Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements

Curran, Theresa

01 January 2018

Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations proactively prevent these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content. This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in literature, but the amount of organizationally-relevant content has not been examined in balance of newer compliance mandates.The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third party program requirements than was originally expected. Negative and positive impacts of third party compliance requirements were identified. Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.

cybersecurity program

information security awareness

information security policy

organizational relevance

security compliance requirements

security risk management

Computer Sciences

Empathy in Security: The Effect of Personalized Awareness and Training Initiatives on Information Security Attitude and Behavioral Intention

Donaldson, Jacob

19 May 2021

No description available.

Business Administration

Information Security

Information Security Awareness

Information Security Training

Empathy in Information Security

Persuasive Communication

Elaboration Likelihood Model

Linking Information Security Awareness to Information Security Management Strategy.A Study in an IT Company

Spandonidis, Bladimiros

January 2015

There is a great concern when it comes to the investigation of the parameters that affect the formulation of an information security management strategy in an organization. Amongst others, information security awareness is of great interest, mainly because it links the implementation of the information security policies to the consciousness and the psychology of the employees of an organization. State it otherwise, the information security awareness positively beholds the role of a bridge so as to help the IS managers to evaluate the level that the critical information of the organization are secured, and it offers to IS managers opportunities to develop suitable training programs and information security policies for all the employees of an organization. In the current thesis, we focused on the investigation of the factors that influence the behavior of the employees in order to accept any information security policy of the organization and to adopt information security awareness.The psychology of security and technology (POST™) framework (Layton, 2005) together with a PEST (Political, Economic, Social, Technology) analysis guide the investigation and offer the theoretical background for the conduction of a study in an IT Company. A qualitative research has been conducted and semi-structured interviews helped for the collection of the desired data. Also a thematic analysis and the use of a generic approach (Lichtman, 2013) helped for the analysis of the data. The final results gave the ability to identify in practice the employees’ information security awareness adoption level, to link the measurement findings to the development of an information security management strategy and to refine the POST™ framework for its greater advance.

Information security awareness

information security policies

compliance

psychology

security

measurement

information security training programs

POST™ framework

PEST analysis.

Säkerhetsmedvetenhet och integration av IoT : En kvantitativ studie på konsumenters säkerhetsmedvetenhet och syn på integration av IoT / Security awareness and integration of IoT : A quantitative study of consumers safety awareness and views on the integration of IoT

Lindström, Oskar, Magnusson, August

January 2021

Internetuppkopplade apparater blir allt vanligare att se i våra hem. Samlingsordet för dessa enheter är Internet of Things (IOT). Med införande av IoT i våra hem skapas fler accesspunkter till internet, vilket även skapar en större attackyta. I kombinationmed den ständigt växande cyberkriminalliteten och införandet av IoT i våra hem ökar risken för att utsättas för en attack. Tidigare forskning inom området gällande konsumenters informationssäkerhetsmedvetenhet visar att konsumenterna har låg medvetenhet och bristande kunskaper för de hot som tillkommer vid integrationen av en IoT-enhet ihemmet. Det finns även tidigare forskning som undersökt vilka faktorer som påverkar individernas inställning till att anta ny teknologi. Mycket av den tidigare forskningen inom området har fokuserat på de tekniska aspekterna och fokuset har inte varit på konsumenternas informationssäkerhetsmedvetenhet och deras inställning till den ökande integrationen av IoT. Den här studien syftade till att undersöka svenska konsumenters informationssäkerhetsmedvetenhet och deras inställning till den ökande integrationen av IoT. Studien avsåg att undersöka hur medvetna konsumenterna är för de informationssäkerhetsrisker som tillkommer vid integreringen av IoT i hemmet i kombination med att undersöka deras syn på den ökade integrationen av IoT ivardagen. Studien har fokuserat på två olika enheter. Dessa enheter genererar data via ljudupptagning samt videoinspelning. En kvantitativ metod med en enkätundersökning tillämpades för att se ifall den låga kunskapen hos respondenter fanns, men även för att lättare nå ut till fler respondenter. För att förstå konsumenternas beteende utformades enkätfrågorna utifrån den allmänt tillämpade beteendemodellen Theory of planned behavior (TPB). Studien fann att majoriteten av respondenterna hade en låg medvetenhet för de risker som tillkommer med integreringen av IoT-enheter, samt låga kunskap för de säkerhetsåtgärder som går att implementera. Trots den låga medvetenheten för riskerna visade det sig att respondenterna hade en mycket positiv inställning till den ökade integrationen av IoT och att de funderar på att införskaffa fler IoT-enheter. / Internet-connected devices are becoming more common to see in our homes. The collective word for these devices is Internet of Things (IoT). With the introduction of IoT in our homes, more access points to the internet are created, which also creates alarger attack area. Combined with the ever-growing cybercrime and the introduction of IoT in our homes, the risk of being attacked increases. Previous research in the field of consumer information security awareness shows that consumers have low awareness, and lack of knowledge about the threats posed by the integration of an IoT device in the home. Previous research has examined the factors that influence individuals attitudes towards adopting new technology. Much of the previous research in the field has focused on the technical aspects and the focus has not been on consumers information security awareness and their attitude to the increasing integration of IoT. This study aimed to examine Swedish consumers' information security awareness and their attitude towards the increasing integration of IoT. The study aimed to examine how aware consumers are of the information security risks that arise from the integration of IoT in the home in combination with examining their stand on the increased integration of IoT in their everyday life. The study has focused on two specific IoT-devices. These devices generate data via audio recording and video recording. A quantitative method with a survey was applied to examine how aware the consumers where of the information security risks, but also to be able to include more respondents in the study. To understand consumer behavior, the questionnaires were designed based on the generally applied behavioral model Theory of plannedbehavior (TPB).The study found that the majority of respondents had a low awareness of the risks involved with the integration of IoT devices, as well as low knowledge of the security measures that can be implemented. Despite the low awareness of the risks, it turnedout that the respondents had a very positive attitude towards the increased integrationof IoT, and that they also are considering acquiring more IoT devices.

