  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
51

Impact of demographic factors on information security awareness : a study on professionals and students in Sweden

Ojala Burman, Emma January 2021
Over the past year, cyberattacks have increased and one of the reasons is a lack of security awareness in society. The Covid-19 pandemic has forced a drastic change in working conditions and the most prominent shift is that many people had to start working from home. From an information security perspective, this places great demands on the individual since they are not protected by their organization's security solutions in the same degree as in the physical office space. This is being exploited by cybercriminals and the issue of focusing on the human aspect of information security is becoming more essential. Education is used to increase information security awareness (ISA), which in turn leads to improved security behavior. Through education, organizations can therefore reduce the risk of being exposed to various cyberattacks. To develop training programs within information security, one should look for the underlying factors that have an impact on ISA. Therefore, the purpose of this study is to see if demographic factors have any impact on ISA among Swedish professionals and students. The study is based on a quantitative survey in which a total of 157 professionals and students participated. The study was conducted using The Human Aspects of Information Security Questionnaire (HAIS-Q), which is a validated questionnaire developed to measure ISA. The results of the study strengthen previous findings that knowledge about security policies is a crucial factor for a high ISA. In addition, age and level of education also show an impact on ISA. Information about underlying factors that impact ISA can be useful when designing training programs in information security for Swedish professionals and students.
52

INFORMATION SECURITY AWARENESS TRAINING FOR END-USER : A Survey on the Perspective of Nordic Municipalities

Al Salek, Aous January 2021
The reliance on information systems in daily operations in organizations made these systems and the security thereof a vital asset that must be protected. Traditionally, technical solutions were thought to be the critical factor in achieving security requirements. However, this has changed with research advancements into information security, suggesting that users are the root cause of the majority of information security incidents. It is widely accepted that an integral part of the methodology of securing information systems is end-user Information Security Awareness Training (ISAT). The goal of ISAT is described to be a change in user behavior. As a result, research into the area has been steadily improving the ways ISAT is carried out. Yet, information security incidents are still on the rise with no indication of slowing down. Previous research has mainly examined users’ experience in relation to ISAT with very little focus on the organizational perspective. In this study, the organizational perspective on the preferences and expectations of ISAT is examined by inviting all Nordic municipalities to participate in an online survey. The survey consisted of two parts; the first part focused on the current state of ISAT in Nordic municipalities. The second part examined the ideal design of ISAT according to participants. The results obtained from the survey revealed that the participating Nordic municipalities are well aware of recent developments in ISAT. Furthermore, their preferences and expectations of ISAT and what they consider an ideal design of ISAT conform to what is suggested in the literature, with some exceptions. However, there seems to be a gap between knowing about recent developments and having a desired ideal design that conforms to the literature on one side, and actually applying these in production on the other side.
53

Factors Affecting Employee Intentions to Comply With Password Policies

Anye, Ernest Tamanji 01 January 2019
Password policy compliance is a vital component of organizational information security. Although many organizations make substantial investments in information security, employee-related security breaches are prevalent, with many breaches being caused by negative password behavior such as password sharing and the use of weak passwords. The purpose of this quantitative correlational study was to examine the relationship between employees’ attitudes towards password policies, information security awareness, password self-efficacy, and employee intentions to comply with password policies. This study was grounded in the theory of planned behavior and social cognitive theory. A cross-sectional survey was administered online to a random sample of 187 employees selected from a pool of qualified Qualtrics panel members. Participants worked for organizations in the United States and were aware of the password policies in their own organizations. The collected data were analyzed using 3 ordinal logistic regression models, each representing a specific measure of employees’ compliance intentions. Attitudes towards policies and password self-efficacy were significant predictors of employees’ intentions to comply with password policies (odds ratios ≥ 1.257, p < .05), while information security awareness did not have a significant impact on compliance intentions. With more knowledge of the controllable predictive factors affecting compliance, information security managers may be able to improve password policy compliance and reduce economic loss due to related security breaches. An implication of this study for positive social change is that a reduction in security breaches may promote more public confidence in organizational information systems.
54

Standardizing Instructional Definition and Content Supporting Information Security Compliance Requirements

