Dzairol Adzriem Bin Din


  • UNIVERSITI TEKNOLOGI MALAYSIA

    DECLARATION OF THESIS / POSTGRADUATE PROJECT PAPER AND COPYRIGHT

    Author's full name: Dzairol Adzriem Bin Din

    Date of birth : 21st October 1986

    Title : EDUCATIONAL AND TRAINING MODEL OF SECURITY AWARENESS ON MOBILE DEVICE FOR STUDENTS

    Academic Session : 2011/2012(3)

    I declare that this thesis is classified as:

    CONFIDENTIAL (Contains confidential information under the Official Secret Act 1972)*

    RESTRICTED (Contains restricted information as specified by the organization where research was done)*

    OPEN ACCESS I agree that my thesis be published as online open access (full text)

    I acknowledge that Universiti Teknologi Malaysia reserves the right as follows:

    1. The thesis is the property of Universiti Teknologi Malaysia.

    2. The Library of Universiti Teknologi Malaysia has the right to make copies for the purpose of research only.

    3. The Library has the right to make copies of the thesis for academic exchange.

    Certified by:

    SIGNATURE                          SIGNATURE OF SUPERVISOR

    861021-09-5075                     DR. NORAFIDA BINTI ITHNIN

    (NEW IC NO. / PASSPORT NO)         NAME OF SUPERVISOR

    Date : 27 AUGUST 2012              Date : 27 AUGUST 2012

    NOTES : * If the thesis is CONFIDENTIAL or RESTRICTED, please attach the letter from the organization stating the period and reasons for confidentiality or restriction.

  • I hereby declare that I have read this project report and in my opinion this project report is sufficient in terms of scope and quality for the award of the degree of Master of Computer Science (Information Security).

    Signature : ...................................................

    Name of Supervisor : DR. NORAFIDA ITHNIN

    Date : AUGUST 27, 2012

  • EDUCATIONAL AND TRAINING MODEL OF SECURITY AWARENESS ON

    MOBILE DEVICES FOR STUDENTS

    DZAIROL ADZRIEM BIN DIN

    A project report submitted in partial fulfillment of the

    requirements for the award of the degree of

    Master of Computer Science (Information Security)

    Faculty of Computer Science and Information Systems

    Universiti Teknologi Malaysia

    AUGUST 2012

  • ii

    I declare that this project entitled Educational and Training Model of Security

    Awareness on Mobile Device for Students is the result of my own research except

    as cited in the references. The project report has not been accepted for any degree

    and is not currently submitted in candidature of any other degree.

    Signature : ....................................................

    Name : Dzairol Adzriem Bin Din

    Date : August 27, 2012

  • iii

    Alhamdulillah, thank you to Allah. Because of Him, I managed to reach this level. I lovingly dedicate this project to my beloved family, especially to my Dad and Mom, for instilling in me the importance of hard work and higher education. Not forgetting your financial and moral support until your son got to complete this study. Thank you so much.

    I also dedicate this to my respected supervisor, Dr. Norafida Ithnin, who gave me knowledge, advice and encouragement towards the project.

    Dear fellow friends, thanks for your kindness and moral support, always helping each other and motivating each other. Thank you so much. Those sweet memories of us all together will never be forgotten.

  • iv

    ACKNOWLEDGEMENT

    Bismillahirrahmanirrahim

    In the name of Allah, the Most Gracious,

    the Most Merciful and the Most Compassionate.

    Alhamdulillah, all praise to Allah for the strength and His blessing in completing this research and thesis writing. My special appreciation goes to my supervisor, Dr. Norafida Ithnin, who supervised me by giving useful knowledge and constant support. Her invaluable help in constructive comments and suggestions throughout the study has contributed to the success of my research. I also wish to express my appreciation to all lecturers of the computer science faculty and the dearest UTM students who contributed to this research finding and also for their co-operation.

    Sincere thanks are dedicated to all my lovely friends, especially Dunia ScS friends and my Information Security classmates, for their moral support and kindness during my study. All the sweet memories will never be forgotten, and thanks for the friendship and brotherhood.

    Last but not least, deepest gratitude goes to my beloved parents, Mr. Din B. Sabu and Mrs. Zainab Bt. Omar, and also the rest of my family for their endless love, prayers, encouragement, spiritual and financial help and support. To those who indirectly contributed to this research, your kindnesses are highly appreciated. Thank you so much.

    Sincerely: Dzairol Adzriem, 2012

  • v

    ABSTRACT

    Technology is evolving rapidly. Mobile devices have become a vital part of daily human life, and developers keep upgrading devices and software to perform better. The smartphone has replaced the cellular phone and is widely used because of the advanced technology the device offers. As smartphones gain more functions and features in common with computers, they become exposed to numerous security threats such as malicious code (including viruses, worms and Trojans) and other vulnerabilities. Students are often obsessed with owning advanced technology devices but unfortunately lack security awareness on those devices. A lack of security education, together with the feeling that the device is secure enough, has led them to neglect applying security features to the device. Because of this, a study was conducted on UTM students by distributing a pre-survey questionnaire to identify their current state of awareness, concern and knowledge of the technology. The result found that they are still at a low level of awareness and concern and need to undergo proper education and training. A process model of educational and training of security awareness on mobile device has been designed to guide ICT units in conducting the program. Implementing the course or program will, to some degree, increase the students' security knowledge so that they are more aware of securing their devices from unauthorized access.

  • vi

    ABSTRAK

    Current technology is developing rapidly toward greater sophistication. In mobile device technology, since it has become an important part of everyday human life, developers race to upgrade mobile devices to better performance. The smartphone has replaced the mobile phone and has come into wide use because of the technological advances it offers. Having functions and features that closely resemble those of a computer makes the device more exposed to various security threats such as malicious code (including viruses, worms and Trojans) and several other weaknesses. Students are often obsessed with owning sophisticated technology, but their level of awareness of the mobile devices they own is usually very low. A lack of security education, and the feeling that their device is already secure enough, causes students to neglect using the security features of their mobile devices. For that reason, this study was carried out on UTM students by distributing pre-study questions to identify the current state of their awareness and knowledge of the related technology. The results found that they are still at a low level of awareness and that they should undergo proper education and training. A process model for education and training in security awareness on mobile devices has been drawn up to serve as a guide for the ICT unit in running the program for students. By implementing the course program, students' security knowledge will to some extent be raised, making them more careful in preventing their mobile devices from being accessed without permission.