Information security

information security awareness

Internet of Things

IoT

IoT integration

Informationssäkerhet

informationssäkerhetsmedvetenhet

Internet of Things

IoT

IoT integration

Computer Systems

Datorsystem

Communication Systems

Kommunikationssystem

Information Systems

Hur ISO 27001 certifierade företag utvecklar sina anställdas Kunskap, Attityd och Beteende mot Informationssäkerhetsmedvetenhet / How ISO 27001 certified companies develop their employees´Knowledge, Attitude and Behavior towards Information Security Awareness

Istiphan, Sebastian, Biller, Alexander

January 2023

Många företag har idag ett stort ansvar att hålla information säker. Med människor som jobbar med informationen hos företag följer därför arbetet med att stärka informationssäkerhetsmedvetenheten, vilket kan göras genom att bland annat implementera ett ledningssystem för informationssäkerhet efter standarden ISO 27001. Det finns däremot flera sätt att påverka informationssäkerhetsmedvetenheten och bland dessa är det genom att påverka kunskap, attityd eller beteende. Denna studie har därför undersökt hur företag arbetar med dessa aspekter i ett företag certifierat genom ISO 27001. För studien har semistrukturerade intervjuer utförts hos ISO 27001-certifierade företag med vidare analys för att besvara studiens frågeställning. Resultaten visar att företagen enhetligt har ett stort fokus på kunskapsaspekten av arbetet med informationssäkerhetsmedvetenhet samt att beteende är något som sällan är problematiskt men följes upp med åtgärder beroende på incidenten. Slutsatserna som presenteras är rekommendationer som när applicerbara ökar informationssäkerhetsmedvetenheten hos företag.  Studien har främst undersökt kunskap, attityd och beteende hos ISO 27001-certifierade företag i Sverige vilket gör att kulturella och dylika faktorer möjligtvis saknas, vilket kan påverka hur applicerbara rekommendationer är för företag utanför Sverige. / Many companies today have a big responsibility to keep their information secure. As there are employees working with information, there is also a need for improvement of the employee’s information security awareness. This can be done through implementation of a management system for information security of the ISO 27001 standard. There are multiple ways to improve the information security awareness and some of these are through improving the knowledge, attitude, and behavior of the employee. This study has investigated how companies that have an ISO 27001 certification improve their employee’s knowledge, attitude, and behavior. The study identified this improvement through a qualitative method using semi-structured interviews, where the respondents are employees at companies that are ISO 27001 certified, the interviewees answers were then analyzed to answer the study’s question at issue. The results show that the companies uniformly focus on the knowledge aspect of information security awareness and that behavior is rarely an issue but that in the case of an incident is investigated. The conclusion presents recommendations as to how companies can improve their employee’s knowledge, attitude, and behavior to information security. The study mainly studied the knowledge, attitude, and behavior of Swedish companies that are ISO 27001 certified, which makes cultural and similar factors are missing which might affect how applicable the recommendations are for companies outside Sweden.

