Is the policy regarding information security awareness one of the factors influencing ... policies, procedures, and practices, in order for them to make sound ...
1723 Journal of Applied Sciences Research, 8(3): 1723-1735, 2012 ISSN 1819-544X This is a refereed journal and all articles are professionally screened and reviewed
ORIGINAL ARTICLES Information Security Awareness Amongst Academic Librarians Shamsul Kamal Wan Fakeh, Mohd Nabil Zulhemay, Dr. Mohd Sazili Shahibi, Juwahir Ali, Muhammad Khairulnizam Zaini University Technology MARA (UiTM) Malaysia ABSTRACT This study seeks the level of awareness amongst academic librarians in private colleges in the districts of Shah Alam, Petaling Jaya, and Damansara. The matrix analysis of the literature review in this study succeeded in producing factors that contribute to information security awareness. Information security awareness plays an important role in the continuity of an organization. Information security refers to the elements of confidentiality, integrity, and availability, of data or information, in an organization. The research began with definitions of information, information security, and information security awareness, as identified by previous publications. The four independent variables established in this study are policy of information security, education of information security, knowledge of IT, and employee’s behaviour towards information security in the workplace. A survey was selected as a research method for the study, and was conducted in order to gain respondent’s feedback on the level of information security awareness. The respondents of the study consisted of librarians from private colleges in Shah Alam, Petaling Jaya, and Damansara areas. The survey findings showed that the level of information security awareness was considered high, but the relation or contribution factors proposed by this study were only slight correlated. This was proved in the correlation coefficient analysis in this study, in Chapter 4. From these findings, it can be concluded that further research is needed to clarify the contributing factors of information security awareness in an information provider; such as librarians in a library organization. Key word: Information Security, Library, Awareness Introduction Older computers used only single processors to run one program at a time with no shared database, there is no shared memory, no access to the same source simultaneously, and no integrated system. This kind of environment was easy to secure. (Solms R. v., 1998). Moreover, the growth of computers and multi-processing computer systems has resulted in several additional security mechanisms. For instance, identification and authentication of the user, log monitoring, and access control to data, and more. These days, many organizations are interconnected through their Information Technology (IT) systems, for an easier and faster sharing of data for work, study, and communications, and many other routine human tasks. This may result in an information security risk for an organization (Solms R. v., 1998). The disruption of information security will kill the main purpose of this sophisticated technology, hinder the smooth operation of an organization, make users feel suspicious and traumatised, and could cause losses to the organizations involved. As mentioned by Feng, Seet, Chenyi, & Yong (2000), annual spending on security measures is expected to grow year by year. Hinde (2003) stated that carelessness towards privacy could cause an organization to have a big financial loss. Furthermore, previous studies show even more adverse affects from a non-intact information security (explained in the next chapter). Most of the information on security issues relies on physical devices. The device is used to guarantee the three main elements of information security. They are confidentiality, integrity, and availability. Discussion about these three elements, how equipment can protect data in the system or database, how the firewall protects to prevent outside attacks, how secure are the software or applications used to dispel hackers, and why technology cannot ensure against humans making mistakes. This forms another part of the information security issue, namely information security awareness. Similar to the library, due to increased information, the traditional method for handling the volume of information is inadequate (Henley, 1972). Now, the library has switched to a machine-based system. Some libraries operate entirely in cyberspace, otherwise known as digital libraries. ENISA (2006) stated that organizations, whether private or public, are increasingly storing and making information available electronically, and therefore, there is an increase in the reliance on IT systems. Corresponding Author: Shamsul Kamal Wan Fakeh, University Technology MARA (UiTM) Malaysia
1724 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
This study attempts to identify information security awareness amongst librarians in private colleges within the districts of Shah Alam and Petaling. A number of literatures are reviewed, and from that, a theoretical framework has been produced to develop an instrument for measuring the level of awareness. Objective And Research Questions: The two main objectives of this study are as follows: i.To identify the level of information security awareness amongst librarians in the private colleges within studied area ii.To identify the factors that influence information security awareness in such organizations. Based on these objectives, the research questions have been developed to seek the level of information security awareness in the studied area. The research questions are as follows: i.Is the policy regarding information security awareness one of the factors influencing information security awareness? ii.Is education regarding information security one of the factors influencing information security awareness? iii.Is knowledge of IT one of the factors influencing information security awareness? iv.Is behaviour one of the factors influencing information security awareness? Scope Of The Study: This research will determine the librarian within Shah Alam Area as regard to the information security awareness. The study is only focusing on Private College and University in the area aforementioned. The data were collected only for middle level staff such as librarian, IT librarian, assistant librarian, and such rank of employee. Literature review: Despite computer security (defined earlier as the physical protection of a computer), which currently is said to prevent and complicate the threat towards information in systems, humans are still the main factor involved in errors, faults, misleading, and many other damages or losses of information in computer systems (Nurul Hidayah, 2009). Even though security technology has been implemented properly, the same issues are still arising in security attacks, such as social engineering, dishonesty, and negligence. Security problems nowadays are primarily caused by the inadequate security awareness of the users (Chen, Shaw, & Yang, 2006). According to Boyce & Jennings (2002), security awareness occurs when a user understands the security policies, procedures, and practices, in order for them to make sound judgments when a potential security issue occurs, in the absence of further guidance. The aim of information security awareness is to improve information security by enhancing and adopting security policies and countermeasures (ENISA, 2006), improving IS users’ security behaviour (ENISA, 2006; Puhakainen, 2006), or altering work routines, so that good security habits are applied (Hansche, 2001). Information security awareness focuses more on the motivation of the employee in an organization to follow the policy and regulations towards the security of information in the company. An approach which is often taken to raise awareness is having a program, training, or a seminar in the workplace. The objective of awareness is to minimize human related faults (Siponen M. T., A conceptual foundation for organizational information security awareness., 2000). Several authors state that the motive of information security awareness is to define that term. It is to refer to a state where people in a company are aware of their security mission (Siponen M. T., A conceptual foundation for organizational information security awareness., 2000). For instance, it means that a company wants to secure its confidential information from its competitors. Therefore, employees should not reveal particular information to their opponents; otherwise, the level of awareness amongst staff in that company is not as good as their mission. According to Zahri & Ahmad Nasir (2003), countries that use a lot of ICT, especially the internet, are vulnerable to cyber attacks. Information systems are widely used nowadays. A lot of information is being processed, stored, transferred, and manipulated for business purposes. Organizations particularly need to secure their information. Companies often adopt security measures by placing security devices and software into their IT and network equipment, such as antivirus, firewalls, monitor network traffic, and many more. However, notwithstanding the sophisticated equipment and software used, without an awareness of the importance of information security, the company’s information and knowledge may fall into the hands of unscrupulous people or organisations. Arce (2003) stated, that in the past, most security threats were external and could be prevented or solved using technical solutions, such as firewalls and antivirus software. Threats coming from inside of an
