended responses raises the possibility of incorrectly
classifying each response. This is similar to a University lecturer marking many exam
papers. Discrepancies would undoubtedly occur.
4.8.2 Lack of Awareness of Policies
The results of the questionnaire showed that many TAFE SA employees did not know of
the existence or the details of the organisation’s security related policies. Less than half
of all staff knew about an actual information security policy (40.9%) and even less for
password policy (32.8%). Management performed slightly better, with a score of 59.3%
for information security policy and 40.7% for password policy. The most alarming
results relate to the general staff, which scored only 36.5% for information security
policy and 30.9% for password policy. The poor results suggest that security policies
are not well promoted or enforced by the organisation and that emphasis is heavily
placed on technical controls without taking into account the human aspects of
information security. Dzazali, Sulaiman & Zolait (2009) suggested that policies or plans
become useless if no consideration is given to the human factors of information
security. In this case, by not ensuring that employees become proficient in the
knowledge of the organisation’s policies, the policies themselves are futile. The lack of
awareness and knowledge of policies may have allowed for staff to violate such policies,
as demonstrated and reflected in the results of the behavioural questions summarised
in section 4.3. In particularly password based actions, where it was observed that many
employees shared passwords, left computer unattended and also used inappropriate
methods for password storage. These actions are generally prohibited by an
organisation’s security and password policies if properly enforced. This is not the case
for TAFE South Australia.
4.8.3 Lack of Information Security Awareness
Information security awareness is the combination of the knowledge of concepts and
awareness of existing policies (Bulgurcu, Cavusoglu & Benbasat 2010). Due to the fact
40
that the organisation as a whole lack both knowledge of security concepts and
awareness of policies as demonstrated by the results, it can be concluded that TAFE
South Australia employees lack information security awareness. This is in line with the
observation made by Knapp et al. (2006) that there is a positive relationship between
information security awareness and preventative action. That is, employees are more
likely to have positive behaviours in relation to information security if their awareness
levels are high. In the case of TAFE South Australia, the lack of awareness have resulted
in many employees engaging in negative actions and behaviours in violation of
information security, thus reaffirming the relationship as defined by Knapp et al. (2006)
4.8.4 Relationships between Concepts and Behaviours
The study into the feasibility of a vocabulary test to assess information security
awareness conducted by Kruger, Drevin & Steyn (2010) identified significant
relationships between knowledge of concepts and behaviours. That is, knowing a
concept will translate into positive behaviours relating to the concept. However, the
current study is in contrast to Kruger, Drevin & Steyn (2010). The results shown in the
cross-tabulations between concepts and corresponding behaviours (refer to Table 1)
identified surprising results which contradicted Kruger, Drevin & Steyn (2010). For
instance, an alarming 74.1% of all staff who knew the concept of phishing still engaged
in clicking on links embedded in potential spam. Both management and general staff
sample sets showed similar results, 78.9% and 71.9% respectively. Similarly, an
alarming 75.3% of all staff who knew what spam is also engaged in the clicking of links
embedded in potential spam. Again, there were hardly any differentiations between the
management and general staff result sets, 76.1% and 75.1% respectively. It can be
concluded that knowing the concept of spam and phishing did not mean that the
employees will not take the risk and click on potentially dangerous links. The likely
reason for this may again be attributed to the lack of policy enforcement or promotion.
In relation to strong passwords, the results also contradicted Kruger, Drevin & Steyn
(2010) in that knowing the concept of a strong password still resulted in staff engaging
in password sharing, leaving computers unattended and unlocked. Using the all staff
result set as an example (management and general staff again showed minor variance),
51.7% of staff who knew what a strong password is did not stop them from sharing
passwords. Similarly, an alarming 79.3% of staff who knew the concept of a strong
41
password have admitted to leaving their computer terminals unattended and unlocked.
The reason for such actions could be a result of the trust formed between co-workers.
However, the security risks are clearly present.
4.8.5 Recommendations
TAFE South Australia is clearly plagued with employee non-compliance of information
security policies. The low levels of awareness may have contributed to such non-
compliance. As suggested by Yeo, Rahim & Miri (2007), the lack of awareness and non-
compliance poses serious risks for the organisation and should be properly assessed
and mitigated as part of the organisation’s overall risk assessment strategies. It is
therefore highly recommended that TAFE South Australia implement proper risk
assessment strategies which include information security awareness as an important
component.
