Search results

1 – 10 of 17
Article
Publication date: 9 July 2018

Agata McCormac, Dragana Calic, Kathryn Parsons, Marcus Butavicius, Malcolm Pattinson and Meredith Lillie

Abstract

Purpose

The purpose of this study was to investigate the relationship between resilience, job stress and information security awareness (ISA). The study examined the effect of resilience and job stress on the three components that comprise ISA, namely, knowledge, attitude and behaviour.

Design/methodology/approach

A total of 1,048 working Australians completed an online questionnaire. ISA was measured with the Human Aspects of Information Security Questionnaire. Participants also completed the Brief Resilience Scale and the Job Stress Scale.

Findings

It was found that participants with greater resilience also had higher ISA and experienced lower levels of job stress. More specifically, individuals who reported higher levels of resilience had significantly better knowledge, attitude and behaviour. Similarly, participants who reported lower levels of job stress also reported significantly better knowledge, attitude and behaviour. Resilience plays an important mediating role in the relationship between job stress and ISA. This means that even if people have high levels of job stress, if they are better able to cope with or adapt to stress (i.e. have higher resilience), they are less likely to have lower ISA. Results of this study add to the body of literature emphasising the positive effects of resilience and suggest that resilience is associated with improved ISA and therefore more secure behaviour.

Research limitations/implications

Future research should focus on assessing the influence of resilience training in the workplace.

Originality/value

Given the constructive findings, it may be valuable to focus on the effect of organisational culture, and organisational security culture, on resilience, job stress and ISA.

Details

Information & Computer Security, vol. 26 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 13 November 2019

Malcolm Pattinson, Marcus Butavicius, Meredith Lillie, Beau Ciccarello, Kathryn Parsons, Dragana Calic and Agata McCormac

Abstract

Purpose

This paper aims to introduce the concept of a framework of cyber-security controls that are adaptable to different types of organisations and different types of employees. One of these adaptive controls, namely, the mode of training provided, is then empirically tested for its effectiveness.

Design/methodology/approach

In total, 1,048 working Australian adults completed the human aspects of the information security questionnaire (HAIS-Q) to determine their individual information security awareness (ISA). This included questions relating to the various modes of cyber-security training they had received and how often it was provided. Also, a set of questions called the cyber-security learning-styles inventory was used to identify their preferred learning styles for training.

Findings

The extent to which the training that an individual received matched their learning preferences was positively associated with their information security awareness (ISA) level. However, the frequency of such training did not directly predict ISA levels.

Research limitations/implications

Further research should examine the influence of matching cyber-security learning styles to training packages more directly by conducting a controlled trial where the training packages provided differ only in the mode of learning. Further research should also investigate how individual tailoring of aspects of an adaptive control framework (ACF), other than training, may improve ISA.

Practical implications

If cyber-security training is adapted to the preferred learning styles of individuals, their level of ISA will improve, and therefore, their non-malicious behaviour, whilst using a digital device to do their work, will be safer.

Originality/value

A review of the literature confirmed that ACFs for cyber-security do exist, but only in terms of hardware and software controls. There is no evidence of any literature on frameworks that include controls that are adaptable to human factors within the context of information security. In addition, this is the first study to show that ISA is improved when cyber-security training is provided in line with an individual’s preferred learning style. Similar improvement was not evident when the training frequency was increased, suggesting real-world improvements in ISA may be possible without increasing training budgets but by simply matching individuals to their desired mode of training.

Article
Publication date: 12 June 2017

Malcolm Pattinson, Marcus Butavicius, Kathryn Parsons, Agata McCormac and Dragana Calic

Abstract

Purpose

The aim of this study was first to confirm that a specific bank’s employees were generally more information security-aware than employees in other Australian industries and second to identify the major factors that contributed to this bank’s high levels of information security awareness (ISA).

Design/methodology/approach

A Web-based questionnaire (the Human Aspects of Information Security Questionnaire – HAIS-Q) was used in two separate studies to assess the ISA of individuals who used computers at their workplace. The first study assessed 198 employees at an Australian bank and the second study assessed 500 working Australians from various industries. Both studies used a Qualtrics-based questionnaire that was distributed via an email link.

Findings

The results showed that the average level of ISA among bank employees was consistently 20 per cent higher than that among general workforce participants in all focus areas and overall. There were no significant differences between the ISA scores for those who received more frequent training compared to those who received less frequent training. This result suggests that the frequency of training is not a contributing factor to an employee’s level of ISA.

Research limitations/implications

This current research did not investigate the information security (InfoSec) culture that prevailed within the bank in question because the objective of the research was to compare a bank’s employees with general workforce employees rather than compare organisations. The research did not include questions relating to the type of training participants had received at work.