  • vii

    TABLE OF CONTENT

    CHAPTER TITLE PAGE

    DECLARATION ii

    DEDICATION iii

    ACKNOWLEDGEMENTS iv

    ABSTRACT v

    ABSTRAK vi

    TABLE OF CONTENTS vii

    LIST OF TABLES xi

    LIST OF FIGURES xii

    LIST OF ABBREVIATION xiv

    LIST OF APPENDIX xv

    1 INTRODUCTION

    1.1 Introduction 1

    1.2 Problem Background 2

    1.3 Problem Statement 3

    1.4 Project Aims 5

    1.5 Objectives 5

    1.6 Project Scope 5

    1.7 Significance of the Project 6

    1.8 Report Organization 7

    2 LITERATURE REVIEW

    2.1 Introduction 9

    2.2 Information Security Awareness 9

  • viii

    2.3 Component of Security Awareness 10

    2.3.1 Awareness 11

    2.3.2 Training 12

    2.3.3 Education 12

    2.4 Current Stage of Security Awareness 12

    2.5 Mobile Device Technology 18

    2.5.1 Categories of Mobile Device 18

    2.5.2 Mobile Application 20

    2.5.3 Mobile Device Security and Threat/Attack 22

    2.6 Existing Framework / Model / Guidelines / Slogans for Security Awareness 27

    2.6.1 The Continuum (A Role and Performance Model) 28

    2.6.2 NIST-SP800-50, Model 1: Centralized Program Management Model 30

    2.6.3 NIST-SP800-50, Model 2: Partially Decentralized Program Management Model 31

    2.6.4 NIST-SP800-50, Model 3: Fully Decentralized Program Management Model 32

    2.6.5 IS Security Awareness Sequential Model 33

    2.6.6 Full E-Awareness Model (E-AM) 34

    2.6.7 Framework for Evaluating ICT Security Awareness 35

    2.6.8 Southern African Cyber Security Awareness Framework 36

    2.6.9 Awareness Model by [SecurityResearch.at] 38

    2.6.10 Japanese National Information Security Center Slogan 39

    2.6.11 Awareness Noticeboard 40

    2.6.12 Security Awareness Maturity Model 41

    2.6.13 Four Factor Influence Awareness 42

    2.6.14 Summary of Existing Framework / Model / Guideline 44

    2.7 Current Technique of Designing, Developing and Implementing Awareness Program 47

  • ix

    2.8 Summary 48

    3 RESEARCH METHODOLOGY

    3.1 Introduction 50

    3.2 Operational Framework 50

    3.2.1 Phase 1: Information Gathering 53

    3.2.2 Phase 2: Design 54

    3.2.3 Phase 3: Validation 55

    3.3 Survey Technique Explanation 56

    3.3.1 Pre-Study and Observation 57

    3.3.2 Questionnaire 57

    3.3.3 Statistical Method 58

    3.4 Summary 59

    4 DESIGN IMPLEMENTATION PROCESS

    4.1 Introduction 60

    4.2 Mapping Process 60

    4.2.1 Relationship Table Description 62

    4.3 Selection of Elements/Components/Features 64

    4.4 Model Draft Design 69

    4.4.1 Draft Model Summary Description 70

    4.4.2 Details Model Description 72

    4.5 Summary 75

    5 ANALYSIS AND RESULT

    5.1 Introduction 76

    5.2 Targeted Experts Validation 76

    5.3 First Stage Validation Model Process 77

    5.4 Second Stage Validation Model Process 78

    5.4.1 Validation of Model Design 78

    5.4.2 Validation Script Questionnaire 79

    5.4.3 New Model Draft 81

    5.5 Supported Expert Witness 82

  • x

    5.5.1 Analysis on Expert Witness Validation Result 83

    5.6 Educational and Training Model of Security Awareness on Mobile Device 87

    5.6.1 Details Model Description 88

    5.6.2 Summary of Model Description 92

    5.7 Summary 95

    6 CONCLUSION

    6.1 Introduction 96

    6.2 Research Achievement 96

    6.3 Research Challenges and Constraints 98

    6.4 Future Work 99

    6.5 Summary 99

    REFERENCES 100

    APPENDIX 104

  • xi

    LIST OF TABLE

    TABLE NO. TITLE PAGE

    2.1 Matrix Table Who Needs Awareness 17

    2.2 Example of Mobile Application 21

    2.3 Recent Threats and Solution 24

    2.4 Matrix Table of Threats 25

    2.5 Matrix Table of Application Versus Threats 26

    2.6 Matrix Table of Features 45

    3.1 Activities Summarization Table 52

    4.1 Result of Students Feeling to Their Devices 62

    4.2 Result of Attending Course or Program 64

    4.3 Matrix Table of Selected Features 65

    4.4 Result of Students' Responses Towards the Education and Training 67

    4.5 Result of Joining Class 67

    4.6 Result of Information Security Awareness as Compulsory Course 68

    4.7 Summary of Description Model 70

    5.1 Details of Validator 77

    5.2 Expert Witness Validation Result on Section A 83

    5.3 Expert Witness Validation Result on Section B 84

    5.4 Expert Witness Validation Result on Section C 85

    5.5 Expert Witness Validation Result on Section D 85

    5.6 Expert Witness Validation Result on Section E 86

    5.7 Expert Witness Validation Result on Section F 86

    5.8 Summarization of Model Description 93

  • xii

    LIST OF FIGURE

    FIGURE NO. TITLE PAGE

    2.1 Statistic of Smartphone 13

    2.2 Statistic of Mobile Malware Arise 14

    2.3 TechRepublic Survey Result 14

    2.4 Survey Result Study on Password Usage 15

    2.5 Survey Result Study on Antivirus Software Usage 16

    2.6 Survey Result Toward Security Feeling on Mobile Device 16

    2.7 List of Mobile Malware 23

    2.8 List of Mobile Protection Software 23

    2.9 List of Top Threats by Symantec 27

    2.10 Information Security Learning Continuum 29

    2.11 Centralized Program Management Model 30

    2.12 Partially Decentralized Program Management Model 31

    2.13 Fully Decentralized Program Management Model 32

    2.14 IS Security Awareness Sequential Model 33

    2.15 The Full E-Awareness Model (E-AM) 34

    2.16 Framework for Evaluating ICT Security Awareness 35

    2.17 Southern African Cyber Security Awareness Framework 36

    2.18 Model by (DI.Mag. Andreas Tomek, SecurityResearch.at) 38

    2.19 Slogans by Japanese National Information Security Center 39

  • xiii

    2.20 Noticeboard by (Dr. Gary Hinson PhD MBA CISSP, 2012) 40

    2.21 Security Awareness Maturity Model 42

    2.22 Four Factor Influence Awareness 43

    2.23 Approach for an Effective Information Security Awareness Program 47

    3.1 Operational Framework 51

    4.1 Relationship Table 61

    4.2 Security Awareness Knowledge Result 63

    4.3 Pre-Model Design 69

    5.1 New Drafted Model 82

    5.2 Final Design 88

  • xiv

    LIST OF ABBREVIATION

    GPS Global Positioning System

    ICT Information Communications Technology

    IM Instant Messaging

    IS Information System

    IT Information Technology

    LAN Local Area Network

    MMS Multimedia Messaging Service

    NIST National Institute of Standards and Technology

    OS Operating System

    PC Personal Computer

    PDA Personal Digital Assistant

    SMS Short Message Service

    UTM Universiti Teknologi Malaysia

  • xv

    LIST OF APPENDIX

    NO. TITLE PAGE

    1 Appendix A 104

    2 Appendix B 111

    3 Appendix C 117

    4 Appendix D 121

  • CHAPTER 1

    INTRODUCTION

    1.1 Introduction

    To most people, the word security refers to something related to a degree of protection against danger, damage, loss, harm and crime. Security takes the form of protective structures and processes that are provided to improve the security mechanism as its condition. Besides, every kind of work we do requires security and safety. Safety First is the most common message on signboards placed at construction sites and workstations that are highly exposed to the risk of death. This alone shows us that security issues are crucial, as fatal injury and big losses take place whenever people are careless during their duty.

    Since Information Technology is in high demand and widely used by human beings in this century, security issues in this area are also rapidly increasing, as in the current issue reported in the online media of Utusan Malaysia dated 24 June 2011. In that article, Adli Abd Wahid, Vice President of Cyber Security Responsive Service, said that most internet users in Malaysia do not know the right way to secure their computers and their data. Furthermore, they are not even alert to, or aware of, what a firewall is actually for. He advised that all users should learn (IT) security education to prevent security breaches like those that happened to Malaysian Government websites the day before.

  • 2

    Security awareness is important and a must for any organization. Information security management consists of technical and procedural controls that protect information assets with respect to confidentiality, integrity and availability. However, many of these controls lose their effectiveness when staff/employees act in a security-negative manner, which means they are not aware of the risk of their current insecure behavior and they set aside the organization's policy and standards because it is more convenient to work that way. Hence, implementing effective security depends on creating an information security-positive environment in which the staff/employees understand and act accordingly, behaving as they are supposed to.

    1.2 Problem Background

    Mobile devices nowadays are widely used by people throughout the entire world. Their revolution has been updated year by year to deliver good services and applications to human life. Mobile devices put human life at ease, as everything is just under the user's fingertip: as simple as one click of a button shows all the information needed instantly. Besides, with the thousands of applications provided by the functions of each device in collaboration with the service provider, people can, for example, pay a bill, transfer an amount, book a flight ticket and even manage or view their share market just by using their mobile device.