Further, once the security risks are properly assessed, they can be mitigated by
improving security awareness. As suggested by Lane (2007), the adoption of adequate
information security awareness training programs will ensure that employees know of
their responsibilities and also foster an organisational culture of information security
compliance, thereby improving the mitigation of such risks. It is therefore
recommended that TAFE South Australia explore such programs. The exploration of
these programs forms the basis of the suggestion follow up studies in the future.
42
5. Conclusion
5.1 Research Summary
Employee information security awareness has been widely regarded as an important
contributing factor in any successful organisational information security plans.
However, there is a gap in literature in that very little has been done in an Australian
context in relation to information security awareness, thus giving rise to this study.
This exploratory study utilised a specially designed online questionnaire to assess the
levels of information security awareness within TAFE South Australia.
Information security awareness can be defined as the combination of a person’s
knowledge of security concepts and the person’s awareness or consciousness of the
existence of any security related policies. Therefore the questionnaire was used to test
the respondents’ knowledge of commonly known security concepts as well as the
respondents’ consciousness of the organisations security policies in order to gain
insight into the awareness levels of the organisations. In addition, the questionnaire
also tested for behaviours which are related to corresponding security concept.
The results of the study revealed that employee awareness levels for TAFE South
Australia are surprisingly low, with employees lacking in both knowledge of concepts
and awareness of the organisation’s policies. The lack of information security
awareness was reflected in the admission by many employees that they had previously
engaged in behaviours (such as password sharing) which were in direct violation of
information security. This may be a result of the lack of policy promotion and
enforcement.
Finally, this exploratory study has achieved the aim of gaining valuable insight into the
workings of an Australian organisation in relation to information security awareness.
It is important that TAFE South Australia explore information security awareness as an
organisational risk which must be assessed and mitigated. Subsequently, the identified
risks may be mitigated by adopting relevant awareness programs which will ultimately
foster an organisational wide culture of information security compliance.
43
5.2 Limitations
Due to time constraints, a full appreciation of the importance of terminologies used in
the questionnaire was not realised. For instance, social engineering is an ambiguous
term in that it is synonymous with a different meaning within the field of political
science. In relation to the responses to strong password, manually conducting content
analysis for the relatively large number of responses may have increased the chance for
discrepancies.
The initial design of the questionnaire included a question which asked respondents’
whether or not they have ever knowingly provided confidential information to
outsiders in circumstances they felt it was justified to do so. At TAFE South Australia’s
request, the question was omitted from the final version of the questionnaire. The
reasoning was that the responses to such a question could potentially create a public
outcry for the organisation. For instance, if the responses revealed that employees did
in fact knowingly released confidential information, the public would have every right
to question TAFE South Australia’s integrity. However, by omitting the question, this
study may have lost valuable insights.
5.3 Future Research
Assessing information security awareness is deemed to be an initial step in achieving
security readiness. The next step would naturally be to determine how the problem
areas identified in this study can be approved through best practices. That is, future
research should focus on how awareness levels can be improved, thus improving the
security readiness of the organisation. In the long run, future research should also focus
on including information security awareness as part of an overall organisational
security strategy by adopting suitable awareness enhancing programs.
44
6. Ethics and ComplianceThe University of South Australia is bound by the Australian Code for Responsible
Conduct of Research and the National Statement on Ethical Conduct in Human Research.
Due to the human involvement required in this study, an application for approval was
submitted to the University’s Human Research Ethics Committee. Subsequently,
approval was given by the committee.
In addition, permission was obtained from TAFE South Australia to interact with
employees and to deliver appropriate questions to the employees, and to obtain
relevant data in relation to TAFE South Australia and its employees. Written approval to
conduct all activities relating to this study was given by the Chief Executive of the Office
of TAFE SA.
Finally, the online questionnaire to be delivered as part of this study may have involved
gathering information relating to psychological condition or collection of personal data
and as required by the University, the Insurance for Research Projects and Health
Sciences Fieldwork form was submitted to the Human Research Ethics Committee to
ensure that the project is covered by insurance. Subsequently, approval for insurance
cover was given by the committee.
45
Reference
Bulgurcu, B, Cavusoglu, H & Benbasat, I 2010, ‘Information Security Policy Compliance:
An Empirical Study of Rationality-Based Beliefs and Information Security Awareness’,
MIS Quarterly, vol. 34, no. 3, pp. 523-A7.