KAB

Knowledge

Attitude

Behavior

Information Security Awareness

ISO 27001

Information Security.

KAB

Kunskap

Attityd

Beteende

Informationssäkerhetsmedvetenhet

ISO 27001

Informationssäkerhet.

Information Systems

Informationssäkerhetsrisker och organisatoriska sanktioner vid användandet av privata smarta enheter i Försvarsmakten : En studie om användning av privata smarta enheter

Persson, Tobias, Andersson, Emil

January 2020

Denna uppsats undersöker intentionen att använda smarta enheter i tjänst hos personal i Försvarsmakten, som är en organisation med högt behov av verksamhetssäkerhet. Verksamhetens säkerhet är direkt beroende av hur personal inom verksamheten agerar utifrån ett säkerhetsperspektiv. Syftet är att belysa hur Försvarsmakten förmedlar informationssäkerheten kring smarta enheter och hur personalen påverkas utifrån det. Det empiriska materialet har samlats in genom en kvalitativ fallstudie i form av semistrukturerade intervjuer med två olika grupper. Resultatet analyseras med hjälp av ett teoretiskt ramverk bestående av Protection Motivation Theory (PMT) och General Deterrence Theory (GDT) i syfte att belysa vad det är som avgör personalens beteende. Teorierna utgår från att beteendet påverkas av rädsla för sanktioner eller för hot mot verksamhet och individ. Resultatet visar att aspekter från de båda teorierna är närvarande hos personalen och att det som påverkar den enskildes agerande beror på vilken information organisationen delgett och individernas personliga uppfattningar. Personalen är medveten om de risker som följer av användningen av smarta enheter, men enheterna används ändå i stor utsträckning. Faktorer som spelar in i intentionen är kunskapsnivån, befattningen individen besitteroch arbetsområdet individen verkar inom. / This paper examines the intention to use smart devices by staff in the Swedish Armed Forces,which is an organization with a high need for operational security. The security of the business isdependent on how staff within the business behave, in a security perspective. The purpose is toelucidate how the Swedish Armed Forces conveys information security regarding smart devicesand how their staff are affected. The empirical material has been collected through a qualitativecase study in the form of semi-structured interviews with two different groups. The results areanalyzed using a theoretical framework consisting of Protection Motivation Theory (PMT) andGeneral Deterrence Theory (GDT) in order to elucidate what determines the behavior of the staff.The theories are based on the fact that behavior is affected by fear of sanctions or threats to thebusiness and individuals. The result shows that aspects in both theories are present in the staffbehavior. What influences the individual's actions depends on what information the organizationhas shared and the personal perceptions of the individuals. Factors that play into the intention arethe level of knowledge, the position the individual possesses and the area of work the individualoperates within.

Smart devices

Operations security

Information security

Information security awareness

General Deterrence Theory

Protection Motivation Theory

Swedish Armed Forces.

Smarta enheter

Verksamhetssäkerhet

Informationssäkerhet

Information security awareness

General Deterrence Theory

Protection Motivation Theory

Försvarsmakten

Information Systems, Social aspects

Towards an information security awareness process for engineering SMEs in emerging economies

Gundu, Tapiwa

January 2013

With most employees in Engineering Small and Medium Enterprises (SME) now having access to their own personal workstations, the need for information security management to safeguard against loss/alteration or theft of the firms’ important information has increased. These Engineering SMEs tend to be more concerned with vulnerabilities from external threats, although industry research suggests that a substantial proportion of security incidents originate from insiders within the firm. Hence, technical preventative measures such as antivirus software and firewalls are proving to solve only part of the problem as the employees controlling them lack adequate information security knowledge. This tends to expose a firm to risk and costly mistakes made by naïve/uninformed employees. This dissertation presents an information security awareness process that seeks to cultivate positive security behaviours using a behavioural intention model based on the Theory of Reasoned Action, Protection Motivation Theory and the Behaviourism Theory. The process and model have been refined and verified using expert review and tested through action research at an Engineering SME in South Africa. The main finding was information security levels of employees within the firm were low, but the proposed information security awareness process increased their knowledge thereby positively altering their behaviour.

