OUA Assignment Cover Sheet, University of South Australia
Research Proposal
Hong Chan
External
Chaht01f
00069566
Table of Contents
Abstract ............................................................................................................................. ii
1 Introduction ................................................................................................................... 1
1.1 Partnership – TAFE South Australia .............................................................. 2
1.2 Researcher’s Personal Interest ........................................................................ 2
1.3 Potential Contributions ................................................................................... 2
1.4 Limitations ...................................................................................................... 2
1.5 Field of Thesis ................................................................................................ 3
1.6 Research Question .......................................................................................... 3
2 Literature Review .......................................................................................................... 4
2.1 Information Security ....................................................................................... 4
2.2 Employee Information Security Awareness ................................................... 5
2.3 Managerial Information Security Awareness ................................................. 6
2.4 Other Relevant Literature ............................................................................... 7
2.5 Assessing Information Security Awareness ................................................... 9
2.6 Literature Review Summary......................................................................... 10
3 Methodology................................................................................................................ 11
3.1 Research Design ........................................................................................... 11
3.2 Data Analysis ................................................................................................ 12
3.3 Expected Results .......................................................................................... 12
4 Ethics and Compliance ................................................................................................ 13
References ...................................................................................................................... 14
Project Schedule ............................................................................................................. 16
Trial Table of Contents ................................................................................................... 17
Abstract
The literature on information security consistently emphasises the importance of information
security awareness in sustaining organisation-wide security measures. It is also widely accepted
that information security awareness is an important factor in a successful security plan, and
that it should be properly assessed before improvements are proposed.
While it is established that staff at all levels of an organisation should have a high level of
information security awareness, there is a clear gap in the current literature: virtually no
studies have examined information security awareness in an Australian context.
This study proposes to directly assess employee information security awareness at TAFE South
Australia in order to provide much needed insight into awareness levels in Australian
organisations.
If the gap in the literature is any indication, awareness levels among TAFE South Australia
employees are expected to be low, which would warrant further work on ways of improving them.
1 Introduction
Due to advances in information technology and the resulting high accessibility of information
to internal and external users, information security has become highly relevant and necessary
for the survival of organisations (von Solms 1998; Cervone 2005; Thompson 2006). Failure to
protect confidential information may result in exorbitant public liability costs, which may in
turn lead to the downfall of an organisation.
Many papers, such as von Solms (1998) and Cervone (2005), have concluded that to counteract
or to minimise the risk of information security breaches, it is important for an organisation to
implement an information security plan or strategy.
Further, Namjoo et al. (2008) suggested that preventative action by organisations usually takes
place only after an information security breach has occurred. By the time an incident has taken
place, it may already be too late. In addition, organisations have an ethical and/or legal
responsibility to ensure that confidential client information is well protected.
It is widely accepted within the current literature that information security awareness is a key
contributor to a successful security strategy (Siponen & Vance 2010; Spears & Barki 2010;
McFadzean, Ezingeard & Birchall 2007; Knapp et al. 2006; Mouratidis, Jahankhani & Nkhoma
2008; Hagen, Albrechtsen & Hovden 2008; Doherty, Anastasakis & Fulford 2009; Bulgurcu,
Cavusoglu & Benbasat 2010; Namjoo et al. 2008). Further, there is a positive and direct
relationship between information security awareness and preventative action, and thus improved
security performance (Knapp et al. 2006), which suggests that assessing employee security
awareness should be the starting point in developing or enhancing any security strategy.
Because studies of organisational information security awareness in an Australian context are
virtually non-existent, this investigative study aims to assess the employee awareness levels of
an Australian organisation. Assessment will be conducted using a vocabulary test based on
Kruger, Drevin & Steyn (2010), modified to suit the Australian context. The test will be
delivered online and the collected data will be analysed to determine employee awareness
levels.
1.1 Partnership – TAFE South Australia
TAFE South Australia recognises the potential benefits of this study for the organisation and
for Australian organisations in general, and has kindly agreed to take part in this study by
allowing its employees to be the subjects of the research.
TAFE South Australia is an agency of the Department of Further Education, Employment, Science
and Technology (DFEEST) within the Government of South Australia. It is the largest provider of
vocational education and training in South Australia.
With over 2400 lecturing, administrative and management employees spread across 48 campuses
around the State of South Australia (TAFE South Australia 2011), the organisation is expected to
provide sufficient data for a conclusive analysis.
1.4 Limitations
Assessing awareness is only the first step in ensuring information security; this study is
limited in that it will not investigate how awareness can be improved. Further study is needed
and will be considered in the future.
1.5 Field of Thesis
Information Security, Information Security Awareness, Information Assurance, Information
Management.
2 Literature Review
The following sections review the current literature relating to information security awareness
within the scope of this proposal. First, literature providing background information is briefly
discussed. This is followed by a review of studies that place emphasis on information security
awareness. Finally, a brief summary of the reviewed literature is provided, explaining the
justification for investigating information security awareness in an Australian context.
Further, Cervone (2005) stated that as software grows more complex, software vulnerabilities
also increase, and security breaches follow. Of particular relevance to this proposed research is
the obtaining of confidential information by illegal means. The liability to an organisation if
this were to occur could financially cripple the organisation and cause a public outcry. In order
to minimise or prevent information security breaches, an organisation must implement a
preventative information security plan.
Cervone (2005) identified three major areas that a security plan should address: confidentiality,
protecting information from unauthorised access; integrity, protecting information from
unauthorised alteration; and availability, providing access to information as required, when
required.
implemented information security plan to prevent social engineering, employees play an active
and important role. The starting point would be to ensure that employees have a high level of
information security awareness, and this forms the basis for this proposed research.
Siponen & Vance (2010) explained information security breaches by employees from a
neutralization theory perspective. That is, the study concluded that employees who are
responsible for security breaches often justify or rationalise their actions using neutralization
techniques. Neutralization is a concept borrowed from criminology. The study was not directly
concerned with information security awareness. However, Siponen & Vance (2010) did propose
that policy awareness campaigns may be used to counteract the effects of neutralization, thereby
ensuring that security policies are adhered to, which suggests that further investigation into
information security awareness is warranted.
Spears & Barki (2010) explored the relationship between employee participation in risk
management and internal security compliance. The study concluded that employee participation
in risk management greatly contributed to improved security control performance, owing to
greater alignment between security risk management and the business environment, better
policy development and, more importantly for the purpose of this research, greater information
security awareness. While the study did not explore information security awareness as the main
driver of a successful security policy, it did highlight it as a main contributor.
2.3 Managerial Information Security Awareness
Most studies have so far explored the significance of information security awareness of
employees in general. This section presents current literature which has identified the
importance of managerial information security awareness.
McFadzean, Ezingeard & Birchall (2007) identified the awareness of senior management as an
important driver of effective security measures. The study argued that senior executives have a
holistic view of the organisation and therefore have the power to effect change through their
role as strategy implementers. It found that board-level perceptions, and thereby information
security awareness, are positively related to the strategic activities of an organisation.
Similar to McFadzean, Ezingeard & Birchall (2007), Knapp et al. (2006) also identified senior
management as key players. The study found that senior management support is positively
related to both an organisation's security culture and the level of policy enforcement. While the
study did not directly explore managerial information security awareness as a predictor of
security performance, it again highlights the importance of management involvement, and thus
of managerial information security awareness, in an organisation's information security
readiness.
Mouratidis, Jahankhani & Nkhoma (2008) studied the differences in the perception of network
security between general management personnel and the personnel responsible for actual
network security. The study found that general managers do have different perspectives on
network security from network security management personnel. In particular, the effectiveness
and efficiency of the network, the control of security, the security decision-making process and
the users of the network all showed significant perceptual differences. This points to a lack of
information security awareness within general management which, consistent with McFadzean,
Ezingeard & Birchall (2007), could have a negative impact on the effectiveness of information
security policies.
Namjoo et al. (2008) further reinforced the importance of managerial information security
awareness by investigating the relationship between managerial information security awareness
and action. The study provided empirical support for a positive relationship between awareness
and action: the higher the level of managerial information security awareness, the more likely
managers are to take action in implementing preventative measures. The study also suggested
that preventative action usually occurs after the fact; that is, unless an actual information
security breach has occurred, organisations usually take no action in adopting security
measures. Like various similar studies, Namjoo et al. (2008) implied that raising managerial
information security awareness could in fact improve information security performance.
According to Doherty, Anastasakis & Fulford (2009), ensuring the security of information has
become extremely complex and challenging. This is even more so for universities, because
teaching and research activities are increasingly reliant on the availability, integrity and
accuracy of computer-based information. The study empirically examined the structure and
content of the security policies of UK universities in order to fill a gap in the literature. It found
that, given the wide diversity of these policies, it was not possible to foster a coherent approach
to security management. It also found that the range of issues covered in such policies was
surprisingly narrow and reflected a highly techno-centric rather than user-centric view of
information security management. This suggests that user or staff information security
awareness is neither prominent nor considered in these policies. Again, while Doherty,
Anastasakis & Fulford (2009) only explored UK universities, it can be posited that Australian
higher education institutions such as TAFE South Australia may have similar attitudes, further
justifying the need to explore information security awareness in an Australian setting.
In another non-Australian context, Dzazali, Sulaiman & Zolait (2009) aimed to evaluate the
maturity level of information security in the Malaysian Public Service. The study used
convenience sampling and collected survey data from 970 individuals. It revealed that spamming
was the most prevalent incident type (42%), followed by malicious code (41%). Notably, 25% of
incidents came from internal sources and 11% from external sources, with 49% from unknown
sources. Findings on the maturity level showed that 61% of respondents were at level 3,
followed by 21% at level 2. At the higher end, only 13% were at level 4 and a minuscule 1% at
level 5. The study did not directly examine security awareness, but the finding that internal
incidents outnumbered external ones suggests, taken together with the other studies discussed
here, that security awareness is a factor. While this study was conducted in relation to the
Malaysian Public Sector, a similar investigation could be adopted to examine information
security maturity levels within the Australian public sector, to which TAFE South Australia
belongs.
Samy, Ahmad & Ismail (2010) was another study of information security in a non-educational
industry in a non-Australian setting. The study investigated the various types of threats to
Malaysian healthcare information systems. The systems in question all belonged to
government-funded hospitals, from which the data were collected. The study identified 22 types
of threat according to the major threat categories of ISO/IEC 27002. More importantly, the
results showed that the most critical threat to these systems was power failure, followed by
human error. While power failure may be unavoidable, human error is not. Samy, Ahmad &
Ismail (2010) stated that the human errors were due to a lack of awareness and good practice
among staff.
Similar to Samy, Ahmad & Ismail (2010), Williams (2008) studied the failure of the American
health industry to recognise the seriousness of information security threats to patient and
practice information. The study attributed this failure to a lack of understanding of security
concepts, underestimation of potential threats and the difficulty of setting up security
measures. To investigate these factors, research into general practitioners' security practices
and perceptions of security was undertaken. It was found that poor implementation of security
measures and a lack of knowledge were key factors. The results also showed that information
security relied overwhelmingly on trusting staff and the computer systems themselves, rather
than on an overall security policy, which the study recommended.
While Samy, Ahmad & Ismail (2010) and Williams (2008) both investigated information
security in the health industry, in Malaysia and America respectively, it can be posited that
Australian higher education institutions face similar threats owing to the large amount of
confidential and personal data relating to students held in their databases, thus warranting
further investigation.
Most of the literature reviewed so far has only briefly discussed employee or managerial
information security awareness, or has only implied, assumed or posited the importance of
information security awareness (Siponen & Vance 2010; Spears & Barki 2010; McFadzean,
Ezingeard & Birchall 2007; Knapp et al. 2006; Mouratidis, Jahankhani & Nkhoma 2008;
Hagen, Albrechtsen & Hovden 2008; Doherty, Anastasakis & Fulford 2009). Few studies have
directly assessed information security awareness.
Similarly, Namjoo et al. (2008) examined the information security awareness of managers in
order to determine its relationship with managerial preventative action. Like Bulgurcu,
Cavusoglu & Benbasat (2010), simple questions were used to gauge awareness. These questions
were again limited in that they were only relevant in the context of an existing security policy.
Perhaps the most extensive tool for assessing information security awareness was proposed by
Kruger, Drevin & Steyn (2010). Like many studies, Kruger, Drevin & Steyn (2010)
acknowledged that an organisation's survival necessitates a security programme. Because of the
importance of information security awareness in ensuring a successful plan, the study proposed
that the starting point in developing a plan is to assess the awareness levels of employees. The
study examined the feasibility of an information security awareness test for employees, with the
aim of identifying suitable topics to include in an information security awareness training
programme. It found that a vocabulary test is a beneficial way of gauging the awareness of
employees. It is important to note, however, that the test population used by the study consisted
of university students rather than employees of an actual organisation. Nonetheless, for the
purpose of this proposed research, the vocabulary test proposed by Kruger, Drevin & Steyn
(2010) will be modified to fit the Australian organisational context and used to assess the
awareness levels of TAFE South Australia employees. This is discussed further in the
methodology section of this proposal.
3 Methodology
This study is an investigative case study. A questionnaire based on Kruger, Drevin & Steyn
(2010) will be developed to assess the information security awareness of TAFE South Australia
employees. The questionnaire will be delivered online (web based) to ensure greater reach, and
thus that enough responses are obtained for a conclusive data analysis.
The questions have not been finalised, but it is anticipated that section 1 questions will be based
on generally accepted information security terminology, in order to gauge an employee's general
knowledge of information security. A tentative sample question is provided as follows:
The questions for section 2 have likewise not been finalised; they will relate to the
organisation's security strategy or plan, in order to gauge the employee's awareness of any
existing strategy or plan. A tentative sample question is provided as follows:
In addition to answering the questions, respondents will be asked to provide their level within
the organisation (non-management, management or executive management). This will enable
the results to be split by demographic group and compared across groups.
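The scoring and per-group reporting described in the methodology above, and the vocabulary-test approach of Kruger, Drevin & Steyn (2010) discussed in the literature review, can be illustrated in code. The following Python is an added example; it is not part of the proposal and not Kruger, Drevin & Steyn's instrument. The item identifiers, answer key, organisational level labels, minimum group size and every response are constructed assumptions. It also adds one check that the proposal does not mention but that the ethics section's concern with personal data makes relevant: when results are split by organisational level, the executive management group of a single organisation is likely to be small, so a mean reported for it could identify individuals, and the example therefore suppresses any group below a minimum size rather than publishing its figure.

```python
"""Scoring a vocabulary-style awareness questionnaire and summarising the results
by organisational level, with small-group suppression.

Added illustration for this proposal; it is not the proposal's instrument. The
item ids, answer key, level labels and responses below are constructed.
"""
from collections import defaultdict
from statistics import mean

# Hypothetical answer key: item id -> correct option letter. 's1_' items stand for
# section 1 (general terminology), 's2_' items for section 2 (the organisation's own
# security plan). Real items would come from the adapted Kruger, Drevin & Steyn test.
ANSWER_KEY = {
    "s1_q1": "b", "s1_q2": "a", "s1_q3": "c",
    "s2_q1": "a", "s2_q2": "d",
}

LEVELS = ("non-management", "management", "executive management")

# Assumption: a level with fewer respondents than this is not reported as a mean,
# because a mean over two or three executives is close to a per-person result.
MIN_GROUP_SIZE = 5


def score_response(answers, key=ANSWER_KEY):
    """Fraction of items answered correctly. An unanswered item counts as wrong:
    not knowing a term is exactly what a vocabulary test is meant to detect."""
    correct = sum(1 for item, right in key.items() if answers.get(item) == right)
    return correct / len(key)


def section_scores(answers, key=ANSWER_KEY):
    """Score per section, keyed by the 's1'/'s2' prefix of the item id, so that
    general knowledge and policy knowledge can be reported separately."""
    hits = defaultdict(list)
    for item, right in key.items():
        hits[item.split("_", 1)[0]].append(answers.get(item) == right)
    return {sec: sum(h) / len(h) for sec, h in hits.items()}


def summarise_by_level(responses, min_group=MIN_GROUP_SIZE):
    """Mean awareness score per organisational level.

    Returns {level: {"n": count, "mean": value or None, "suppressed": bool}}.
    A level with fewer than `min_group` respondents is reported as suppressed
    instead of as a number. Unknown level labels are rejected rather than
    silently dropped, so a broken form cannot quietly shrink a group."""
    groups = defaultdict(list)
    for resp in responses:
        level = resp["level"]
        if level not in LEVELS:
            raise ValueError(f"unknown organisational level: {level!r}")
        groups[level].append(score_response(resp["answers"]))
    summary = {}
    for level in LEVELS:
        scores = groups.get(level, [])
        if len(scores) < min_group:
            summary[level] = {"n": len(scores), "mean": None, "suppressed": True}
        else:
            summary[level] = {"n": len(scores), "mean": round(mean(scores), 3),
                              "suppressed": False}
    return summary


def _resp(level, **answers):
    return {"level": level, "answers": answers}


# Constructed sample responses (not survey data). A missing key is an unanswered item.
SAMPLE_RESPONSES = [
    _resp("non-management", s1_q1="b", s1_q2="a", s1_q3="c", s2_q1="a", s2_q2="d"),  # 5/5
    _resp("non-management", s1_q1="b", s1_q2="a", s1_q3="c", s2_q1="b", s2_q2="d"),  # 4/5
    _resp("non-management", s1_q1="b", s1_q2="c", s1_q3="c", s2_q1="a", s2_q2="a"),  # 3/5
    _resp("non-management", s1_q1="b", s1_q2="d", s1_q3="a"),                        # 1/5
    _resp("non-management", s1_q1="b", s1_q2="a", s1_q3="a"),                        # 2/5
    _resp("non-management", s1_q1="a", s1_q2="a", s1_q3="c", s2_q1="a", s2_q2="d"),  # 4/5
    _resp("management", s1_q1="b", s1_q2="a", s1_q3="c", s2_q1="a", s2_q2="d"),      # 5/5
    _resp("management", s1_q1="b", s1_q2="a", s1_q3="c", s2_q1="a", s2_q2="c"),      # 4/5
    _resp("management", s1_q1="b", s1_q2="a", s1_q3="b", s2_q1="a", s2_q2="d"),      # 4/5
    _resp("management", s1_q1="b", s1_q2="b", s1_q3="c", s2_q1="c", s2_q2="d"),      # 3/5
    _resp("management", s1_q1="b", s1_q2="a", s1_q3="c", s2_q1="a", s2_q2="d"),      # 5/5
    _resp("executive management", s1_q1="b", s1_q2="a", s1_q3="c", s2_q1="a", s2_q2="d"),
    _resp("executive management", s1_q1="a", s1_q2="a", s1_q3="c", s2_q1="b", s2_q2="d"),
]

if __name__ == "__main__":
    for level, row in summarise_by_level(SAMPLE_RESPONSES).items():
        shown = "suppressed (group too small)" if row["suppressed"] else f"mean {row['mean']}"
        print(f"{level:<22} n={row['n']:<3} {shown}")
```

With the constructed data the two larger groups receive a mean, while the two executive responses are reported only as suppressed; lowering the threshold (for instance to 1) makes the executive figure visible, which is the trade-off between group comparison and respondent anonymity that the analysis plan will need to settle before results are published.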
4 Ethics and Compliance
The University of South Australia is bound by the Australian Code for Responsible Conduct of
Research and the National Statement on Ethical Conduct in Human Research.
Because this study involves human participants, an application for approval will be submitted to
the University's Human Research Ethics Committee before any interaction with participants
takes place.
In addition, verbal permission has already been obtained from TAFE South Australia to interact
with its employees, to deliver appropriate questions to them, and to obtain relevant data in
relation to TAFE South Australia and its employees. However, as required by the University of
South Australia, written approval will be requested from the authorising body of TAFE South
Australia before any data collection or interaction with participants takes place.
Finally, because the online questionnaire delivered as part of this study may involve gathering
information relating to psychological condition or the collection of personal data, the Insurance
for Research Projects and Health Sciences Fieldwork form will be submitted to the Human
Research Ethics Committee, as required by the University, to ensure that the project is covered
by insurance.
References
Cervone, F 2005, ‘Understanding The Big Picture So You Can Plan For Network Security’,
Computers in Libraries, vol. 25, no. 3, pp. 10-15.
Doherty, NF, Anastasakis, L & Fulford, H 2009, ‘The information security policy unpacked: A
critical study of the content of university policies’, International Journal of Information
Management, vol. 29, no. 6, pp. 449-457.
Dzazali, S, Sulaiman, A & Zolait, AH 2009, ‘Information security landscape and maturity level:
Case study of Malaysian Public Service (MPS) organizations’, Government Information
Quarterly, vol. 24, no. 4, pp. 584-593.
Knapp, KJ, Marshall, TE, Rainer, RK & Ford, FN 2006, ‘Information security: management's
effect on culture and policy’, Information Management & Computer Security, vol. 14, no. 1,
pp. 24-36.
Kruger, H, Drevin, L & Steyn, T 2010, ‘A vocabulary test to assess information security
awareness’, Information Management & Computer Security, vol. 18, no. 5, pp. 316-327.
McFadzean, E, Ezingeard, J & Birchall, D 2007, ‘Perception of risk and the strategic impact of
existing IT on information security strategy at board level’, Online Information Review, vol. 31,
no. 5, pp. 622-660.
Namjoo, C, Kim, D, Goo, J & Whitemore, A 2008, ‘Knowing is doing: An empirical validation
of the relationship between managerial information security awareness and action’, Information
Management & Computer Security, vol. 16, no. 5, pp. 484-501.
Samy, NG, Ahmad, R & Ismail, Z 2010, ‘Security threats categories in healthcare information
systems’, Health Informatics Journal, vol. 16, no. 3, pp. 201-209.
Siponen, M & Vance, A 2010, ‘Neutralization: New Insights Into The Problem Of Employee
Information Systems Security Policy Violations’, MIS Quarterly, vol. 34, no. 3, pp. 487-A12.
Spears, JL & Barki, H 2010, ‘User Participation in Information Systems Security Risk
Management’, MIS Quarterly, vol. 34, no. 3, pp. 503-A5.
TAFE South Australia 2011, TAFE South Australia, Adelaide, viewed 12 June 2011,
<http://www.tafe.sa.edu.au/about-tafesa.aspx>.
Thompson, STC 2006, ‘Helping the Hacker? Library Information, Security, and Social
Engineering’, Information Technology & Libraries, vol. 25, no. 4, pp. 222-225.
von Solms, R 1998, ‘Information Security Management (1): Why Information Security is so
Important’, Information Management & Computer Security, vol. 6, no. 4, pp. 174-177.
Williams, PAH 2008, ‘When trust defies common security sense’, Health Informatics Journal,
vol. 14, no. 3, pp. 211-221.
Project Schedule
Trial Table of Contents
Abstract
1 Introduction
1.1 Partnership – TAFE South Australia
1.2 Researcher’s Personal Interest
1.3 Potential Contributions
1.4 Limitations
1.5 Field of Thesis
1.6 Research Question
2 Literature Review
2.1 Information Security
2.2 Employee Information Security Awareness
2.3 Managerial Information Security Awareness
2.4 Other Relevant Literature
2.5 Assessing Information Security Awareness
2.6 Literature Review Summary
3 Methodology
3.1 Research Design
3.2 Data Analysis
4 Results
5 Conclusion
6 Recommendations
References