Curran, Theresa 01 January 2018
Information security (IS)-related risks affect global public and private organizations on a daily basis. These risks may be introduced through technical or human-based activities, and can include fraud, hacking, malware, insider abuse, physical loss, mobile device misconfiguration or unintended disclosure. Numerous and diverse regulatory and contractual compliance requirements have been mandated to assist organizations proactively prevent these types of risks. Two constants are noted in these requirements. The first constant is requiring organizations to disseminate security policies addressing risk management through secure behavior. The second constant is communicating policies through IS awareness, training and education (ISATE) programs. Compliance requirements direct that these policies provide instruction about making compliant and positive security decisions to reduce risk. Policy-driven and organizationally-relevant ISATE content is understood to be foundational and critical to prevent security risk. The problem identified for investigation is inconsistency of the terms awareness, training and education as found in security-related regulatory, contractual and policy compliance requirements. Organizations are mandated to manage a rapidly increasing portfolio of inconsistent ISATE compliance requirements generated from many sources. Since there is no one set of common guidance for compliance, organizations struggle to meet global, diverse and inconsistent compliance requirements. Inconsistent policy-related content and instructions, generated from differing sources, may cause incorrect security behavior that can present increased security risk. Traditionally, organizations were required to provide only internally-developed programs, with content left to business, regulatory/contractual, and cultural discretion. Updated compliance requirements now require organizations to disseminate externally-developed content in addition to internally-provided content. 
This real-world business requirement may cause compliance risks due to inconsistent instruction, guidance gaps and lack of organizational relevance. The problem has been experienced by industry practitioners within the last five years due to increased regulatory and contractual compliance requirements. Prior studies have not yet identified specific impacts of multiple and differing compliance requirements on organizations. The need for organizational relevance in ISATE content has been explored in literature, but the amount of organizationally-relevant content has not been examined in balance of newer compliance mandates. The goal of the research project was to develop a standard content definition and framework. Experienced practitioners responsible for ISATE content within their organizations participated in a survey to validate definitions, content, compliance and organizational relevance requirements imposed on their organizations. Fifty-five of 80 practitioners surveyed (68.75% participation rate) provided responses to one or more sections of the survey. This research is believed to be the first to suggest a standardized content definition for ISATE program activities based on literature review, assessment of existing regulatory, contractual, standard and framework definitions and information obtained from specialized practitioner survey data. It is understood to be the first effort to align and synthesize cross-industry compliance requirements, security awareness topics and organizational relevance within information security awareness program content. Findings validated that multiple and varied regulatory and contractual compliance requirements are imposed on organizations. A lower number of organizations were impacted by third party program requirements than was originally expected. Negative and positive impacts of third party compliance requirements were identified. 
Program titles and content definitions vary in respondent organizations and are documented in a variety of organizational methods. Respondents indicated high acceptance of a standard definition of awareness, less so for training and education. Organizationally-relevant program content is highly important and must contain traditional and contemporary topics. Results are believed to be an original contribution to information/cyber security practitioners, with findings of interest to academic researchers, standards/framework bodies, auditing/risk management practitioners and learning/development specialists.
55

Factors Related to Users’ Awareness of Information Security on Social Network Service : The Case of WeChat

Shen, Han January 2018
Recent trends in social network services (SNS) have taken the rates of personal information sharing, storage and processing to an unprecedented level, which yield both benefits and undesirable consequences for their users. SNS is being exploited by criminals to fraudulently obtain information from unsuspecting users. Users’ awareness of privacy protection has been left far behind by the increasing and popularizing utilization of social network services (SNS); the privacy security problems will become one of the important factors influencing the healthy development of the social network service industry. This study was designed to collect data and produce knowledge about the security awareness of WeChat users (i.e., randomly selected from all over China), their preferences and their experience of using WeChat while facing security issues, as well as the perspectives of how people perceive specific security problems, in order to find out what factors influence users' security awareness. In order to carefully conduct the research process and explain the empirical findings, seven principles of interpretive field research and protection motivation theory are adopted as the core theoretical foundation. Participants were asked to provide information about and their personal views of questions from their different experience and value. Eight persons were interviewed for our research and their responses confirmed our objectives of the study. As a result, six factors are identified in relation to WeChat users’ security awareness. PMT helps to explain and understand how the six identified concepts influence the behaviour intention and security awareness of users.
56

Empathy in Security: The Effect of Personalized Awareness and Training Initiatives on Information Security Attitude and Behavioral Intention

Donaldson, Jacob 19 May 2021
No description available.
57

Exploring information security culture within Swedish municipalities : A qualitative study