    Mobile devices such as cellular phones, PDAs (Personal Digital Assistants), smartphones and tablet PCs are exposed to various security threats like malicious code (which includes viruses, worms and Trojan horses), vulnerabilities of the mobile device, attacks on network communication, data or information theft and damage, and also mobile spam (Kim and Leem, 2005).

    With the rising amount of information being sent and communicated through wireless channels, new threats also increase. Later, information security will become a critical issue for mobile devices and a great concern to mobile device users, just as it is for computer users today (Bouwman, et al., 2006; Malloy, et al., 2002).

  • 3

    It has been realized that information security is not just a technology problem, and in recent years it has become a hot topic to study the human factors in information security in the field of cyberspace (Hassel and Wiedenbeck, 2004; McCauley-Bell and Crumpton, 1998; Proctor et al., 2000). Security issues related to mobile devices are different from those related to computers. For example, a mobile device might be infected with a virus through instant messages; users conducting mobile commerce may perceive security differently from those conducting e-commerce through a computer or laptop; and personal privacy related to mobile devices is also different.

    Until now, security and privacy awareness of mobile internet usage has drawn little attention in research and industry (Maurer, 2010). With the rising number of users who employ those devices for security-sensitive tasks like internet banking, security and privacy mechanisms for mobile devices should be considered in the future.

    1.3 Problem Statement

    Many organizations have worked hard to protect their assets from any harm, damage, loss, theft, etc. Some of them have spent thousands to have strong security mechanisms to protect their belongings. Installing a good security mechanism is not enough while security awareness among the employees/staff is still at a low level. Intruders may use social engineering in order to get past the security tools that have been applied. Even some professionals are not aware at all of their actions at work.

    Awareness is often overlooked, by organizations as well as by people around the world. They mostly focus on having advanced technology and depend on experts to monitor security issues, while information security awareness is the root state whereby people become aware of their security mission (Siponen, 2000).

  • 4

    In this study, the problem statements have been identified. Students are usually obsessed with advanced technology such as smartphones or other pocket-size gadgets, which provide multiple and various functions that complement the requirements of their lifestyle. Besides, as mentioned by (Androulidakis, 2010), the security of mobile devices has been proven not to be sufficient in many research papers. Advanced and modern mobile devices, specifically smartphones, are vulnerable to various security risks.

    Adopting mobile devices without any security knowledge, or with a lack of awareness and the belief that the device is secure enough, will leave students exposed to those mobile device vulnerabilities and risks. This may harm their devices, and personal information might be stolen. Therefore information security education should become a priority to be implemented in educational institutions, as the United States did in the past few years (Hentea, 2005). In addition, the researcher also stated that some aspects of the security education model need attention or a review for changes.

    Here is the list of problem questions that need to be considered in doing this study, defined as below:

    i. Which level of student is most at high risk for security threats and lack of awareness?

    ii. Should a security awareness education course and training program be held in the University?

    iii. Which aspects of the current existing model require some customization or modification?

    iv. How can the proposed model increase awareness among the students?

  • 5

    1.4 Project Aim

    The aims of this study are to identify the current stage of awareness among students at different levels and in different fields, whether at a low, intermediate or high level, and to propose a design of a security awareness model that suits UTM campus students. The purpose is to raise security awareness and concern between the organization and the students, which can motivate them to be alert to or aware of any vulnerabilities and attacks from any invader that may harm important or valuable data or information and cause damage or loss to the organization or the individual.

    1.5 Objectives

    In this project, there are three objectives that need to be achieved. They are as follows:

    i. To identify the current state of security awareness among mobile device users (UTM students) before and after undergoing training or receiving a proper education in a Security Awareness Course or Program.

    ii. To design an appropriate model of Information Security Awareness to raise awareness and concern among students.

    iii. To validate the proposed model and analyze the validation result.

    1.6 Project Scope

    The scope of the project includes the following areas:

    i. The study focuses on the UTM campus as the target organization.

    ii. The students of UTM are the target respondents.

  • 6

    iii. The survey will be done across different faculties and different levels of respondents.

    iv. The survey result will signify the current stage of awareness and concern among mobile device users.

    v. Generate the data and design the appropriate model for the ICT unit of UTM as a guideline to implement an educational course or training program for students.

    1.7 Significance of the Project

    The significance of doing this study is mainly to suggest that the organization follow the model that will be proposed. Security education and awareness programs are crucial, although combining both would take a lot of time and energy. Experts generally agree that people are the most common and greatest source of IT security problems. Statistics consistently show that the majority of security breaches are caused by insiders, and the damage they inflict on their organizations can be much more severe than anything wrought by hackers on the other side of the world (J. Pescatore, 2002).

    Many, if not most, insider breaches are caused neither by disgruntled employees nor by students intent on doing harm. The sources are often the following reasons:

    i. People are not aware of the security threats.

    ii. People wrongly rely on someone else to deal with them.

    iii. People are not adequately skilled to address them.

    iv. People simply feel they have more important things to do and neglect to be aware of those things.

  • 7

    1.8 Report Organization

    This project study consists of four chapters in Project 1. Every chapter is organized according to the different work involved in the study. The detailed organization of this report is described in the following paragraphs:

    Chapter 1 of this report consists of an overview of the study, the problem background of the project, the problem statement, the objectives of the project, the scope of the project and the significance of this study.

    Chapter 2 of this report covers a recent review of the literature related to the study area, which is information security, security awareness and mobile devices, as each topic relates to the others. It discusses previous researchers' work within the scope of security issues and their problems.

    Chapter 3 explains the technique and method to be used in the study; the operational framework is also described in detail phase by phase, representing the flow of all tasks in doing the study.

    Chapter 4 discusses the design implementation process. It consists of the processes by which the elements and the features were selected in order to develop the proposed design model. Besides, matrix tables are also mapped to each other to build a relationship that strongly supports the model design.

    Chapter 5 discusses the analysis and the result of the findings from the students' survey feedback. The result of the validation process of the model is also explained as the finalized result of the design model.

  • 8

    Chapter 6 is the final chapter, which consists of a discussion concluding the project. It discusses the research achievements, the challenges and constraints of doing the research and future recommendations for the study. Lastly, the summarization of the research project concludes this chapter.

  • CHAPTER 2

    LITERATURE REVIEW

    2.1 Introduction

    The purpose of this chapter is to investigate or probe the area of interest in the research study. It assists the researcher in understanding their scope thoroughly. This chapter briefly discusses previous studies of research done in Information Security Awareness and related studies aimed at raising awareness among people. The variation and evolution of mobile device technology is also explained in this chapter together with its vulnerabilities. Besides, a few frameworks, models and guidelines for security awareness training programs are compared to each other to synthesize ideas and propose a suitable one for this study. All the ideas from previous studies contribute to a solution design, which is discussed in the next chapter.

    2.2 Information Security Awareness

    What is the definition of information security? Are most people aware of this term? Information security is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information.

  • 10

    However, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take, whether electronic, print, or other forms.

    Security awareness, on the other hand, is the knowledge and attitude that members of an organization possess regarding the protection of the physical and, more importantly, the information assets of that organization. Security awareness is a critical part of an organization's information security program; it is the human knowledge and behaviors that the organization uses to protect itself against information security risks. (Androulidakis, 2010) stated that users who do not receive proper training and education on cyber security at school often lack security awareness and proper etiquette. Humans are like computers: they store, process and transfer information. As a result, many attackers today target the user, bypassing most security controls and using techniques such as social engineering to obtain the information they are after. Awareness, not just technology, is a key factor in an organization's goal to:

    i. Reduce risk

    ii. Protect its reputation

    iii. Improve governance

    iv. Be compliant

    2.3 Component of Security Awareness

    An organization has the right to protect itself against unauthorized disclosures; it also has an obligation to provide training to its employees to guide them as to what is approved and what is not, as well as the appropriate behaviors to be observed in handling information.