Computer security -- South Africa

Information technology -- South Africa

Small business -- South Africa

Engineering firms -- South Africa

Information Security Awareness

Information Security Behaviour

Information Security Training

The human connection to information security : A qualitative study on policy development, communication and compliance in government agencies / Den mänskliga kopplingen till informationssäkerhet : En kvalitativ studie om policyutveckling, kommunikation och efterlevnad inom statliga myndigheter

Abdulhadi, Osama

January 2023

The human factor and insider threats play a crucial role in information security. In today’s digital age, protecting organizational data requires a deep understanding of human behaviour and its impact on information security. The increasing volume of electronically stored data has led to a rise in cyber threats and breaches, necessitating effective information security policies and regulations. This study focuses on the experiences and perspectives of employees and top management in government agencies regarding the development, communication, compliance, and attitudes towards information security policies and regulations. Semi-structured interviews were conducted with participants from both top management or information security officers and regular employees, which allowed for an in-depth exploration of their experiences and perspectives. The findings show that government agencies systematically develop policies by engaging stakeholders, ensuring accessibility, and adhering to legal frameworks. Addressing the human factor involves training, awareness programs, and top management support. Policy development and implementation include risk assessment, stakeholder identification, objective setting, continuous review, and integration into daily operations. Communication channels such as intranets, training, coordinators, and awareness events are utilized, but their effectiveness is not directly measured. Proposed improvements include enhancing accessibility, improving policy document management, and using clearer language. Employees generally possess a positive attitude towards information security, though their understanding varies, and challenges to their understanding include complex language and unclear instructions. Compliance also varies, with difficulties arising from technical terminology and information overload. Enhanced compliance can be achieved through simplified language, providing better resources, and top management support. Proactive incident management focuses on learning and risk minimization. The human factor and insider threats remain significant concerns, which emphasizes the need for further education, awareness training, and motivation.

Communication

compliance

development

effectiveness

government agencies

human factor

information security

information security awareness

information security culture

information security management system

information security policy

insider threat

Information Systems, Social aspects

Informationssäkerhetsmedvetenhet inom mikro- och småbolag : Medvetenhetsåtgärder hos svenska mikro- och småbolag inom IT-branschen / Information security awareness in micro and small companies.

Vukovic, Alexander, Samet, Özcelik

January 2022

All organizations, regardless of size, are affected by information security awareness. Information security awareness is an important component, especially for organizations in the IT industry, to be able to respond to new cyber threats but also comply with requirements and regulations for handling customer data. The purpose of the study is to improve awareness-raising measures used by Swedish micro and small companies in the IT industry to increase information security awareness among employees. The study is performed through semi-structured interviews and then analyzed using the Grounded theory-method. The study highlights the awareness measures used in the IT industry and how they are used among companies to make employees aware of information security. In addition, the companies' underlying motives for their choice of awareness measure and their perspective on adapting the measure are examined. The study's conclusions present recommendations that can be used by micro and small companies in the IT industry to improve their awareness-raising measures. The study highlights the importance of adapting training measures, but also that companies should present reality-based scenarios to employees. In addition, it is also emphasized that incentives should be used by information security officers for employees to ensure compliance. / Alla organisationer, oavsett storlek påverkas av informationssäkerhetsmedvetenhet. Medvetenhet om informationssäkerhet är en viktig komponent i synnerhet för organisationer inom IT-branschen för att kunna bemöta nya cyberhot men också efterleva krav och regleringar för hantering av kunddata. Syftet med studien är att förbättra medvetenhetshöjande åtgärder som används av svenska mikro- och småbolag inom IT-branschen för att öka informationssäkerhetsmedvetenheten bland anställda. Studien utförs genom semistrukturerade intervjuer och analyseras sedan med hjälp av Grundad teori-metoden. Studien synliggör vilka medvetenhetsåtgärder som används inom IT-branschen och hur de används bland bolagen för att göra anställda medvetna gällande informationssäkerhet. Dessutom framgår bolagens bakomliggande motiv för deras val av medvetenhetsåtgärd samt deras perspektiv på anpassning av åtgärd. Studiens slutsatser presenterar rekommendationer som kan användas av mikro- och småbolag inom IT-branschen för att förbättra deras medvetenhetshöjande åtgärder. Studien lyfter fram betydelsen av anpassning av utbildningsåtgärder, men även att bolagen bör presentera verklighetsförankrade scenarier till de anställda. Därtill framhävs även att incitament bör användas av informationssäkerhetsansvariga till anställda för att säkerställa efterlevnad.

Information security

information security awareness

awareness measures

training measures

compliance

IT industry

micro and small companies

Informationssäkerhet

informationssäkerhetsmedvetenhet

medvetenhetsåtgärder

utbildningsåtgärder

efterlevnad

IT-branschen

mikro- och småbolag

Information Systems