Information Security Awareness Levels of TAFE South Australia Employees
Hong Chan
Bachelor of IT (Honours)
Supervisor: Dr Sameera Mubarak
Information Security:
Confidentiality – prevent unauthorised access
Integrity – accuracy and correctness
Availability – authorised access when needed
Ensure business continuity
Minimise damage and liability
Ethical and legal responsibility
Information security plans or policies are needed; these usually consist of technical controls
Background Information
Information Security Awareness – Human Aspects
Employee knowledge of information security concepts
Management knowledge of information security concepts
Consciousness of security plans
Literature suggests positive relationship between awareness and security plan success. Should be included in plans.
Background Information
TAFE South Australia:
Largest vocational education provider in SA
2400 employees across over 50 campuses
Suitable for this research:
All aspects of the business are conducted using information systems.
Holds vast amount of confidential student data.
Recently implemented new student information system
Background Information
Motivation for Research:
Gap in literature
Australian Context
Personal interest as an employee
Background Information
Potential Contributions:
Directly benefit TAFE SA
Finalised report (thesis) to be given to TAFE SA
Provide insight into other similar Australian Organisations
Background Information
To gain an insight into the information security awareness levels of TAFE SA Employees in order to identify areas that need improvement
Does not look into improving awareness through “best practices”
Research Question
Online Questionnaire:
Knowledge of concepts = Awareness of threats
Behavioural questions = Employee actions which may cause breaches
Consciousness of policies’ existence
Quantitative Methods Used:
Tabulated percentages
Methodology
Population: 2400 staff
Sample: 308 responses
13% of entire organisation responded
Demographics:
Management (19%)
General Staff (81%)
Mushroom ??
Results
Knew what Phishing is
                    Yes   No
Management          32%   68%
General Employees   23%   77%
Knew what Spam is
                    Yes   No
Management          78%   22%
General Employees   87%   13%
Results
Has clicked on unknown links embedded in external third party emails
                    Yes   No
Management          24%   76%
General Employees   16%   84%
Knew what Social Engineering is
                    Yes   No
Management          78%   22%
General Employees   73%   27%
Results
Knew what a strong password should be
                    Yes   No
Management          64%   36%
General Employees   66%   34%
Has given away passwords or logged someone in
                    Yes   No
Management          56%   44%
General Employees   52%   48%
Questionnaire may have prompted ICT’s action ??
Results
Has left computer unlocked and unattended
                    Yes   No
Management          73%   27%
General Employees   78%   22%
Used appropriate methods for password storage
                    Yes   No
Management          68%   32%
General Employees   65%   35%
Results
Knew the importance of data/information integrity
                    Yes   No
Management          93%   7%
General Employees   91%   9%
Has amended data without due process
                    Yes   No
Management          7%    93%
General Employees   8%    92%
Results
Has discussed work-related issues on social networking sites
                    Yes   No
Management          7%    93%
General Employees   8%    92%
Very little research into this topic, that is, that social media can be a source of data/information leakage
Results
Awareness of existence of information security policy
                    Yes   No
Management          59%   41%
General Employees   37%   63%
Awareness of existence of password policy
                    Yes   No
Management          41%   59%
General Employees   31%   69%
Results
TAFE SA needs improvements:
Passwords given to colleagues
Leaving computers unlocked and unattended
Lack of awareness of policies
Conclusion
Limitations:
TAFE SA’s Chief Executive’s disapproval of question
“Social Engineering” is an ambiguous term
Conclusion
Future Research:
How awareness can be improved
Explore adoption of awareness programs
Look into including awareness as part of an overall security strategy
Conclusion
My Telstra Story [email protected] Potential for malicious acts is huge!