  • 11

    (Peltier, 2005), argues the learning for security awareness has three component

    aspects or other word elements; they are as follows:

    i. Awareness, which is used to stimulate, motivate, and remind the audience

    what is expected of them.

    ii. Training, the process that teaches a skill or the use of a required tool.

    iii. Education, the specialized, in-depth schooling required to support the

    tools or as a career development process.

    In developing an information security awareness training regime, the organizations

    human resources department should work in conjunction with the IT department to ensure

    that the training adequately addresses the topic area and also conforms to relevant laws and

    regulations (Coe, 2003)

    2.3.1 Awareness

    Security awareness efforts are designed to change behavior or reinforce good security practices. Awareness is defined in NIST Special Publication 800-16 as follows: Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance.

    2.3.2 Training

    Security Awareness Training is designed to educate users on the appropriate use, protection and security of information, individual user responsibilities, and the ongoing maintenance necessary to protect the confidentiality, integrity, and availability of information assets, resources, and systems from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption. The long-term benefits to an organization from a successful security awareness program include enhanced awareness, increased security and improved online productivity for employees and the company as a whole.

    2.3.3 Education

    Security awareness education can help users ensure the proper handling of sensitive information, which is to protect one's secret data. An organization's staff may handle sensitive data as part of their daily routine, but the need to ensure that staff fully understand the security risks surrounding their duties is imperative. By educating employees, suppliers, partners and customers, we reduce the chances of an organization becoming a victim of today's data security threats. Moreover, through education, staff can carry out actions accurately if a security breach does occur. In addition, a number of industry and regulatory compliance initiatives require an organization to institute a formal security awareness program for employees.

    2.4 Current Stage of Security Awareness

    Observations from previous research papers show that security awareness is still at a low level and is often overlooked by people. As mentioned by McConnell and Hamilton (2002), because of poor security awareness and training, Information Technology workplaces are mostly not well prepared to handle attacks such as new viruses, worms and denial of service.

    Since the internet has become a part of human life, many of our routine activities are influenced by the technology. People nowadays mostly depend on the internet at the work site, in business and even in personal matters. Those who lack security awareness will easily be exposed to threats or attacks. Teenagers are the most exposed to computer attacks, as statistics show that over 90% are initiated by them. In this situation, security education is very important and should be taught at an early age at school (Hentea, 2005).

    Nowadays, with growing technology, the advancement of applications and functions in mobile phones makes people's daily life easier, because mobile devices can easily be carried along in our pockets. However, we may not notice that we are actually facing a new security risk at the same time. As mentioned by Mikko Hypponen (2006), since the cellular phone evolved into the smartphone, which performs like a computer and allows the user to install software applications from sources outside the cellular network operator, the devices have created new vulnerabilities, namely mobile malware. Figures 2.1 and 2.2 illustrate the statistics: while smartphone users are increasing, mobile malware is growing at the same time.

    Figure 2.1: Statistic of Smartphone (Mikko Hypponen, 2006).

    Figure 2.2: Statistic of Mobile Malware Arise (Mikko Hypponen, 2006).

    Furthermore, a previous study by Loraine Lawson (2000), who launched TechRepublic's informal survey, concluded that many companies lack awareness of mobile device security. The author explained that the majority of the respondents said that their companies do not have a security policy which addresses mobile devices, and that they do not take measures to secure their mobile devices. Figure 2.3 shows the respondents' feedback from the survey.

    Figure 2.3: TechRepublic Survey Result (Loraine Lawson, 2000)

    In addition, the study by Androulidakis (2011) of students in Budapest produced a negative finding. Only a few students, 24.5%, use passwords in screen-saver mode, as presented in Figure 2.4. This leaves their mobile devices ready to be manipulated by unauthorized personnel. Applying a PIN to mobile devices is not enough to protect the device from an attacker. Within a few minutes, an attack can take place in which attackers download specific software (malware) to the device without the knowledge of its owner.

    Figure 2.4: Survey Result Study on Password Usage (Androulidakis, 2011).

    Besides, the study reveals that the students in Budapest lack security knowledge and have a different mind-set. Figure 2.5 shows that 44% do not even know whether antiviruses for mobile phones exist, while another 19% of the users do know of existing antivirus products but do not install them on their mobile device. Only 12.3% of them are using one. In comparison, among PC users nowadays almost everyone has installed an antivirus on their PC, even when the product is free. This shows that the feeling of security on mobile devices in turn leads users to overlook security practices, as presented in Figure 2.6.

    Figure 2.5: Survey Result Study on Antivirus Software Usage (Androulidakis, 2011)

    Figure 2.6: Survey Result Towards Security Feeling on Mobile Phones (Androulidakis, 2011)

    In conclusion, the level of security awareness is currently not satisfactory. Even though mobile device users nowadays are alert enough to turn off their Bluetooth while not using it (Androulidakis, 2011), the vulnerabilities do not come from that particular part only. Therefore, security awareness courses and programs are needed in schools, universities, government and private organizations, as mentioned by Aloul (2010).

    Table 2.1: Matrix Table Who Needs Awareness

    Current Study/Finding (Who needs awareness). Columns: Staff / Worker / Employees; Student.

    Authors:

    i. A perspective on Achieving Information Security Awareness (Hentea, n.d.)

    ii. The Need for Effective Information Security Awareness (Aloul, 2010)

    iii. Self-Awareness before Networking (Hasan & Hussin, 2010)

    iv. Information Security Awareness in Higher Education: An Exploratory Study (Rezgui & Marks, 2008)

    v. A Video Game for Cyber Security Training and Awareness (Cone, Irvine, Thompson, & Nguyen, 2007)

    vi. Value-Focused Assessment of ICT Security Awareness in an Academic Environment (Drevin, Kruger, & Steyn, 2007)

    vii. Promoting Digital Forensics Awareness through the University of Alaska Fairbanks ASSERT Center (Nance, Hay, & Hecker, 2007)

    viii. Differences in Users' State of Awareness and Practices Regarding Mobile Phone Security Among EU Countries (Androulidakis, n.d.)

    ix. A Comparative Study of Information Security Awareness in Higher Education Based on The Concept of Design Theorizing (Marks & Ph, 2009)

    x. Mobile Phone Security and Practices of Students in Budapest (Androulidakis, 2011)

    xi. Bluetooth Usage Among Students as an Indicator of Security Awareness and Feeling (Androulidakis & Kandus, 2011a)

    xii. Mobile Phone Downloading Among Students: The Status and Its Effect on Security (Androulidakis & Kandus, 2011b)

    xiii. Constructivist Approach to Information Security Awareness in The Middle East (Boujettif & Wang, 2010)

    xiv. Five Dimensions of Information Security Awareness (Siponen, 2001)

    xv. Towards Interface Specification and Design Guidelines to Raise User Awareness of Application Security (Macdonald & Smith, n.d.)

    Matrix Table 2.1 shows that seven out of fifteen researchers suggest the awareness course or program should be implemented only for students, and three out of fifteen researchers say it should be for employees or staff. The rest, five of the researchers, mention that the awareness program should be applied to both students and employees. A clearer view is presented below:

    i. Students : 7 out of 15 researchers suggested

    ii. Employees / staff : 3 out of 15 researchers suggested

    iii. Both (Student & Staff) : 5 out of 15 researchers suggested

    2.5 Mobile Device Technology

    What is a mobile device? A mobile device refers to a handheld device, or in other words a handheld computer. Mobile devices usually come with a touch or non-touch display screen and can sometimes be attached to other accessories such as a mini keyboard, a mini external speaker, and so on. There are many types of mobile device; the most common are mobile phones, smartphones, PDAs, pagers and Personal Navigation Devices. Smartphones and PDAs are the most preferred mobile devices, offering all the conveniences of a personal computer in a very small form factor. EDAs (Enterprise Digital Assistants) are commonly used by businessmen because they best suit their business purposes.