Originality/value

This study provided the bank’s InfoSec management with evidence that their multi-channelled InfoSec training regime was responsible for a substantially higher-than-average ISA for their employees. Future research of this nature should examine the effectiveness of various ISA programmes in light of individual differences and learning styles. This would form the basis of an adaptive control framework that would complement many of the current international standards, such as ISO’s 27000 series, NIST’s SP800 series and ISACA’s COBIT5.

Article
Publication date: 4 April 2024

Andrew Reeves, Malcolm Pattinson and Marcus Butavicius

Abstract

Purpose

The purpose of this study is to investigate the extent to which a sample of the Australian cybersecurity industry is impacted by burnout.

Design/methodology/approach

Based on the review of the literature, this research investigates the following three hypotheses. Gender will significantly predict burnout scores. Those who identify as women will score higher on average than those who identify as men (because of being in a male-dominated industry). Self-reported burnout will differ across job roles. In addition, the authors expect these relationships to hold across the three dimensions of burnout, namely, emotional exhaustion, depersonalisation and professional efficacy. Sleep quality will be associated with burnout.

Findings

Gender and job role were significant predictors of emotional exhaustion, but not depersonalisation or professional efficacy. The interaction between gender and job role was also significant. Senior managers experienced poorer quality sleep, and poorer sleep quality was associated with greater reported emotional exhaustion at work. For emotional exhaustion, female respondents who worked in security consultant roles tended to score higher than their male counterparts.

Practical implications

Left unaddressed, the high level of workplace burnout may add to the well-being and retention problems developing within the cybersecurity community. These results indicate that organisations should look to measure the well-being of their own cyber workforce and implement meaningful changes if they wish to keep their cyber talent and enable them to thrive at work.

Originality/value

This research paper is an extension of a previous paper by the same authors which is titled “Is Your CISO Burnt Out Yet”. This paper examined the demographic differences in workplace burnout among cybersecurity professionals.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 13 June 2016

Malcolm Pattinson, Kathryn Parsons, Marcus Butavicius, Agata McCormac and Dragana Calic

Abstract

Purpose

The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accidental information security behaviours.

Design/methodology/approach

In the first study, 23 university students responded to an online survey within a university laboratory setting that captured their attitudes toward behaviours in each of seven focus areas. In the second study, the same students participated in a one-on-one repertory grid technique interview that elicited their attitudes toward the same seven behaviours. Results were analysed using Spearman correlations.

Findings

There were significant correlations for three of the seven behaviours, although attitudes relating to password management, use of social networking sites, information handling and reporting of security incidents were not significantly correlated.

Research limitations/implications

The small sample size (n = 23) and the fact that participants were not necessarily representative of typical employees may have impacted on the results.

Practical implications

This study contributes to the challenge of developing a reliable instrument that will assess individual InfoSec awareness. Senior management will be better placed to design intervention strategies, such as training and education of employees, if individual attitudes are known. This, in turn, will reduce risk-inclined behaviour and result in a more secure organisation.

Originality/value

The literature review indicates that this study addresses a genuine gap in the research.

Details

Information & Computer Security, vol. 24 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 16 March 2012

Malcolm Pattinson, Cate Jerram, Kathryn Parsons, Agata McCormac and Marcus Butavicius

Abstract

Purpose

The purpose of this paper is to investigate the behaviour response of computer users when either phishing e‐mails or genuine e‐mails arrive in their inbox. The paper describes how this research was conducted and presents and discusses the findings.

Design/methodology/approach

This study was a scenario‐based role‐play experiment that involved the development of a web‐based questionnaire that was only accessible by invited participants when they attended a one‐hour, facilitated session in a computer laboratory.

Findings

The findings indicate that overall, genuine e‐mails were managed better than phishing e‐mails. However, informed participants managed phishing e‐mails better than not‐informed participants. Other findings show how familiarity with computers, cognitive impulsivity and personality traits affect behavioural responses to both types of e‐mail.

Research limitations/implications

This study does not claim to evaluate actual susceptibility to phishing emails. The subjects were University students and therefore the conclusions are not necessarily representative of the general population of e‐mail users.

Practical implications

The outcomes of this research would assist management in their endeavours to improve computer user behaviour and, as a result, help to mitigate risks to their organisational information systems.

Originality/value

The literature review indicates that this paper addresses a genuine gap in the research.

Article
Publication date: 16 October 2007

Malcolm R. Pattinson and Grantley Anderson

Abstract

Purpose

The aim of this paper is, first, to discuss how the risk perceptions of computer end‐users may be influenced by improving the process of risk communication by embedding symbols and graphics within information security messages. The second aim is to describe some pilot study research that the authors have conducted in an attempt to ascertain whether the embedding of symbols and graphics within information security messages achieves a shift in the risk perceptions of computer end‐users.