Boritz, JE 2005, ‘IS Practitioners’ Views on Core Concepts of Information Integrity’,
International Journal of Accounting Information Systems, vol. 6, no. 4, pp. 260-279.
Btoush, M, Alarabeyat, A, Zboon, M, Ryati, O, Hassan, M & Ahmad, S 2011, ‘Increasing
Information Security Inside Organizations Through Awareness Learning for Employees’,
Journal of Theoretical & Applied Information Technology, vol. 24, no. 2, pp. 79-85.
Cervone, F 2005, ‘Understanding The Big Picture So You Can Plan For Network Security’,
Computers in Libraries, vol. 25, no. 3, pp. 10- 15.
Doherty, NF, Anastasakis, L & Fulford, H 2009, ‘The information security policy
unpacked: A critical study of the content of university policies’, International Journal of
Information Management, vol. 29, no. 6, pp. 449-457.
Dzazali, S, Sulaiman, A & Zolait, AH 2009, ‘Information security landscape and maturity
level: Case study of Malaysian Public Service (MPS) organizations’, Government
Information Quarterly, vol. 24, no. 4, pp. 584-593.
Everett, C 2010, ‘Social Media: Opportunity or Risk?’, Computer Fraud & Security, vol.
2010, no. 6, pp. 8-10.
De Haes, S, Van Grembergen, W 2009, ‘An Exploratory study into IT Governance
Implementations and its Impact on Business/IT Alignment’, Information Systems
Management, vol. 26, no. 2, pp. 123-137.
Hagen, JM, Albrechtsen, E & Hovden, J 2008, ‘Implementation and effectiveness of
organizational information security measures’, Information Management & Computer
Security, vol. 16, no. 4, pp. 377-397.
46
Knapp, KJ, Marshall, TE, Rainer, RK, & Ford, FN 2006, ‘Information security:
management's effect on culture and policy’, Information Management & Computer
Security, vol. 14, no. 1, pp. 24-36.
Kruger, H, Drevin, L & Steyn, T 2010, ‘A vocabulary test to assess information security
awareness,’ Information Management & Computer Security, vol. 18, no. 5, pp. 316-327.
Laaksonen, E & Niemimaa M 2011, ‘Information Security Policies, a Frames of Reference
Perspective’, Department of Computer Science Master thesis, Lulea University of
Technology.
Lane, T 2007, ‘Information Security Management in Australian Universities – An
Exploratory Analysis’, Faculty of Information Technology Master thesis, Queensland
University of Technology.
Microsoft Safety & Security Centre 2011, Microsoft, viewed 9 October 2011,
<http://www.microsoft.com/en-gb/security/online-privacy/passwords-create.aspx>
McFadzean, E, Ezingeard, J & Birchall, D 2007, ‘Perception of risk and the strategic
impact of existing IT on information security strategy at board level’, Online Information
Review, vol. 31, no. 5, pp. 622-660.
Mouratidis, H, Jahankhani, H & Nikhoma, MZ 2008, ‘Management versus security
specialists: an empirical study on security related perceptions’, Information
Management & Computer Security, vol. 16, no. 2, pp. 187-205.
Namjoo, C, Kim, D, Goo, J & Whitemore, A 2008, ‘Knowing is doing: An empirical
validation of the relationship between managerial information security awareness and
action’, Information Management & Computer Security, vol. 16, no. 5, pp. 484-501.
Samy, NG, Ahmad, R & Ismail, Z 2010, ‘Security threats categories in healthcare
information systems’, Health Informatics Journal, vol. 16, no. 3, pp. 201-209.
Siponen, M & Vance, A 2010, ‘Neutralization: New Insights Into The Problem Of
Employee Information Systems Security Policy Violations’, MIS Quarterly, vol. 34, no. 3,
pp. 487-A12.
47
Spears, JL & Barki, H 2010, ‘User Participation in Information Systems Security Risk
Management’, MIS Quarterly, vol. 34, no. 3, pp. 503-A5.
TAFE South Australia 2011, TAFE South Australia, Adelaide, viewed 12 June 2011,
<http://www.tafe.sa.edu.au/about-tafesa.aspx>.