    2.5.1 Categories of Mobile Devices

    The term mobile device is used to mean a wide range of consumer electronics. Usually, mobile device is used to describe devices that can connect to the Internet. However, digital cameras and standard MP3 players are classified as mobile devices as well. The categories of mobile devices include the following devices, as well as others:

    i. Personal Digital Assistant (PDA)

    PDAs are handheld devices that combine elements of computing, telephone/fax, Internet and networking in a single device. A typical PDA can function as a cellular phone, fax sender, Web browser and personal organizer. Unlike portable computers, most PDAs began as pen-based, using a stylus rather than a keyboard for input. Moreover, some PDAs incorporate handwriting recognition features. Some PDAs can also react to voice input by using voice recognition technologies. There are many different types of PDAs, but most models work with either Palmtop software or a special version of Microsoft Windows called Windows Mobile. All models can interface with a laptop or desktop system, though optional accessories may be required. Synchronization between computer and PDA is one of the most popular features of this digital device.

    A PDA might also incorporate cellular phone functionality and wireless local area network (LAN) capability, allowing the user to connect to the Internet to check email, send messages, or watch the stock market. With flash card capability, a PDA can store, access, and transfer virtually any kind of data, including maps, spreadsheets, presentations, and dockets.

    ii. Smartphones

    A smartphone is a high-end mobile phone built on a mobile computing platform, with more advanced computing ability and connectivity than a contemporary feature phone. Smartphones combine a mobile phone and a handheld computer into a single device. Today's models also combine the functions of portable media players, low-end compact digital cameras, pocket video cameras, and GPS navigation units. Modern smartphones typically also include high-resolution touch screens, web browsers that can access and properly display standard web pages rather than just mobile-optimized sites, and high-speed data access via Wi-Fi and mobile broadband.

    The most common mobile operating systems (OS) used by modern smartphones include Apple's iOS, Google's Android, Microsoft's Windows Mobile and Windows Phone, Nokia's Symbian, RIM's BlackBerry OS, and embedded Linux distributions such as Maemo and MeeGo. Such operating systems can be installed on many different phone models, and typically each device can receive multiple OS software updates over its lifetime.

    iii. Tablet PC

    A tablet PC is a wireless, portable personal computer with a touch screen interface. The tablet form factor is typically smaller than a notebook computer but larger than a smartphone. A convertible tablet typically has a display that rotates 180 degrees and can be folded to close, screen up, over the integrated keyboard. Convertible models may allow user input through a variety of methods in addition to the hardware keyboard, including natural handwriting with a stylus or digital pen and typing through a screen-based software keyboard. A slate tablet, such as an iPad, has electronics integrated into the touch screen unit and lacks a hardware keyboard. However, external keyboards are available for slate tablets, some of which function as docks for the devices. Besides, some tablets can even make calls, such as the Samsung Galaxy Tab.

    2.5.2 Mobile Application

    The revolution of mobile devices advanced when many applications were added to what had previously been the basic functions of the mobile phone. Many mobile applications, such as SMS/MMS clients, internet browsers, music players, and others, are pre-installed on the mobile phone, whereas others may be provisioned or configured at the point of sale. In addition, users can download applications over the wireless network and install them instantly, or applications can be loaded from the mobile operator's store. Mobile applications have evolved to the point that they now give users rich and fast services on the go. Table 2.2 shows some examples of widely used mobile applications (source: Mobile Marketing Association, Sept. 2008).

    Table 2.2: Example of mobile application (source: Mobile Marketing Association, Sept. 2008).

    Mobile Application Type

    Communication: E-mail clients; IM clients; Mobile web and internet browser; News/Information clients; Social Network Client

    Games: Puzzle/Strategy; Action/Adventure; Sports

    Multimedia: Graphics/Image view; Presentation viewers; Video and Audio Players; Streaming player

    Productivity: Calendars; Calculators; Diary; Notepad/memo/word processors; Banking/Finance

    Travel: GPS/maps; Translator; Currency converter; Weather

    Utilities: Profile manager; Address book; Task manager; Call manager; File manager

    2.5.3 Mobile Device Security and Threat/Attack

    The growth of technology has simply made human life easier. Mobile devices have become such important gadgets that they help people in their daily life. Devices that are connected to a network are exposed to security issues. For the mobile phone network, security should be an issue that is critical to end users and service providers from various perspectives. In other words, consumers need to be assured of levels of trust in order to embrace wireless services. As mentioned in the Australian Government's article for National Cyber Security Awareness Week (June 2010), since the number of users using mobile phones, computer game consoles, Wi-Fi and other devices that access the internet is increasing, better cyber security over those devices also becomes much more important.

    The 2009 Australian Mobile Phone Lifestyle Index report stated that 21% of respondents commonly surf websites on their mobile phone at least once a day, and 25% of respondents reported using their mobile phone for banking purposes.

    There are many types of risk among security issues. Some can be classified as physical attacks and some as logical attacks. A physical attack relates to something physical, such as the device being stolen or breaking down. A logical attack is something related to computer programming which manages to harm, damage or steal data through the network. It spreads easily to those who are not aware while connecting to the network or internet, without people knowing it. Figure 2.7 lists examples of the top-ranking mobile malware given by Mikko Hypponen (2006) in his article. Figure 2.8 lists mobile protection software against that malware.

    Figure 2.7: List of Mobile Malware (Mikko Hypponen, 2006).

    Figure 2.8: List of Mobile Protection Software (Mikko Hypponen, 2006)

    Jamie de Guerre (CTIA 2008) reported the threats and solutions by recent year, as presented in Table 2.3. He identified the threats from the year 2005 up to future expectations. They appear to increase dramatically from year to year.

    Table 2.3: Recent Threat and Solution (Jamie de Guerre, CTIA 2008)

    Matrix Table 2.4 presents the researchers' studies regarding the list of mobile threats. From the observations that can be made, malware ranks first, as many researchers' studies have found that malware has broadly moved to mobile. This includes viruses, worms and Trojan horses. Since the abilities of mobile devices are equal to those of a normal PC, they have become attractive to malware developers. Mobile devices currently have the same vulnerabilities as PCs, but the situation is even worse because they run various operating systems across different brands, unlike PCs.

    Matrix Table 2.5 presents the applications of mobile devices versus the mobile threats. Previous researchers' studies have found that malware can exploit and spread across the entire range of mobile applications. Once the malware is installed on the device, it will take control and explore by itself to gain personal data.

    Table 2.4: Matrix Table of Threat

    Mobile Threat columns: Malware / Malicious Code; Virus; Worm; Spam; Denial of Service; Data Stolen / Theft / Lost; Phishing; Spyware; Software Piracy; Social Engineering; Mobile Hijacking; Application Attack; Jailbreaking; Trojan; Snarfing.

    Authors:

    i. Malware goes Mobile (Hypponen, 2006)

    ii. Mobile Phone Vulnerabilities: A New Generation of Malware (Jamaluddin, Zotou, Member, & Coulton, n.d.)

    iii. Cyber Threats to Mobile Phones (Ruggiero & Foote, 2011)

    iv. Exploitation and Threat Analysis of Open Mobile Devices (Liu, Zhang, Yan, & Chen, 2009)

    v. Mobile Phone Security, Special Edition (Alpha Omega Group, 2010)

    vi. Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones (Mulliner, 2009)

    vii. Towards Dynamic Malware Analysis to Increase Mobile Device Security (Becher & Freiling, n.d.)

    viii. Intrusion Detection for Mobile Devices Using the Knowledge-Based, Temporal Abstraction Method (Shabtai, Kanonov, & Elovici, 2010)

    ix. Users' Perceptions on Mobile Device Security Awareness in Malaysia (Sabeeh, 2011)

    x. Differences in Users' State of Awareness and Practices Regarding Mobile Phone Security Among EU Countries (Androulidakis, 2010)

    xi. A Secure Energy-Efficient M-Banking Application for Mobile Devices (Cano & Domenech-Asensi, 2011)

    xii. A Survey of Mobile Malware in the Wild (Felt, Finifter, Chin, Hanna, & Wagner, 2011)

    xiii. Application Lockbox for Mobile Device Security (Luo & Kang, 2011)

    xiv. Mobile Phones: The Next Frontier for Hackers? (Leavitt, 2004)

    Table 2.5: Matrix Table of Application versus Threat

    Mobile Threat columns: Malware; Virus; Worm; Spam; Denial of Service; Device Lost/Stolen; Phishing; Spyware; Software Piracy; Social Engineering; Mobile Hijacking; Application Attack; Jailbreaking; Trojan; Snarfing.