1725 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
organization are more difficult to trace, because there is no way to monitor a person’s actions or intent (Caroll, 2006). As mentioned earlier, the importance of information in an organization, sometimes called intangible assets (referring to information and knowledge within an organization), plays a key role to the drivers and technology used as a key enabler (Shashi, 2007). The importance of information security awareness is as important as the information security techniques and information security policy used in an organization (Siponen M. T., A conceptual foundation for organizational information security awareness., 2000). Rafidah (2010) said that security is not something that can be wrapped in a package and brought off the shelf. Furthermore, according to Siponen & Oinas-Kukkonen (2007), most information security research focuses on technical issues, such as access to information systems and secure communications, but Bishop & Frincke, (2005) stated that many nontechnical articles present themes that are directly applicable to technical issues. It is obvious that information security awareness can bring many benefits to an organization. However, the return on investment for any awareness program should not be looked at merely from a dollars and cents point of view. Due to the explosive growth of the internet, fundamental information security needs to also grow. According to Hawkins, Yen, & Chou (2000), companies that connect to the internet in order to expand their businesses, risk the threat of intrusion. Furthermore, when a company is connected to the internet, any user in cyberspace can have access to its website. Moreover, while many tactics provide an assurance of protection, carelessness can also be a key factor. As a result, awareness training and education should be used to remind staff that an internet security breach could have a profound effect on the health of the organization, and hence, their job security (Everet, 1998). This is one of the situations that could clarify why information security awareness is important. More disturbing, is the existence of those that are complacent and ignore the issue of information security, until their behaviour leads to information leakage. Either intentionally or unintentionally, information leaks can harm a company. Without trouble, these people do not work hard for the company, hacking and stealing information, with little regard for the people in the organization itself, and this information falls into the hands of unscrupulous people easily. In 1998, Solms stated that the aim of information security is to ensure business continuity and to minimize business damage, by preventing and minimizing the impact of security incidents. Information protection usually relies on an information security plan and management, which involves humans (Kruger, Drevin, & Styen, 2010). This means that knowledge, education, and awareness, plays a role in the success of information security, to protect information in an organization. For example: When an employee does not logoff from a computer after use, unscrupulous people can steal data from the computer and use it for personal gain or to compete with that particular company. Therefore, this is the effect of a behaviour that does not consider information security matters, or in other words, does not realize the importance information security awareness. Theoretical Framework: Based on the literature review, it can be surmised that four major factors are closely related to information security awareness. These factors are as follows: (1) human behaviour, (2) education of information security, (3) knowledge about the use of technology, and (4) information security policy in the workplace. By having these four factors, it can be said that a particular organization has reached an adequate level of information security awareness. Table 1 (see Appendix 1) shows a matrix analysis of the factors that influence information security awareness. The total number of articles reviewed was 16. Ten articles mention that human behaviour can affect information security awareness, 12 articles mention the educational aspects of information security, eight articles mention knowledge of technology, and three articles mention policy as a factor of information security awareness. Explanations of each factor are in the following paragraph. One constraint of an organization, which impacts the effectiveness of technologies, is the behaviour of the human beings that administer, use, access, and maintain, information resources (Solms & Solms, 2004; Vroom & Solms, 2004). According to Stanton, Stam, Mastrangelo, & Jolton (2005), appropriate and constructive behaviour by end users, system administrators, and others, can enhance the effectiveness of information security; while inappropriate and destructive behaviour can substantially inhibit its effectiveness. An article by Thomson & Solms (1998) talked about changing human interest for information security awareness program, by using psychological principles that have been ignored by information security practices. Gordon (2010) directly determined the relationship between security awareness and security behaviour in individuals. According to Kruger & Kearney (2006), human behaviour consists of an intention to act in a particular manner. Moreover, maintaining a security-positive behaviour, is a critical element in an effective information security environment. With respect to education, Peltier T (2001) said that an effective information security program cannot be implemented without implementing an employee awareness and training program to address policy, procedures, and tools. Takemura (2010) suggested the necessity for enhancing information security education, in order to motivate Japanese workers’ awareness of information security. Siponen (2001) also agreed that education of
1726 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
information security awareness plays a significant role in the overall level of any organisation. Other authors that mentioned education in their writings include Flinn & Lumsden, (2005); D'Arcy, Hovav, & Galletta, (2008); Solms B. v. (2000); Hawkins, Yen, & Chou, (2000); and Kruger, Drevin, & Styen, (2010); see Appendix 1. Many companies place good security devices in their organization. Nonetheless, adequate information security training is required to create and improve user awareness and behaviour towards information security within the organization (Albrechtsen & Hovden, 2010). In addition, in their study, they created an involvement of workers in small-sized workshops, aimed at improving information security awareness and behaviour. Recently, most work in organizations has come to depend on information technology to operate, such as managing records, (e.g., electronic records), business transactions, (e.g., online banking), and communicating with others (e.g., email). Technology facilitates daily work, but can also cause harm care is not taken. For example, weak passwords can cause a loss of data in records, trust in internet fraud, such as spam, phishing, and social engineering, and could lead to consumers being cheated. For this reason, knowledge of technology is important and pertinent to the issue of information security. Flinn & Lumsden (2005) said that knowledge of specific technologies that relate to their security and privacy when using the internet, can avoid harm from happening. Information can also be transferred using mobile devices. According to (Straub, 1990), policy regarding the proper and improper use of information systems, needs to be established. The more detailed that these policies are, the greater the deterrent impact on unacceptable systems use is. After these policies are in place, the administrator should educate the users about acceptable information security behaviour. There are many ways to educate users. For example, during employee orientation sessions (Straub, 1990). Policy is a guideline to an organization regarding information security. As Solms & Solms (2004) said, policies should provide guidance to employees and partners, to how they should act and behave in order to be in line with management’s wishes. With clear guidelines in place, IS can strengthen the information security efforts (Straub, 1990). Defining a series of company policies, does not ensure that all employees will necessarily obey these policies (Solms & Solms, 2004). In this case, Solms & Solms (2004); and Straub (1990) agree that a proper education process can ensure appropriate behaviour. Figure 1 shows a clear view of the four factors that influence information security awareness in an organization.