Ameri, Haydar January 2023
The human aspect in the context of security has been a well-debated topic over the last two decades among researchers and practitioners. It has been recognized that technology alone cannot provide full protection, but should be combined with information security culture. This thesis explored how Swedish municipalities address the cultural aspects of information security. In addition, several important aspects and challenges were identified. Interviews were conducted as a data collection method with nine respondents from nine municipalities to gather their insights and experiences on the topic. The material from the interviews was then analyzed by applying thematic analysis. The results of this thesis have shown that most municipalities used what was feasible from the standards for the protection of information. One challenge was finding a balance between security measures and the various operations of the various entities to avoid hindrances to service delivery. With respect to training and awareness, initiatives employed diverse approaches, in some cases customized while in others not. The follow-up on information security culture was conducted using the tool Information Security Check provided by the Swedish Civil Contingencies Agency, along with measurements of security awareness through questionnaires, in some cases customized while in others not. Involving top management included diverse activities with support taking various forms beyond financial and human resources. However, the degree of follow-up, top management involvement, and support exhibited variations and in some cases were lacking. One notable discovery was the importance of educating not only the network of champions but also managers in information security, fostering a symbiotic relationship between the two. 
With respect to the lacking aspects, another finding was the importance of leadership and management knowledge/skills, not only essential for people in the security domain but also for other managerial roles in maintaining a positive information security culture.
58

Säker i det digitala landskapet : En studie om betydelsen av internutbildning inom cybersäkerhet / Secure in the digital landscape : A study on the importance of education and training in cybersecurity

Wallman, Klara, Risberg, Ebba January 2024
The progress of digitalization increases the vulnerability of organizations to cyber threats, and the costs of attacks can be substantial. Despite robust technical defenses, organizations remain vulnerable due to the human factor. Therefore, the employees’ security awareness becomes crucial for an organization to achieve essential protection against cyber threats. 
This study aims to examine and analyze various aspects of cybersecurity education and training to identify factors significantly impacting employee security awareness. The study is based on qualitative interviews with IT security managers from different organizations who influence the design and content of cybersecurity training. All the organizations, comprising medium to large-sized entities based in Sweden, handle digital confidential information. The study's findings reveal uncertainties in how cybersecurity is defined, which explains the general perception among employees that the education and training lack practical guidance. The results highlight areas where organizations can enhance cybersecurity education and training, including adapting content, sustaining interest, effectively utilizing external resources, and promoting responsibility through incentives. Conclusions drawn regarding improvement possibilities can contribute to strengthening employee security awareness.
59

Security threats to critical infrastructure: the human factor

Ghafir, Ibrahim, Saleem, J., Hammoudeh, M., Faour, H., Prenosil, V., Jaf, S., Jabbar, S., Baker, T. 24 January 2020
In the twenty-first century, globalisation made corporate boundaries invisible and difficult to manage. This new macroeconomic transformation caused by globalisation introduced new challenges for critical infrastructure management. By replacing manual tasks with automated decision making and sophisticated technology, no doubt we feel much more secure than half a century ago. As the technological advancement takes root, so does the maturity of security threats. It is common that today’s critical infrastructures are operated by non-computer experts, e.g. nurses in health care, soldiers in military or firefighters in emergency services. In such challenging applications, protecting against insider attacks is often neither feasible nor economically possible, but these threats can be managed using suitable risk management strategies. Security technologies, e.g. firewalls, help protect data assets and computer systems against unauthorised entry. However, one area which is often largely ignored is the human factor of system security. Through social engineering techniques, malicious attackers are able to breach organisational security via people interactions. This paper presents a security awareness training framework, which can be used to train operators of critical infrastructure, on various social engineering security threats such as spear phishing, baiting, pretexting, among others.
60

Effective Cyber Security Strategies for Small Businesses

Cook, Kimberly Diane 01 January 2017
Disruptive technologies developed in the digital age expose individuals, businesses, and government entities to potential cyber security vulnerabilities. Through the conceptual framework of general systems theory, this multiple case study was used to explore the strategies among owners of 4 retail small- and medium-size enterprises (SMEs) in Melbourne, Florida, who successfully protected their businesses against cyber attacks. The data were collected from a review of archival company documents and semistructured interviews. Yin's 5-phased cycles for analyzing case studies provided the guidelines for the data analysis process. Three themes emerged from thematic analysis across the data sets: cyber security strategy, reliance on third-party vendors for infrastructure services, and cyber security awareness. The study findings indicated that the SME owners' successful cyber security strategies might serve as a foundational guide for others to assess and mitigate cyber threat vulnerabilities. The implications for positive social change include the potential to empower other SME owners, new entrepreneurs, and academic institutions with successful cyber security strategies and resources to affect changes within the community. SME owners who survive cyber attacks may spur economic growth by employing local residents, thus stimulating the socioeconomic lifecycle. Moreover, implementation of these successful strategies may catalyze consumer confidence, resulting in greater economic prosperity.