    Mobile Application Type (rows):

    Communication: E-mail clients; IM clients; Mobile web and internet browser; News/Information clients; Social Network Client; SMS / MMS; Bluetooth

    Games: Puzzle/Strategy, Action/Adventure, Sports, etc.

    Multimedia: Graphics/Image; Downloading Application; Video and Audio; Streaming player

    Productivity: Calendars; Diary; Notepad/memo/word processors; Banking/Finance

    Travel: GPS/maps

    Utilities: Profile manager; Address book; Task manager; Call manager; File manager

    Lastly, Figure 2.9 illustrates the top six threats to mobile devices according to the Symantec organization. The picture briefly explains those six threats, which are the ones most frequently reported to them.

    Figure 2.9: List of Top Threats by Symantec (Enterprise IT News, Wednesday, 21 December 2011 00:36)

    2.6 Existing Framework /Models /Guidelines /Slogans for Security Awareness Program

    A study of the existing frameworks, models and guidelines for security awareness is important in order to get an idea of how they are conducted and how to suit them to an organization. Some of the models may be similar in certain parts, with just a few modifications made to enhance the previous one. Those models have one objective, which is to increase the level of awareness among the staff in an organization.

    2.6.1 The Continuum (A role and performance model)

    The model is role-based and is presented in Figure 2.10. It defines the information security learning needed as a person assumes different roles within an organization and different responsibilities in relation to information systems. The document uses the model to identify the knowledge, skills, and abilities an individual needs to perform the information security responsibilities specific to each of his or her roles in the organization. The model illustrates the following concepts:

    i. Basic Security Awareness is explicitly required for employees, including contractor employees, who are involved in any way with information systems. In today's environment this typically means all individuals within the organization.

    ii. Awareness Training (Basics and Literacy) is a transitional stage between Basic Awareness and Role-based Training. It provides the foundation for subsequent specialized or role-based training by providing a universal baseline of key security terms and concepts.

    iii. Role-based Training focuses on providing the knowledge, skills, and abilities specific to an individual's roles and responsibilities relative to information systems. At this level, training recognizes the differences between beginning, intermediate, and advanced skill requirements.

    iv. The Education level focuses on developing the ability and vision to perform complex multi-disciplinary activities and the skills needed to further the information security profession and to keep pace with threats and technology changes.

    v. Professional Development is intended to ensure that users, from beginners to career security professionals, possess the required level of knowledge and competence necessary for their roles. Professional development validates skills through certification and advanced education such as undergraduate and graduate studies and degrees.

    Figure 2.10: Information Security Learning Continuum (Wilson, Hash, & Division, 2003)

    2.6.2 NIST-SP800-50 Model 1: Centralized Program Management Model (Centralized Policy, Strategy, and Implementation)

    Figure 2.11 presents Model 1, in which a central authority is responsible for the budget of the IT security awareness and training program for the entire organization. All directives are coordinated by this security awareness authority. The central authority develops the training strategy and training plan, together with the training material, based on the needs assessment used to determine the strategy. Both the CIO and the IT Security Program Manager are located at the central authority. Two-way communication needs to be established between the central authority and the organizational units.

    This centralized program management model is often deployed by agencies that:

    i. Are relatively small or have a high degree of structure and central management of most IT functions;

    ii. Have, at the headquarters level, the necessary resources, expertise, and knowledge of the mission(s) and operations at the unit level; or

    iii. Have a high degree of similarity in mission and operational objectives across all of their components.

    Figure 2.11: Centralized Program Management Model (Wilson et al., 2003)

    2.6.3 NIST-SP800-50 Model 2: Partially Decentralized Program Management Model (Centralized Policy and Strategy; Distributed Implementation)

    Figure 2.12 presents Model 2, in which security awareness and training policy and strategy are defined by a central authority, but implementation is delegated to line management officials in the organization. Awareness and training budget allocation, material development, and scheduling are the responsibilities of these officials.

    This partially decentralized program management model is often deployed by agencies that:

    i. Are relatively large or have a fairly decentralized structure with clear responsibilities assigned to both the headquarters (central) and unit levels;

    ii. Have functions that are spread over a wide geographical area; or

    iii. Have organizational units with diverse missions, so that awareness and training programs may differ significantly, based on unit-specific needs.

    Figure 2.12: Partially Decentralized Program Management Model (Wilson et al., 2003)

    2.6.4 NIST-SP800-50 Model 3: Fully Decentralized Program Management Model (Centralized Policy, Distributed Strategy and Implementation)

    Figure 2.13 presents Model 3, in which the central security awareness and training authority (CIO/IT security program manager) disseminates broad policy and expectations regarding security awareness and training requirements, but gives responsibility for executing the entire program to other organizational units. This model normally uses a series of distributed authority directives, driven from the central authority. This normally means the creation of a subsystem of CIOs and IT security program managers subordinate to the central CIO and IT security officer.

    This fully decentralized program management model is often deployed by agencies that:

    i. Are relatively large;

    ii. Have a highly decentralized structure with general responsibilities assigned to the headquarters (central) level and specific responsibilities assigned to unit levels;

    iii. Have functions that are spread over a wide geographical area; or

    iv. Have quasi-autonomous organizational units with separate and distinct missions, so that awareness and training programs may need to differ greatly.

    Figure 2.13: Fully Decentralized Program Management Model (Wilson et al., 2003)

    2.6.5 IS Security Awareness Sequential Model

    Figure 2.14 combines the ideas of Yacine Rezgui, Adam Marks and P. Pihakainen (2006) to produce the sequential model. Their findings support the application of design theorizing in general and the application of training, campaigning, and reward and punishment as effective tools in achieving IS security awareness. They believe that the combined use of the three IS security awareness approaches will yield better results than the independent use of these approaches. In fact, Pihakainen (2006) states that the three IS security awareness approaches (training, campaigning, reward and punishment) can be used independently.

    Figure 2.14: IS Security Awareness Sequential Model (Marks & Ph, 2009)

    2.6.6 Full E-Awareness Model (E-AM)

    Figure 2.15 shows the E-Awareness model proposed by E. Kritzinger and S.H. Von Solm (2010). The first component of the model is the awareness component, called the E-Awareness Portal (E-AP). The main function of the E-AP is to provide up-to-date content regarding information security risks within the home user environment. This component addresses the information security awareness content. The aim is therefore to introduce home users to relevant information security issues, such as what information security is, why it is important and how to use it. It is important to understand that the users who will use this portal have limited or no information security background.

    Figure 2.15: The Full E-Awareness Model (E-AM) (E. Kritzinger and S.H. Von Solm, 2010).

    2.6.7 Framework for Evaluating ICT Security Awareness

    Figure 2.16 presents a framework for evaluating security awareness by H.A. Kruger et al. (2006). The purpose of the framework is to provide an effective manner of implementing and evaluating an ICT awareness training program. It also helps to focus the questions or aspects to be measured when developing tools, for example survey questions. The framework was intended to assist the management team in dealing with the task of an awareness training program. It was developed jointly in an academic environment and at a private enterprise, and it forms part of an ongoing research process. All stakeholders are necessary to establish the focus areas. The value-focused approach (VFA) takes into account stakeholders' wishes, concerns, problems and values pertaining to information security awareness in order to identify the focus areas. Employees are then surveyed to determine their awareness level based on the components presented in the framework, which are behavior, knowledge and attitude. These three components become the basis used to develop a model.