Fig. 1: Four factors that influence awareness The four factors shown in Figure 1 were identified from the matrix analysis of factors that influence information security, from the perspective of awareness and its measurement. These factors are the main points of understanding, taken from the previous articles, research, and dissertations of several authors. The next paragraph will explain how these factors relate to information security awareness. Policy is a reference for employees. It is a tool for management to guide their subordinates, by educating them based on what the policy states. Education is a communication between user and educator. Education can influence the knowledge of the end user. Knowledge of technology is important, as information is organized and communicated using technology. For example, before users receive education about malicious software, they simply take the installed programs for granted, and click any links they want, in received emails. However, by educating them about how harmful these links can be, because of malicious programs and fraudulent links, they are then made more aware. This is how education relates to the knowledge of technology and interrelated items. Knowledge can change human behaviour. By having knowledge, users can act appropriately. They know how to act when something occurs, by making the right decision for a situation, and in a time that can avoid
1727 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
inappropriate events in the workplace. For instance, an employee must not click any link sent to them, because he/she feels insecure about that link. However, if the link appears frequently, he/she can refer to the IT department for further information. Two right behaviours in this situation are (1) he/she did not click the undefined link, and (2) he/she refers to IT department before ignoring or proceeding to the next action. Both show that he/she is aware of the insecure environment around him/her and he/she knew of the risk if the link was bad. Research Method: In this research, only a quantitative methodology will be used to measure data. Burns and Grove (2005) defined that quantitative research is a formal, objective, systematic process, in which numerical data is used to obtain information about the world. This research method is used to describe variables, examine relationship amongst variables, and determine cause-and-effect interactions between variables. According to Belli (2007), quantitative research is divided into two general categories, namely experimental and non-experimental. For this research, the researcher will use an experimental research. A primary goal of experimental research is to provide strong evidence for cause-and-effect relationship. This is done by demonstrating the manipulation of at least one Independent Variable (IV), produce different outcomes in another variable, also known as a dependent variable (DV). There are various types of quantitative research methods. The following subsection will explain this particular research method. The word ‘survey’ means ‘to view comprehensively and in detail’. In other words, it refers specifically to the act of obtaining data for mapping. This definition of a survey is derived from classic versions of geographical and ordnance surveys. In the twentieth century, survey is one of the most popular approaches to social research. The survey approach is a research strategy, not a research method. Many methods can be incorporated into a social survey. Survey is an approach in which there is empirical research pertaining to a given point in time, which aims to incorporate the widest and most inclusive data possible. A survey is a systematic method of collecting data from a population of interest. It tends to be quantitative in nature, and aims to collect information from a population sample, in such a way that the results are representative of the population, within a certain degree of error. The purpose of a survey is to collect quantitative information, usually through the use of a structured and standardized questionnaire. Questionnaires are cost effective compared to face-to-face interviews. This is especially true for studies involving large sample sizes and large geographic areas. Written questionnaires become even more cost effective as the number of research questions increases. Questionnaires are familiar to most people and easy to analyse. Nearly everyone has had some experience completing questionnaires, and generally, they do not make people apprehensive. Questionnaires reduce bias. There is a uniform question presentation and a no middle-man bias. The researcher's own opinions will not influence the respondent to answer questions in a certain manner. There are no verbal or visual clues to influence respondents. Questionnaires are less intrusive than telephone or face-to-face surveys. When a respondent receives a questionnaire in the mail, he is free to complete the questionnaire in his/her own time. Unlike other research methods, this research instrument does not interrupt the respondent. There were six sections in the questionnaire. The first section was about demographics. Demographic questions, which aim to segment data and draw comparisons within a population, included only three questions, namely gender, age, and education level. The second section contained five questions about information security policies. The third section examined the information security education of the respondent. The fourth section questioned the knowledge of technology of the respondents, whilst the fifth section attempted to cover the respondent’s behaviour characteristics. The final section was about information security awareness. Findings: A numerical index, known as correlation coefficient, expressed the degree or magnitude of the relation. The numerical index +1.00 is the highest possible value that the correlation coefficient can assume and indicates a perfect relationship between variables (Burn, 2000). Table 1 shows a guide to the degree of relationship indicated by the size of the coefficients. Table 1: Remarks on the Degree of Correlation Coefficient Absolute Value of Correlation Coefficient Remarks on Correlation (rho) 0.90 - 1.00 Very high correlation 0.70 - 0.90 High correlation 0.40 - 0.70 Moderate correlation 0.20 - 0.40 Low correlation Less than 0.20 Slight correlation Source: Burn (2000).