Thompson, STC 2006, ‘Helping the Hacker? Library Information, Security, and Social
Engineering’, Information Technology & Libraries, vol. 25, no. 4, pp. 222-225.
von Solms, R 1998, ‘Information Security Management (1): Why Information Security is
so Important’, Information Management & Computer Security, vol. 6, no. 4, pp. 174-177.
Whitman, ME & Mattord HJ 2008, Management of Information Security, 2nd edn,
Thompson Course Technology, Australia.
Whitman, ME & Mattord HJ 2005, Principles of Information Security, 2nd edn, Thompson
Course Technology, Australia.
Williams, PAH 2008, ‘When trust defies common security sense’, Health Informatics
Journal, vol. 14, no. 3, pp. 211-221.
Yeo, AC, Rahim, M & Miri L 2007, ‘Understanding Factors Affecting Success of
Information Security Risk Assessment: The Case of an Australian Higher Educational
Institution’, in Proceedings of the Pacific Asia Conference on Information Systems 2007,
Auckland
48
Appendix A: Questionnaire
Section 1 – Knowledge of Concepts
Question 1: Phishing is:
a) ☐ The use of an email message which appears to be legitimate for the purpose of obtaining confidential information
b) ☐ When someone is persuaded to give away confidential information
c) ☐ The use of an email message which appears to be legitimate for the purpose of obtaining confidential information
d) ☐ Is also known as identity theft
e) ☐ All of the above – correct answer
f) ☐ I don’t know
Question 2: Spam is:
a) ☐ Another word for email or electronic messages
b) ☐ A marketing technique
c) ☐ Any unsolicited electronic mail – correct answer
d) ☐ All of the above
e) ☐ I don’t know
Question 3: Social Engineering is:
a) ☐ The use of technical means to gain unauthorised access to information
b) ☐ The use of non-technical means to gain unauthorised access to information – correct answer
c) ☐ Related to social media
d) ☐ I don’t know
Question 4: Please explain in a few words what your idea of a strong password is:
49
Question 5: Please select from the following what you believe to be the most important:
a) ☐ Data or information must be accurate
b) ☐ Data or information must be trustworthy
c) ☐ Data or information must be current
d) ☐ All of the above are important – correct answer
e) ☐ I don’t know
Section 2 – Behaviours and Actions
Question 6: Have you ever given your computer passwords to anyone such as a colleague, or logged someone onto a computer using your own passwords?
a) ☐ Yes
b) ☐ No
Question 7: Have you ever left your computer unattended without logging off or locking the computer?
a) ☐ Yes
b) ☐ No
Question 8: In relation to passwords:
a) ☐ I never change my passwords
b) ☐ I always choose passwords which are simple and easy to remember
c) ☐ I give my passwords to someone else (e.g., a colleague) for safe keeping
d) ☐ I change my non-simple passwords all the time, but I still manage to memorise them
e) ☐ I write them down and store them near my computer
e) ☐ I write them down and store them in a safe place
Question 9: Have you ever clicked on a link which has been embedded into an email which you have received from an external company?
a) ☐ Yes
b) ☐ No
Question 10: Have you ever amended data or performed data entry
50
without confirming the correctness of the data? For example, changing a student’s name or address in SMS or SIS without seeing proof?
a) ☐ Yes
b) ☐ No
Question 11: Have you ever discussed information or issues relating to your workplace on any social networking sites (e.g., Facebook, Twitter)?
a) ☐ Yes
b) ☐ No
Section 3 – Consciousness of Policies
Question 12: Are you aware of the existence of an information security policy for TAFE SA?
a) ☐ Yes – I know exactly where to find it
b) ☐ Yes I’ve heard of such a policy, but I don’t know the details
c) ☐ No
d) ☐ I don’t know what an information security policy is
Question 13: Are you aware of the existence of a password policy for TAFE SA?
a) ☐ Yes – I know exactly where to find it
b) ☐ Yes I’ve heard of such a policy, but I don’t know the details
c) ☐ No
d) ☐ I don’t know what a password policy is
Section 4 – Experiences with Computer Crime
Question 14: Have you ever experienced or felt that you have experienced computer crime at work or outside of work? (For example, unauthorised access to your computer accounts, or you have had your personal details stolen)
a) ☐ Yes
b) ☐ No
Question 15: If you have answered yes in the last question, please briefly
51
provide details of the computer crime you experienced:
Question 16: In relation to the computer crime you experienced, what actions did you take? (for example, did you report the incident? Who did you report the incident to?) Please briefly provide details:
Section 5 – Demographics
Question 17: Which of the following best describes your role?
a) ☐ Senior management
b) ☐ Middle or operational management
c) ☐ Lecturing staff
d) ☐ General administration or frontline
e) ☐Other – please specify:
52
Appendix B: Questionnaire Invitation to All Staff
53
54
55
Appendix C: Questionnaire Section 4 Responses
Details of experience Action taken
My world of warcraft and hotmail account have been hacked in the past, but have rectified the situation.
