
Information Security Awareness Levels of TAFE South Australia Employees

Hong Chan

Bachelor of IT (Honours)

Supervisor: Dr Sameera Mubarak

Outline

- Background Information
- Research Question
- Methodology
- Results
- Conclusion

Background Information

Information Security
- Confidentiality: prevent unauthorised access
- Integrity: accuracy and correctness
- Availability: authorised access when needed

- Ensure business continuity
- Minimise damage and liability
- Ethical and legal responsibility

Information security plans or policies are needed; they usually consist of technical controls.

Background Information

Information Security Awareness: Human Aspects
- Employee knowledge of information security concepts
- Management knowledge of information security concepts
- Consciousness of security plans

The literature suggests a positive relationship between awareness and the success of security plans; awareness should therefore be included in plans.

Background Information

TAFE South Australia
- Largest vocational education provider in SA
- 2400 employees across over 50 campuses

Suitable for this research
- All aspects of the business are conducted using information systems
- Holds a vast amount of confidential student data
- Recently implemented a new student information system

Background Information

Motivation for Research
- Gap in the literature
- Australian context
- Personal interest as an employee

Background Information

Potential Contributions
- Directly benefit TAFE SA: the finalised report (thesis) is to be given to TAFE SA
- Provide insight into other similar Australian organisations

Research Question

To gain an insight into the information security awareness levels of TAFE SA employees in order to identify areas that need improvement.

Does not look into improving awareness through “best practices”.

Methodology

Online questionnaire
- Knowledge of concepts = awareness of threats
- Behavioural questions = employee actions which may cause breaches
- Consciousness of policies’ existence

Quantitative methods used: tabulated percentages

Results

Population: 2400 staff
Sample: 308 responses (13% of the entire organisation responded)

Demographics: Management (19%), General Staff (81%)
Mushroom ??

Results

Knew what Phishing is
                    Yes    No
Management          32%    68%
General Employees   23%    77%

Knew what Spam is
                    Yes    No
Management          78%    22%
General Employees   87%    13%

Results

Has clicked on unknown links embedded in external third-party emails
                    Yes    No
Management          24%    76%
General Employees   16%    84%

Knew what Social Engineering is
                    Yes    No
Management          78%    22%
General Employees   73%    27%

Results

Knew what a strong password should be
                    Yes    No
Management          64%    36%
General Employees   66%    34%

Has given away passwords or logged someone in
                    Yes    No
Management          56%    44%
General Employees   52%    48%

Questionnaire may have prompted ICT’s action ??

Results

Has left computer unlocked and unattended
                    Yes    No
Management          73%    27%
General Employees   78%    22%

Used appropriate methods for password storage
                    Yes    No
Management          68%    32%
General Employees   65%    35%

Results

Knew the importance of data/information integrity
                    Yes    No
Management          93%    7%
General Employees   91%    9%

Has amended data without due process
                    Yes    No
Management          7%     93%
General Employees   8%     92%

Results

Has discussed work-related issues on social networking sites
                    Yes    No
Management          7%     93%
General Employees   8%     92%

Very little research exists on this topic, that is, on social media as a source of data/information leakage.

Results

Awareness of existence of information security policy
                    Yes    No
Management          59%    41%
General Employees   37%    63%

Awareness of existence of password policy
                    Yes    No
Management          41%    59%
General Employees   31%    69%

Conclusion

TAFE SA needs improvements in:
- Passwords given to colleagues
- Leaving computers unlocked and unattended
- Lack of awareness of policies

Conclusion

Limitations
- TAFE SA’s Chief Executive’s disapproval of a question
- “Social Engineering” is an ambiguous term

Conclusion

Future Research
- How awareness can be improved
- Explore adoption of awareness programs
- Look into including awareness as part of an overall security strategy

My Telstra Story: Potential for malicious acts is huge!

Thank You

Tip: If you work full-time, do not commence a research degree. I am actually 19 but I look 40.

-Hong Chan