Nature of Relationship Very strong relationship Marked relationship Substantial relationship Weak relationship Relationship so small as to be negligible
1728 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
Demography: Tables 2 and 3 report the results relating to the background of the participants in this study. Table 4.2 reveals that 60 respondents, from private college libraries within the districts of Shah Alam, Petaling Jaya, and Damansara, participated in the study. The response rate by the males participating in this study exceeded the females. This study found that the majority of respondents (51.7 percent) were male, whilst the remainder (48.3 percent) were female. Table 2: Profile of Respondents’ Gender Male Female Total
Frequency 31 29 60
Percent 51.7 48.3 100.0
Table 3 shows the age range of the respondents participating in this research. The respondents’ ages ranged from 20 to 30 years old, representing a majority equivalent to 35 or 58.3 percent, respectively. A small number of respondents were below 20 years old, which was only about 8.3 percent. The remainder (33.3 percent) were 31 years old and above. Table 3: Respondents’ Age Below 20 20-30 31 above Total
Frequency 5 35 20 60
Percent 8.3 58.3 33.3 100.0
Table 4 shows that many of the librarians participating in this study held a Degree qualification (65.0 percent), compared to other qualification, such as Diploma (10.0 percent), Master’s degree (10.0 percent), PhD (8.3), and Certification (6.7 percent). Table 4: Respondents’ Education Level Certification Diploma Degree Master’s degree PhD Total
Frequency 4 6 39 6 5 60
Percent 6.7 10.0 65.0 10.0 8.3 100.0
Policy factor: Table 5 depicts most of the respondents’ answers to questions in Section B of the survey. The analysis of Table 4 and Table 5 was conducted with the intention of finding an answer to research question number one, which is: “Is the policy regarding information security awareness one of the factors influencing information security awareness?” The first question asked about the existence of a security team in the organization. The results revealed that 75.0 percent of the respondents’ said yes, 25.0 percent were not sure, and none of the respondents said no. The establishment of a security team is important to ensure that staff in the organization know who to refer to if there is something happening on their computer, like hacking or infection by a virus, worm, trojan, or any other malicious program that can be harmful to data on the desktop or laptop in the workplace. The majority of respondents knew who to contact if such an event occurred. This was proven by 93.3 percent of the respondents who said yes, they knew who to contact. Only 6.7 percent remained unsure. Every computer, especially those with the latest Windows 7 operating system, should be complete with an individual firewall. As a default setting, the firewall should be on, and as recommended, it should be enabled. But for some reason, users turn the firewall off. For example, they want to allow some applications to be installed or for some web pages to be displayed on the computer. For an expert user, he or she may control and predict malicious programs that attempt to cause trouble to their system; but for novice or irregular/basic users, they might be unaware of such issues. For this reason, firewalls on computers should remain enabled. Respondents were informed of the importance of a firewall and the majority kept the firewall on the computer on. This was clear, as 91.7 percent of the respondents answered yes, the firewall on the computer is always enabled. Only 8.3 percent answered no.
1729 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
Some organizations allow any website to be retrieved either during or after office hours. However, some organizations, such as libraries (though not all libraries), have a policy and restrictions to not enter certain groups of websites. For instance, no access is allowed to social networks or pornography in the work place using the organization’s facilities, including networks. When asked about whether the respondents had policies on which websites were allowed, 66.7 percent of the respondents answered yes; another 16.7 percent answered no, and the rest were unsure. In terms of guidelines regarding information security in the respondent’s work place, the majority (65.0 percent) answered yes, while 18.3 percent were unsure, and the rest (16.7 percent) said no. Table 5: Policy Factors Influencing Information Security Awareness Frequency Elements We have a security team in this organization I know who to contact if my computer is hacked or infected The firewall on my computer is always enabled My computer is configured to automatically update I have policies on which websites I am allowed to visit There are guidelines regarding information security in my workplace
No 0.0 0.0 8.3 16.7 16.7 16.7
Not Sure 25.0 6.7 0.0 8.3 16.7 18.3
Yes 75.0 93.3 91.7 75.0 66.7 65.0
Total 100 100 100 100 100 100
Using a scale of one (no), two (unsure), and three (yes), the overall data was summarized in Table 6. The ranking is performed by comparing means with other variables. The highest mean is ranked as one, and so on. The findings show that the most significant factor fell under the knowledge of who to contact if a computer was hacked or infected. After that, the firewall on the computer is always enabled ranked second, and guidelines regarding information security in the workplace ranked last. Table 6: Policy Influencing Information Security Awareness Analysis Element I know who to contact if my computer is hacked or infected The firewall on my computer is always enabled We have a security team in this organization My computer is configured to automatically update I have policies on which websites I am allowed to visit There are guidelines regarding information security in my workplace
Mean 2.9333 2.8333 2.7500 2.5833 2.5000 2.4833
Std. Deviation 0.25155 0.557744 0.43667 0.76561 0.77021 0.77002
Rank 1 2 3 4 5 6
Education factor: The analysis of Table 8 and Table 9 was conducted with the intention of finding an answer to research question number two, which is: “Is education regarding information security one of the factors influencing information security awareness?” The respondents were asked about the elements of education, training, and/or programs about information security. The questions addressed phishing attacks, virus infections, value of computers in the workplace to hackers, downloading and installing software, password sharing, and training about information security in the workplace. Table 6 shows that 65.0 percent of the respondents answered that they knew what a phishing attack was, whilst 20.0 percent of the respondents answered no, and the rest (15.0 percent) were unsure. As shown in the Table, 8.3 percent and 6.7 percent of the respondents answered no and unsure about what to do if the computer was infected with a virus, and the rest (85.0 percent) knew what to do. About 53.3 percent of the respondents answered no, for the element never finding a virus, 40.0 percent said they never found a virus, and less than 6.7 percent of the respondents answered that they were unsure whether they had found a virus or not. A total of 33.3 percent of the respondents were unsure about the value of their computer to the hackers, 46.7 percent said yes, and 20.0 percent said no for this element. When asked about downloading and installing software onto a computer in the workplace, 58.3 percent said no, 33.3 percent of the respondents answered yes they did, and the rest (8.3 percent) were unsure. The respondents were asked about sharing their passwords. 75.0 percent answered yes, they do not share their password, 11.8 percent say no, and the rest were unsure. These results indicate that some respondents share their passwords. Respondents were also asked whether they received training about information security in the workplace. The majority (60.0 percent) answered no, 15.0 percent answered that they were unsure, and the rest (25.0 percent) said yes.