    Figure 2.16: Framework for Evaluating Security Awareness (Science, 2006)


    2.6.8 Southern African Cyber Security Awareness Framework

    The framework for cyber security awareness programs (CSAPs), depicted in Figure 2.17, provides a basis for organizing such campaigns within a country. The national cyber security policies, legislation, procedures, laws and standards should serve as the foundation upon which CSAPs are built (Y. Rezgui and A. Marks, 2008).

    Figure 2.17: Southern African Cyber Security Awareness Framework (Leenen, et al., 2011)

    The CSAP framework further suggests that the Planning, Designing, Implementation and Evaluation processes should be continuous. Since cyber security awareness programs are cyclic processes, the four processes should also follow the same cyclic pattern (B.D. Cone, C.E. Irvine, M.F. Thompson and T.D. Nguyen, 2008). The following components constitute the process of formulating cyber security awareness programs:

    i. Security Awareness Goals and Objectives: these must be defined in terms of the national legislation, laws, policies and standards as well as continental policies and agreements.

    ii. Identify Current Training Needs: see Figure 2.17.

    iii. Obtain Support: see Figure 2.17.

    iv. Identify Intended Audience: these are the target trainees to whom the cyber security awareness program will be delivered (e.g. community citizens, IT employees, non-IT employees, students, learners, etc.).

    v. Define Topics to be Covered: the list of topics must be evaluated in terms of relevance to each targeted audience.

    vi. Establish Security Policy: this policy states the governance of all security-related assets, devices and infrastructures, to assist in governing all cyber security related gadgets.

    vii. Define Delivery Methods to be Used: this includes the way in which the CSAP will be presented to different audiences (e.g. primary learners: cyber security posters and drawings; employees: the emailing system, company newsletter, seminars, etc.).

    viii. Develop a Strategy for Implementation: this should be decided at all levels, and the entire program should be evaluated for possible loopholes (e.g. whether the program's implementation should start from grade zero in schools, or how seminars are arranged in the workplace, that is, which group attends first in order to avoid disturbing all the company's duties).


    2.6.9 Awareness Model by [SecurityResearch.at]

    The human factor is one of the most imminent security risks within an organization. Every single employee's awareness of security issues is a basic necessity for a proper quality level of information security. Well-trained employees will provide timely detection of social engineering attacks and will contribute significantly to the company's overall security standard.

    Security awareness training focuses on different target audiences, such as management, IT administrators and users. Such training might encompass the following elements in order to address some of the most important risk factors in an organization. securityresearch.at has published a model, presented in Figure 2.18, to be used by an organization as a guide.

    Figure 2.18: Model by (DI.Mag. Andreas Tomek, securityresearch.at)


    2.6.10 Japanese National Information Security Center Slogan

    Figure 2.19 presents the slogan "Aware, Secure, Continue", which was adopted in February, Information Security Awareness Month. This short and simple slogan, expressing the essence of information security measures, was used in various programs and activities throughout the month by an organization in Japan. The slogan alerts staff to mind each step they take in order to be more secure, and it also serves as a guideline for the worker.

    Figure 2.19: Slogans by Japanese National Information Security Center (NISC, 2011-2012)


    2.6.11 Awareness Noticeboard

    The Noticeboard presented in Figure 2.20 is a creative product that contributes to awareness, training and educational (ATE) activities. In Special Publication 800-50 and the earlier 800-16, NIST explains:

    i. Awareness involves guiding and motivating people towards appropriate behaviors;

    ii. Training helps people develop specific skills;

    iii. Education provides a broad basis by explaining conceptual frameworks and factual information.

    Figure 2.20: Noticeboard by (Dr Gary Hinson PhD MBA CISSP, 2012)

    Noticeboard includes elements from all three, but its primary aim is to raise awareness, provide information and guidance to the identified audience groups (staff, managers and IT professionals) and motivate them to change their behaviors. It is important to emphasize that security awareness supplements, rather than replaces, technical security controls. Security awareness is just one of several essential security measures.


    Noticeboard supports the three Es by helping customers:

    i. Establish the requirements for information security, the rules as defined in policy, and raise awareness of the need for compliance;

    ii. Educate employees on their information security obligations and the potential consequences of ignoring them, through an ongoing awareness program; and

    iii. Enforce the rules by promoting suitable compliance activities, coupled with controls to identify and minimize information security near-misses as well as actual incidents (learning from others' mistakes is even more valuable than learning from our own, because we don't suffer the impacts of failure, only the benefits of enhanced security awareness).

    2.6.12 Security Awareness Maturity Model

    One of the biggest challenges in security awareness is its lack of maturity. Many fields within information security have developed and matured over the years with entire frameworks built around them, fields such as penetration testing, system hardening, secure software development and digital forensics. However, no such framework or maturity model existed for awareness. The Security Awareness Maturity Model is an important first step to help address this. Developed by consensus from over twenty different organizations, the model in Figure 2.21 can help organizations identify how mature (or immature) their program is and where they can take it.


    Figure 2.21: Security Awareness Maturity Model (Ispitzner, 2012)

    2.6.13 Factor of Influence Awareness

    The four factors shown in Figure 2.22 were identified from the matrix analysis of factors that influence information security, from the perspective of awareness and its measurement. These factors are the main points of understanding, taken from the previous articles, research and dissertations of several authors. The next paragraph will explain how these factors relate to information security awareness.


    Figure 2.22: Four Factors Influencing Awareness (Kamal, Fakeh, Zulhemay, Shahibi, & Ali, 2012)

    Policy is a reference for employees. It is a tool for management to guide their subordinates, by educating them based on what the policy states. Education is communication between user and educator, and it can influence the knowledge of the end user. Knowledge of technology is important, as information is organized and communicated using technology. For example, before users receive education about malicious software, they simply take the installed programs for granted and click any links they want in received emails. However, by educating them about how harmful these links can be, because of malicious programs and fraudulent links, they are made more aware. This is how education relates to knowledge of technology and interrelated items. Knowledge can change human behavior: by having knowledge, users can act appropriately. They know how to act when something occurs, by making the right decision for a situation, and in time to avoid inappropriate events in the workplace.


    2.6.14 Summary of Existing Framework/Model/Guidelines

    In conclusion, the selected elements of the existing frameworks and models have been transformed into a matrix table to give a clear view of the selection being made. This also makes it easier to map each component or element against the others before a selection is made. Table 2.6 presents the analysis of the components/elements that have been mapped to each other.


    Table 2.6: Matrix Table of Features

    Columns (The Elements / Features / Component / Studies): Policy; Awareness; Education; Training; Guidelines; Evaluation / Assessment; Motivation (Behavior & Attitude); Enforcement; Tools; Application; Campaign; Punishment / Reward; Procedures; Knowledge of Technology.

    Rows (Authors):

    1. NIST-SP800-50 (Wilson et al., 2003)

    2. A Framework for Evaluating ICT Security Awareness (HA Kruger, L Drevin, T Steyn)

    3. Cyber Security for Home Users: A new way of protection through awareness enforcement (Kritzinger & von Solms, 2010)

    4. Setting up an Effective Information Security Awareness Programme (Maeyer, n.d.)

    5. Information Security Awareness Amongst Academic Librarian (Kamal et al., 2012)

    6. A Comparative Study of Information Security Awareness in Higher Education Based on The Concept of Design Theorizing (Marks & Ph, 2009)

    7. Developing Security Education and Awareness Programs (Payne, 2003)

    8. NIST-SP800-124 Guidelines on Cell Phone and PDA Security (Jansen & Scarfone, n.d.)

    9. Chapter 17 Information Security Awareness: 17.1 Ensuring Employees Understand Their Role in Security; 17.3 Information Security Awareness Elements (n.d.)