Called Blizzard to fix up the WoW issue, and changed me PW for hotmail while making sure that no other email accounts were attached, cause thats how they keep at you.
Wireless internet access - when I got my wireless router I had no idea how to work it. Months later I researched when my usage was high and found out someone else connecting to it.
I just used the tools to password protect my internet. Something about DHCP client or similar rings a bell?
Web site been hacked and used as a phishing site. Another site hacked - but perpetrator reported the security loophole.
Phishing site had already been reported (I was notified by a security firm).
my boss uses my password change my password.
they access my details to an accountThey actually notified me straight away and put a hold on the information
my password given to casual staff when I went on leave giving them access to my drives, emails, etc
should of but didn't
had the experience of watching my cursor passing across my screen, clicking into areas on my computer in same way remote access from IT happens. However was not in communication with IT department or given approval for remote access at the time.
reported it to IT department,who responded by saying that it "was probably another person in close proximity using a wireless mouse who was on the sam frequency as me and the signals got confused and went to my computer instead??"
Spam and unsolicited emails with links from AOL or similar providers
Notified ICT and then hard deleted without opening the link
A hacker from another country gained access to my VISA card details from, I believe, some transactions I had made to ebay or some other internet site. Fortunately I didnt have a lot of money in the account but the bank was able to credit me with the money stolen!!!
The bank contacted me, I didnt even know my account had been accessed - as this was done over a weekend!
56
Opening the last document in word, and someone elses document came up; It was confirmed to me that ICT remoted into my computer on numerous occassions to attempt to find fault with my machine or usage; they are probably the culprits (YES - I reported the invasions to my managers - Who thought that I was imagining things! - But like I said when a staff of ICT left the TAFE he confirmed off record what I had suspected).
Reported to work manager; problem is that ICT was (I believe but un supported- involved)
Someone tried to guess my yahoo email account password.
I changed my password. Didn't report the incident to anyone.
My personal files being accessed without my knowledge or permission
Told my manager
An IT help desk person logged into my computer without my consent after our call had concluded, the IT person on campus followed up with this issue.
It happened as I was sitting at my desk, I got the IT personell on campus & they contacted the other person & then the IT manager followed up with the incident
As a systems administrator in industry, servers under my control were compromised, but no information was stolen.
Rebuilt servers to remove backdoors and patched the vulnerability used to gasin access. Incidents were not reported to police.
Asked for varification of account details via email stating that they are from the ANZ and Commonwealth banks and Paypal restricted account email. The ANZ banking requests come alsmot daily at present and weekly for the Commonwealth bank. I have had money taken from my Paypal account which was reversed and money removed from my ANZ Visacard from overseas. /
Removed all funds from tageted account changed all passwords and cancelled Visa Card (replaced). Altered Passwords on PayPal and all bank accounts. Downloaded and ANZ bank App for my Iphone and use PIN's as well as passwords.
Identifty theft resulting in unauthorised financial transactions.
Yes, reported to my financial organisation. They tracked and corrected it, although it took many months to sort out.
Credit card fraud reported it to bank.
My manager wanted access to my computer while I was on leave so contacted ICT who freely gave out that information. On my return I inadvertantly found out and found out they still had access.
I complained in writing to ICT and I understand ICT have stopped doing that now. They ended up sending an email out to all staff advisign that passwords were not to be givne out etc. / / Let's hope it really was ICT..........hee hee
My work and home credit card details were stolen and used without my consent, even though I have virus/security software on my computers. I am required to shop online for my job, and also do some at home, so this is how my details were stolen. Both cards were cancelled and replaced with new ones.
I reported my work one to the purchase card people and ANZ at work, who then cancelled the card. My home details that were taken were picked up by my bank's security system, and they let me know of this. I then rang the bank to confirm what was being said.
57