1730 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
Table 7: Education Factors Influencing Information Security Awareness Frequency Elements I know what a phishing attack is I know what to do if my computer is infected with a virus I never found a virus or a trojan on my computer at work My computer has no value to hackers, they do not target me I always download and install software on my computer at work I do not sharing my work password I receive training about information security in my workplace
No 12 20.0% 5 8.3% 32 53.3% 12 20.0% 35 58.3% 11 18.3% 36 60.0%
Not Sure 9 15.0% 4 6.7% 4 6.7% 20 33.3% 5 8.3% 4 6.7% 9 15.0%
Yes 39 65.0% 51 85.0% 24 40.0% 28 33.3% 20 33.3% 45 75.0% 15 25.0%
Total 60 100.0% 60 100.0% 60 100.0% 60 100.0% 60 100.0% 60 100.0% 60 100.0%
The overall response of respondents about education as a factor in information security awareness is summarized in Table 7. As can be seen from the table, the action for when a computer is infected with a virus; was found to be the most important factor in education. This was followed by not sharing passwords and knowing what a phishing attack was. The lowest score was about training received. Table 7: Education Influencing Information Security Awareness Analysis Element I know what to do if my computer is infected with a virus I do not share my work password I know what a phishing attack is My computer has no value to hackers, they do not target me I never found a virus or trojan on my computer at work I always download and install software on my computer at work I receive training about information security in my workplace
Mean 2.7667 2.5667 2.4500 2.2667 1.8667 1.7500 1.6500
Std. Deviation 0.5980 0.78905 0.81146 0.77824 0.96492 0.93201 0.86013
Rank 1 2 3 4 5 6 7
Knowledge factor: Further tests were performed to find answers to the third research question, which tries to find the significance of IT knowledge of librarians, as one of the factors in information security awareness. Since IT knowledge was mentioned in the literature review as being one of the causes of information security awareness amongst employees, respondents were asked five questions related to the elements of IT knowledge (as shown in Table 8). The respondents were asked about antivirus usage. The results show that 91.7 percent of the respondents answered that they knew how to handle antivirus software and 8.3 percent of the respondents were unsure. Next, the respondents were asked about the risk of opening emails from unknown senders. The majority of the respondents (90.0 percent) knew the risk of opening these emails, 8.3 percent of the respondents were unsure of the risk, and only 1.7 percent had no idea at all. Based on these results, more than 60.0 percent of the respondents knew what an email scam was, and how to identify it. Meanwhile, 31.7 percent of the respondents were unsure. In the last question of the IT knowledge section, respondents were asked about knowing how to use antivirus software and how to scan for viruses. All of the respondents knew how to use it, thus making a response of 100 percent. Table 8: Knowledge of IT Factors Influencing Information Security Awareness Frequency Elements I have installed, updated, and enabled, antivirus software on my computer I know what the risk is when opening e-mails from unknown senders; especially if there is an attachment I know what an email scam is and how to identify it I know how to use antivirus software and how to scan for viruses
No 0 0.0% 1 1.7% 0 0.0% 0 0.0%
Not Sure 5 8.3% 5 8.3% 19 31.7% 0 0.0%
Yes
Total
55 91.7% 54 90.0% 41 68.3% 60 100.0%
60 100.0% 60 100.0% 60 100.0% 60 100.0%
Elements of IT knowledge factors influencing information security awareness are very important. This is clearly shown in Table 9, where the mean score for all elements was high.