Design/methodology/approach

Two pilot studies were undertaken. The objective of each study was to establish whether the embedding of a relevant graphic relating to some known aspect of information security, when placed inside an information security message, would have any influence on the information security risk perceptions of any individual to whom the message was being communicated. In both studies, the method of eliciting a response from each participant involved the use of a type of semantic differential (SD) grid.

Findings

On completing an analysis of the responses to the SD grid survey for both studies, no statistically significant differences were detected between the groups with respect to any of the six relevant scales. Nevertheless, it seems that the differences were large enough for the present authors to be convinced that the SD measures used are an appropriate survey technique for future studies in a workplace environment.

Research limitations/implications

The research subjects (i.e. survey participants) for both pilot studies were students of the University of South Australia. There are many ways in which information risk communication could be made more effective and this paper only attempts to show how graphics and symbols could be used to convey risk messages more effectively. This paper does not in any way attempt to provide any “silver‐bullet” solutions for management in terms of what they can do towards managing information risk.

Practical implications

The ultimate objective of this research is to subsequently advise management on how they can communicate information risk simply and more effectively to achieve the final outcome, i.e. the mitigation of actual risks.

Originality/value

It is believed that, if the effectiveness of the various forms of risk communication within an organisation can be increased, then the general perception of the risks to the information systems will be more realistic.

Details

Information Management & Computer Security, vol. 15 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 7 October 2014

Kathryn Parsons, Agata McCormac, Malcolm Pattinson, Marcus Butavicius and Cate Jerram

Abstract

Purpose

The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations.

Design/methodology/approach

A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants across the three organisations. This was complemented by interviews with senior management from these agencies.

Findings

Overall, management and employees had reasonable levels of InfoSec awareness. However, weaknesses were identified in the use of wireless technology, the reporting of security incidents and the use of social networking sites. These weaknesses were identified in the survey data of the employees and corroborated in the management interviews.

Research limitations/implications

As with all such surveys, responses to the questions on attitude and behaviour (but not knowledge) may have been influenced by the social desirability bias. Further research should establish more extensive baseline data for the survey and examine its effectiveness in assessing the impact of training and risk communication interventions.

Originality/value

A new survey tool is presented and tested which is of interest to academics as well as management and IT systems (security) auditors.

Details

Information Management & Computer Security, vol. 22 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 February 1981

Alan Day, Malcolm Key, Mike Cornford, Wilfred Ashworth, Richard Preston, Mike Pattinson, Roman Iwaschkin and Wilfred Ashworth

Abstract

THE New English dictionary on historical principles founded mainly on the materials collected by the Philological Society, edited by James A H Murray, forty‐four years in the making, and now known the world over as the Oxford English dictionary holds an unchallenged place in that remarkable series of substantial works of learning and scholarship planned, nurtured, and executed in the latter half of the nineteenth century. The Rolls series, the Dictionary of national biography, and at the turn of the century, the Cambridge modern history and the Victorian history of the counties of England, all bear witness to the tremendous, almost incredible, energy of the Victorian middle classes who, sometimes holding academic posts at the universities, or perhaps earning their bread as publishers (regarded then as one of the very few commercial pursuits allowed to gentlemen), formed clubs and learned societies to occupy their ‘leisure’ hours, and conceived and brought to fruition their costly schemes for ambitious publishing programmes, refusing to be deterred by years of unremitting toil which consumed their time, their money, but never sapped their vision or their dedication.

Details

New Library World, vol. 82 no. 2
Type: Research Article
ISSN: 0307-4803

Open Access
Article
Publication date: 26 November 2021

Kristina Gyllensten and Marianne Torner

Abstract

Purpose

The aim of this study was to explore the organizational and social prerequisites for employees' participative and rule-compliant information security behaviour in Swedish nuclear power production and its related industry. These industries are high-risk activities that must be meticulously secured. Protecting the information security in the related organizations is an essential aspect of this.

Design/methodology/approach

Individual in-depth interviews were conducted with 24 employees in two organizations within the nuclear power industry in Sweden.

Findings

We found that prerequisites for employees' participative and rule-compliant information security behaviour could be categorized into structural, social and individual aspects. Structural aspects included well-adapted rules, knowledge support and resources. Social aspects included a supportive organizational culture, collaboration and adequate resources, and individual aspects included individual responsibility.

Originality/value

The qualitative approach of the study provided comprehensive descriptions of the identified preconditions. The results may thus enable organizations to better promote conditions important for information security in a high-risk industry.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 2 no. 1
Type: Research Article
ISSN: 2635-0270