    10. Information Security Management: An Information Security Retrieval and Awareness Model for Industry (Kritzinger & Smith, 2008)

    11. A Prototype for Assessing Information Security Awareness (Kruger & Kearney, 2006)

    12. An Overview of International Cyber-Security Awareness Raising and Educational Initiatives (Street & Park, 2011)

    13. Proceedings of the First IFIP TC9 / TC11 Southern African Cyber Security Awareness Workshop 2011, Gaborone, Botswana, 12 May 2011 (Leenen et al., 2011)

    14. Information Security Awareness in Higher Education: An Exploratory Study (Rezgui & Marks, 2008)

    15. IT Security Awareness and Training: Changing the Culture of State Government (Awareness, May, & Your, 2007)

    The mapping marks of each study against the columns are not preserved in this transcript.


    2.7 Current Technique of Designing, Developing and Implementing the Awareness Program

    There are many current techniques for designing, developing and implementing an awareness program in organizations. Some organizations use a model or guideline suggested by NIST that suits them, while others use none, probably depending on their own organizational policy. One example, shown in Figure 2.23, is an approach for an effective information security awareness program.

    Figure 2.23: Approach for an Effective Information Security Awareness Program (Maeyer, 2007)


    The key phases in this approach are:

    i. Set clear, defined and measurable objectives and goals for security awareness that address the problems of security-negative behavior.

    ii. Scope and design the security awareness program by creating a formal project. The program can contain one or more awareness campaigns, and each campaign should have its own specific goal to change a specific aspect of security-negative behavior. After developing the awareness plan, organizational buy-in needs to be sought and secured.

    iii. Develop the security awareness campaigns so that they support the business needs of the organization and are relevant to the organization's culture.

    iv. Implement the security awareness campaigns so that they deliver the awareness messages in a meaningful way to the employees. Employees should get the feeling that the messages were developed specifically for them.

    v. Measure the effectiveness of the campaigns so that effective activities can be repeated, if necessary, and other activities can be revised. Monitoring compliance and effectiveness should lead to continuous improvement. After all, for security awareness you can never do enough.

    2.8 Summary

    This chapter briefly presents the issues of Information Security Awareness raised by previous researchers. Various sub-topics have been discussed in this chapter to cover all the needs of the study. The current level of public awareness is vital in order to further the study. Mobile threats, which correlate with awareness, have also been discussed to support the findings. The review of these sub-topics contributes useful ideas for the next chapter. All the information in the literature review will be used in proposing the operational framework of the study.

  • CHAPTER 3

    METHODOLOGY

    3.1 Introduction

    Methodology is one of the important parts of a project or research. It discusses the flow of the techniques used in the study in order to achieve the goals of the project. The techniques or methods will be explained in detail in the sub-topics of this chapter. The operational framework describes the overall picture of the project flow, and the summary table explains the activities that match the research objectives. The phases of the operational framework will be detailed in this chapter.

    3.2 Operational Framework

    The operational framework is divided into three phases: phase 1 (information gathering), phase 2 (design) and phase 3 (validation). The phases are related to each other so as to achieve the objectives stated in Chapter 1, and they are organized step by step to give a clear process flow for the research. Figure 3.1 shows the operational framework, and Table 3.1 presents a summary of each activity applied in the study to meet the project objectives.


    Figure 3.1: Operational Framework

    (Flowchart; its contents are summarized below.)

    PHASE 1. LITERATURE REVIEW: analyze existing framework, model and guideline. Output: matrix table comparison; elements and features of existing frameworks and models to be applied. PRE-STUDY: distribute questionnaire to student representatives of each faculty in UTM. Output: current level of attitude, behavior and awareness concern toward Information Security Awareness.

    PHASE 2. DESIGN SOLUTION: pre-design model of Information Security Awareness on Mobile Device, built from the applied selected existing elements and additional ideas from the survey result.

    PHASE 3. VALIDATION: validate the design model. Validation done by CICT of UTM, supported by other expert witnesses: ICT of UTHM, and the IT Department of the Ministry of Women, Family and Community Development. The validation decision branches YES (Confirm Model Design) or NO.


    Table 3.1: Activities Summarization Table

    Columns: Objective / Activity / Result

    Objective 1: To identify the current state of security awareness of mobile device users (UTM students) before they undergo training or have a proper education in a Security Awareness Course or Program.

    Activities:

    1. Made a review of previous research papers and studied existing frameworks, models and guidelines of security awareness.

    2. Reviewed current issues and current statistics of Information Security Awareness.

    3. Pre-study (informal or indirect interviews with close friends).

    4. Observation of the attitude and behavior of surrounding students.

    5. Distributed a preliminary online basic questionnaire on Information Security Awareness on mobile devices to UTM students via Facebook.

    6. Analyzed the existing frameworks and models and the feedback from the questionnaire.

    Results:

    1. List of frameworks, models and guidelines.

    2. Current attitude and behavior of the students on security awareness concern.

    3. Current level of awareness among UTM students.

    4. Matrix table comparison and threats to a mobile device.

    5. Statistics of the questionnaire result.

    Objective 2: To design an appropriate model of Information Security Awareness to raise awareness concern among students.

    Activities:

    1. Selection of the elements in existing frameworks and models to propose a new appropriate model.

    2. Reanalyze the pre-design model.

    3. Design a second-phase questionnaire which is more detailed and focused on target respondents.

    4. Distribute it to each faculty, each contributing three representatives.

    5. Analyze feedback from the questionnaire.

    6. Alter the pre-design model so that it is suitable and maps to the new data.

    Results:

    1. Conceptual framework design (pre-design model).

    2. Statistics of the new feedback data.

    3. Current level and attitude, in every detail of the students' background of study, toward Information Security Awareness on Mobile Device.

    4. Additions and alterations of features and elements to the pre-design model.

    Objective 3: To analyze, evaluate and validate the proposed model.

    Activities:

    1. Design validation questionnaire.

    2. Deal with the head of CICT of UTM and other supporting expert witnesses.

    3. Distribute questionnaires to each representative of the expert witnesses mentioned to support the model validation process.

    4. Analyze feedback on whether any changes are to be applied.

    5. Finalize the model.

    Results:

    1. Feedback from the validation and approval of the model.

    2. Enhancements, if any.

    3. Security Awareness Model on Mobile Device.

    3.2.1 Phase 1 (Information Gathering)

    Phase 1, information gathering, was done with an analysis of the frameworks, models and guidelines of Information Security Awareness from previous researchers. Besides this, current issues and statistics related to Information Security Awareness on mobile devices were reviewed in order to support the literature review of the study. From those activities, useful information has been presented in a matrix table, while a prediction of the current level of awareness concern among UTM students could be decided.


    In addition, to confirm the initial state of students' security awareness concern on mobile devices, a pre-study was done through an online preliminary survey in Project 1, but that consisted of only a few basic questions to random respondents among UTM students. Then the extended survey, as attached in Appendix A, was distributed manually to representatives of the faculties; a few faculties were selected to represent all the faculties in UTM. Those representative faculties were divided into three category domains, as follows:

    i. Faculty of Engineering: represents all engineering faculties such as mechanical, electrical, chemical, civil, etc.

    ii. Faculty of Science: represents the faculty of computer science, faculty of science & mathematics, geo-information, and built environment.

    iii. Faculty of Management: represents the faculty of management and the faculty of education.

    The result of the survey was converted to a statistical view to give a clear picture, which is discussed in the next chapter. Feedback from the questionnaire contributes to the current level of attitude, behavior, awareness knowledge and concern toward Information Security Awareness on Mobile Device among students from different backgrounds of study. Hence, these results become additional ideas to be mapped with the literature review in order to propose the design solution in phase 2.

    3.2.2 Phase 2 (Propose Design)

    The design of the information security awareness model was done in this phase. At first, during the sketching of the model design, consideration was given to which existing elements from the frameworks and models are suitable for a new model and applicable to the students' current level of awareness knowledge and concern. The selection of each element and feature of the existing frameworks or models was important in order to match the students' current level of awareness.


    However, most of the existing frameworks and models were oriented more toward staff/workers in an organization; the newly proposed design model was therefore based on the combination of an analysis from the literature review and the pre-study section. Resu