1731 J. Appl. Sci. Res., 8(3): 1723-1735, 2012 Table 9: Knowledge of IT Influencing Information Security Awareness Analysis Element
Mean
I know how to use antivirus software and how to scan for viruses I have installed, updated, and enabled antivirus software on my computer I know what the risk is when opening e-mails from unknown senders; especially if there is an attachment I know what an email scam is and how to identify it
Rank
3.0000 2.9167 2.8833
Std. Deviation 0.0000 0.27872 0.37243
2.6833
0.46910
4
1 2 3
Employee behaviour factor: The analysis of this section tries to find answers for the fourth research question. The research question looks at the elements of behaviour amongst employees as one of the influencing factors in information security awareness. In this section, respondents were asked several questions about the behaviour that will most likely influence information security awareness. The questions were asked with the purpose of identifying whether the behaviour factor is significant to information security awareness. The results of this analysis can be seen in Table 10. When respondents were asked, if they deleted a file from the computer or a USB stick, could the information be recovered or not; more than 50.0 percent answered yes, 38.3 percent answered that they were unsure, and the rest answered no. Respondents were asked about password sharing. About 85.0 percent of the respondents said that they did not share passwords, while less than 15.0 percent answered no, which means that they do share their passwords. The majority of respondents (80.0 percent) did not use the same password for their working and personal accounts. The rest of the respondents (11.3 percent) used the same password for both. However, less than 9.0 percent of the respondents were unsure. About 91.7 percent of the respondents answered that they never gave their work password to anyone else. About 6.7 percent were unsure whether they gave their password to others or not. Table 10 demonstrates that about 81.7 percent did not take information from the office to their home to work on. About 18.3 percent of the respondents did do that. Further analysis was performed to look at the respondent’s responses to the statement that their organization’s PC was safe. The table indicates that 65.0 percent of the respondents felt that their organization’s PC was safe, while less than 20.0 percent answered no. Another 15.0 percent of the respondents were unsure. Table 10: Frequency analysis of the Employees Behaviour Element Elements I’ll make sure that when I delete a file from the computer or USB stick, that the information is recoverable I do not share my work password I use the same password on my work and personal accounts I never give my work password to someone else I often take information from the office and use a computer at home to work on it. I feel that my organizations’ PC is safe
No 5 8.3% 9 15.0% 48 80.0% 1 0.0% 49 81.7% 12 20.0%
Not Sure 23 38.3% 0 0.0% 5 8.3% 4 6.7% 0 0.0% 9 15.0%
Yes
Total
53 53.3% 51 85.0% 7 11.3% 55 91.7% 11 18.3% 39 65.0%
60 100.0% 60 100.0% 60 100.0% 60 100.0% 60 100.0% 60 100.0%
Table 11 shows the distribution of the overall opinions by respondents on the behaviour element as a factor of information security awareness. It was found that respondents slightly accepted all factors that were asked of them. They treated all elements of the behaviour factors as being less important. Table 11: Analysis of the Elements of the Employees Behaviour Factor Element I never give my work password to someone else I do not share my work password I feel that my organizations’ PC is safe I’ll make sure that when I delete a file from the computer or USB stick, that the information is recoverable I often take information from the office and use a computer at home to work on it I use the same password on my work and personal accounts
Mean 2.9000 2.7000 2.4500 2.4500
Std. Deviation 0.35415 0.72017 0.81146 0.64899
Rank 1 2 3 4
1.3667 1.3167
0.78041 0.67627
5 6
1732 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
Information security awareness element: Table 12 demonstrates that the majority of respondents are aware of information security. This was proven by the 53.3 percent of the respondents who answered yes in total. The analyses show that 85.0 percent of the respondents answered yes about the awareness of information security aspect relating to their job. However, 15.0 percent of the respondents remained unsure. More than 90.0 percent of the respondents did not agree about violating any rules if a problem does not occur, but 8.3 percent of the respondents were unsure. Table 12: Frequency Analysis on the Information Security Awareness Element Element Information security is necessary in my organization to protect information I am aware of the information security aspects relating to my job (e.g. when to change my password or which information I work with is confidential)
No 0 0.0% 0 0.0%
Do you think that it is ok to violate any rules if problems do not occur? 54 90.0%
Not Sure 17 28.3% 9 15.0%
Yes
Total
53 53.3% 51 85%
60 100.0% 60 100.0%
5 8.3%
0 00.0%
60 100.0%
Table 13 summarizes the information security awareness elements. All respondents positively agreed that information security awareness is important. The mean value was less than 3, and ranked from 1 to 3. The majority of respondents chose the awareness of information security aspect relating to their job, as being an important element in the information security awareness factors. Table 13: Means and Standard Deviation Analysis on the Elements of Information Security Awareness Element I am aware of the information security aspects relating to my job (e.g. when to change my password or which information I work with is confidential) Information security is necessary in my organization to protect information Do you think that it is ok to violate any rules if problems do not occur?
Mean
Rank
2.8500
Std. Deviation 0.36008
2.7167 1.2500
0.45442 1.31000
2 3
1
Conclusion: According to the results of this survey, important elements of information security awareness were identified and all research questions were answered. As summarized in Figure 2. Since information security importantly ensures that business process continuity in an organization runs smoothly and without interference, information security awareness is considered as being vital to the organization. Policy is constructed and implemented within organizations. Employees are educated during seminars, awareness programs, training, and campaigns. Knowledge of IT is also important in order to avoid misuse of IT devices, which leads to the lack of information security. Finally, employee behaviour is interrelated with awareness of information security in the workplace. Good behaviour towards information security practices can also influence information security awareness. However, analysis of the data gained from the survey needs to be improved, because the correlation coefficient analysis in the tables show above a slight correlation; meaning that the relationship is so small, as to be negligible.
Fig. 2: Elements of Information Security Awareness
1733 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
In conclusion, this study has identified the four factors that can influence information security awareness within the studied area. These factors are policy of information security, education regarding information security, knowledge of IT, and employee’s behaviour. Policy is both the reference and the guideline to staff regarding information security. Policy can give rules, regulations, and objectives, of why information security is important. Policy can then ensure that information considered as private, can be protected. This is how policy can influence information security awareness amongst staff, or in the context of this study, as a librarian. Education regarding information security received by staff during campaigns, briefings, discussions, speeches, seminars and others, can enhance and establish an awareness of information security in an organization. Knowledge of IT protects data and information in an organization by reducing the number of mistakes in IT usage in an organization, in order to avoid damage and the loss of data. Staff’s behaviour is a major concern and an important aspect of information security awareness. The good behaviour of staff, whilst dealing with sensitive data, can ensure that information in the organization is kept safely. References Adnan, J., & M.Y. Alwi, 2005. The Understanding And Relevance Of Knowledge Management In Educational Environment. Journal Of Knowledge Management , 1(1): 1-12. Ahmad, A.M., 2010. Information security governance in Saudi organizations: an empirical study. Information Management & Computer Security, 18(4): 226-276. Ahmad, S.A., 2010. An approach to enhance security awareness on the use of mobile devices. Universiti Teknolgi Malaysia. Albrechtsen, E., & J. Hovden, 2010. Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. comp uters & security, 29: 432- 445. Anderson, J.M., 2003. Why we need a new definition of information security. Computer & Security, 308-313. Arce, I., 2003. The weakest link revisited. IEEE Security & Privacy, 1(2): 72-76. Asai, T., & A.U. Hakizabera, 2010. Human-related problems of information security in East African crosscultural environments. Information Management & Computer Security, 18(5): 328-338. Aytes, K., & T. Connolly, 2004. Computer security and risky computing practices: A rational choice perspective. Journal of Organizational and End User Computing, 16(3): 22-40. Bishop, M., 2003. In Computer security, Art and Science (p. 3). Boston: Addison-Wesley. Bishop, M., & D. Frincke, 2005. A human endeavor: Lessons from Shakespeare and beyond. IEEE Security & Privacy, 49-51. Blyth, A., & G. Kovacich, 2006. Information assurance: Security in the information. Cambridge: Springer. Boyce, J., & D. Jennings, 2002. Information assurance: Managing organizational IT. Woburn, MA: Butterworth-Heinemann. Burn, R.B., 2000. Introduction to research method. Australia: Longman. Carol, M.D., 2006. Information security: Examining and managing the insider threat. ACM Proceedings of the 3rd Annual Conference on Information Security Curriculum Development 2006 (InfoSeCD 06) (pp. 156158). Georgia: Kennesaw. Caroll, M.D., 2006. Information security: Examining and managing the insider threat. ACM Proceedings of the 3rd Annual Conference on Information Security Curriculum Development 2006 (InfoSecCD 06), , (pp. 156158). Kennesaw, Georgia. Chen, C.C., R.S. Shaw, & S.C. Yang, 2006. Mitigating Information Security Risks by Increasing User Security Awareness: A Case Study of an Information Security Awareness System. Information Technology Learning and Performance Journal, 24(1). Chinchani, R., A. Iyer, H.Q. Ngo, & S. Upadhyaya, 2005. Towards a theory of insider threat assessment. IEEE Proceedings of the 2005 International Conference on Dependable Systems and Networks (DSN 05), (pp. 108-117). Yokohama, Japan. CSI/FBI., 2006. Computer Crime and Security Survey 2006. Retrieved January 14, 2011, from http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf D'Arcy, J., A. Hovav, & D. Galletta, 2008. User Awareness of Security Countermeasures and Its Impact on Information System Misuse: A Deterrence Approach. Information System Research , June(20): 1-20. Dardick, G.S., 2010. Proceeding of the 8th Australian Digital Forensic Conference. In A. Woodward (Ed.). Perth, Australia: Security Research Centre, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia. Debons, A., E. Horne, & S. Gronenweth, 1988. Information Science: An Integrated View. Boston: G.K Hall. Denscombe, M., 1998. The good research guide: for small-scale social research projects. UK: University Press. Dhillon, G., 2001. Information Security Management: Global Challenges In The New Millenium. USA: Idea Group Publishing.
1734 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
Dlamini, M.T., J.H. Eloff, & M.M. Eloff, 2008. Information security: The moving target. Computer & Security . Doherty, N.F., & H. Fulford, 2005. Do information security policies reduce the incidence of security breaches: An exploratory analysis. Information Resources Management Journal, 18(4): 21-39. ENISA., 2006. A Users’ Guide: How to Raise Information Security Awareness. Retrieved January 14, 2011, from European Network: www.enisa.europa.eu/doc/pdf/deliverables/ Ernst & Young Global Information Security Survey, 2005. Annual Global Information. Retrieved January 14, 2011, from www.vistorm.com/uplds/EY_Global_Information_Security_ Everet, J., 1998. Internet Security. Employee Benefits Journal, 23(3): 14-18. Feng, E., J. Seet, L. Chenyi, & J. Yong, 2000. Effective IS Security: An Empirical Study. Retrieved February 18, 2011, from National University of Singapore (NUS): http://www.google.com.my/url?sa=t&source=web&cd=1&sqi=2&ved=0CBcQFjAA&url=http://staff.scien ce.nus.edu.sg/~parwani/sim/simproject5/security.doc&rct=j&q=Effective%20IS%20Security:%20An%20E mpirical%20Study%20Eric%20Feng&ei=VGleTc3KM8WyrAf53sCyDg&usg=AFQjCNG Flinn, S., & J. Lumsden, 2005. User Perseptions of Privacy and Security on the Web. National Research Council . Futcher, L., C. Schroder, & R.v. Solms, 2010. Information Security Education in South Africa. Information Management & Computer Security. Gordn, G.J., 2010. Ascertaining the Relationship between Security Awareness and the Security Behavior of Individuals. Nova Southeastern: Nova Southeastern University. Gross, J.B., & M.B. Rosson, 2007. Looking for trouble: understanding end user security management. ACM Proceedings of the 2007 Symposium on Computer Human Interaction for the Management of Information Technology (CHIMIT 07), (p. 10). Cambrighe, MA. Guagnano, G.A., 1995. Influences on Attitude-Behavior Relationships. Environment and Behavior, 27(5): 699718. Hansche, S., 2001. Designing a security awareness program: Part I. Information Systems, 9(6): 14-23. Hawkins, S., D.C. Yen, & D.C. Chou, 2000. Awareness and challenges of Internet security. Information Management & Computer Security, 8(3): 131-143. Hayes, R.M., 1992. "Measurement of Information." In Conception of Library and Information Science: Historical, and Theoritical Perspective. (P. Vakkari, & B. Cronin, Eds.) London: Taylor Graham. Henley, J.P., 1972. Computer-Based Library and Information Systems. Great Britain: Balding & Mansell Ltd.,. Hinde, S., 2003. Careless about privacy. UK. Indahshah. (2011, January 28). Ubiquitous Library. (N. R. Tarmuchi, Interviewer) Kruger, H.A., & W.D. Kearney, 2006. A Prototype for assessing information security awareness. Computer & Security, 25: 289-296. Kruger, H., L. Drevin, & T. Styen, 2010. A vocabulary test to asses information security awareness. Information Security & Computer Security, 18(5): 316-327. Lester, J., & W.C. Koehler, 2007. Fundamentals of Information Studies (2nd edition ed.). USA: Neal-Schuman Pubilchers, Inc. Losee, R.M., 1998. A discipline independent definition of information. Journal of the American Society for Information Science and Technology, 48(3): 254-269. Madden, A.D., 2000. A definition of information. Aslib Proceedings, 52(9): 343-349. Malaysia Computer Emergency Response Team (MyCERT). (2010, February). MYCERT 1st Quarter Summary 2010 Summary Report. eSecurity, pp: 1-2. Martha, A., W. Iaian, & D. Ngaire, 2006. Social Cognition: An Integrated Approach (2nd Edition ed.). London: SAGE Publisher. Martin, R., D. Watson, & C.K. Wan, 2000. A Three-Factor Model of Trait Anger: Dimensions of Affect, Behavior, and Cognition. Journal of Personality, 68(5\): 869-897. Mohamad Noorman, M., 2005. Content Management Systems: An Introduction. Journal of Knowledge Management, 1(2): 89-97. Myers, M.D., & D. Avison, 2002. Qualitative Research in Information Systems. London, UK: Sage Publication. Nurul Hidayah, A.R., 2009. A Prototype to Evaluate Information Secuirty Awareness Level for Teacher and Student in Secondary School. Master Dissertation, 1-97. O'Regan, G., 2008. A Brief History of Computing. Springer. Peltier, T., 2001. Information Security Risk Analysis. USA: Auerbach Publications, div. of CRC Pres LLC. Peltier, T.R., 2005. Implementing an Information Security Awareness Program. Security Management Practices, 37-49. Pervan, G.P., & D.J. Klass, 1992. The use and misuse of statistical method in Information System research. (Galliers, Ed.) Oxford: Blackwell Scientific Publications. Pfleeger, C.P., & S.L. Pfleeger, 2003. Security in computing (3rd Edition ed.). USA: Prentice Hall. Pfleeger, C.P., & S.L. Plfeegers, 2007. Security in Computing (4th Edition ed.). NJ: Prentice-Hall.
1735 J. Appl. Sci. Res., 8(3): 1723-1735, 2012
Porat, M.U., 1977. The Information Economy: Definition and Measurement . Washington: U.S Department of Commerce, Office of Telecommunication. Puhakainen, P., 2006. A design theory for information security awareness. Oulu: Department of Information Processing Science, University of Oulu. Rafidah, A.H., 2010. ISMS Implementation: Examining Roles and Responsibilities. CyberSecurity Knowledge Bank Articles, pp: 1-2. Ratzan, L., 2004. Understanding Information Systems. USA: ALA. Richard, D., 1985. The Concept of Information in Ordinary Discourse. Information Processing & Management , 21: 489-499. Saint-Gemain, R., 2005. Information security management best practice based on ISO/IEC 17799. Information Management Journal, 39(4): 60-65. Satzinger, J., R. Jackson, & S. Burn, 2009. Systems Analysis & Design in Changing World. USA: Course Technology. Schneier, B., 2008, August 10. The problem is information insecurity. Retrieved January 5, 2011, from http://www.schneier.com/essay-233.html Sekaran, U., 2006. Research Methods for Business. A Skill Building Approach. New Delhi: Wiley India Publication. Shahibi, M.S., 2010. The Identification of Trust Factor in Electronic Commerce Usage. Shashi, P.S., 2007. What are we managing - knowledge or information? The journal of information and knowledge management systems, 37(2): 169-179. Siponen, M.T., 2000. A conceptual foundation for organizational information security awareness. Information Management & Computer Security, pp: 31-41. Siponen, M.T., 2001. Five Dimensions of Information Security Awareness. Computer and Society, pp: 24-29. Siponen, M.T., & H. Oinas-Kukkonen, 2007. A review of information security issues and respective research contributions. ACM SIGMIS Database, 38(1): 60-80. Solms, B.v., 2001. Corporate Governance and Information Security. Computers & Security, 20(3): 215-218. Solms, B.v., 2000. Information Security - The Third Wave? Computer & Security, 19: 615-620. Solms, B.v., 2000. Information Security. Computers & Security, 19: 615-620. Solms, R.v., 1998. Information Security Management (3): The Code of Practice for Information Security Management (BS7799). Information Management & Computer Security, 6(5): 224-225. Solms, R.v., & B.v. Solms, 2004. From policies to culture. Computers & Security, 23(4): 275e279. Stanton, J.M., K.R. Stam, P. Mastrangelo, & J. Jolton, 2005. Analysis of end user security behaviors. Computers & Securitt, 24(2): 124-133. Straub, D.W., 1990. Effective IS Security: An Empirical Study. Information System Research, 1(3): 255-276. Takemura, T., 2010. A Quantitative Study on Japenes Workers' Awareness to Information Security Using the Data Collected by Web-Based Survey. American Journal of Economics and Business Administration, 2026. Theiss, H., 1983. On Terminology. Information Science in Action: System Design, 1: 84-94. Thomson, M.E., & R.v. Solms, 1998. Information security awareness: educating your users effectively. Information Management & Computer Security, 6(4): 167-173. Tim, R.V., Davis, & L. Fred, 1980. A Social Learning Approach to Organizational Behavior. The Academy of Management Review, pp: 281-290. Tipton, H.F., & M. Krause, (Eds.). 2004. Informationi Security Management Handbook (5th Edition ed.). U.S.A: CRC Press LC. Vroom, C., & R.v. Solms, 2004. Towards information security behavioural compliance. Computers & Security, 23(3): 191-198. Whitman, M.E., & H.J. Mattord, 2005. Principles of Information Security (2nd Edition ed.). Australia: Thomson course Technology. Zahri, Y., & M.Z. Ahmad Nasir, 2003. Future Cyber Weapons. The Star In Tech, pp: 1-4. Zikmund, W.G., 1994. Business Research Method; International Edition (4th ed.). Texas: The Dryden Press.
