wiki.cis.unisa.edu.au€¦ · Web viewSpecial thanks go to my research supervisor Dr Sameera...

Information Security Awareness Levels of TAFE South Australia Employees

Minor Thesis

Submitted - 30/11/2011

Revised - 27/12/2011

Hong Chan

00069566

Supervised by Dr Sameera Mubarak

Bachelor of Information Technology (Honours)

School of Computer and Information Science

University of South Australia

DeclarationI declare that this thesis does not incorporate without acknowledgment any material

previously submitted for a degree or diploma in any university, and that to the best of

my knowledge it does not contain any materials previously published or written by

another person except where due reference is made in the text.

Hong Chan – 27/12/2011

i

AcknowledgementSpecial thanks go to my research supervisor Dr Sameera Mubarak for her valuable

guidance and insights into research methodologies and the research topic in question.

Thanks also go to Dr Jiuyong Li for letting me know that the success of any research

project is positively related to keeping the research supervisor happy. Here is to hoping

that Sameera is still happy.

At the TAFE SA end, I would like to thank Elaine Bensted, Chief Executive of the Office of

TAFE SA, for allowing the research to be conducted. I would also like to thank Michael

King for assisting with the distribution of the online questionnaire.

Last but not least, I would like to thank Leanne Brookes, my manager and the TAFE SA

Web Services team for allowing me to take time off during critical times to meet my

research commitments.

ii

AbstractVarious literature and studies relating to information security emphasise the

importance of information security awareness of employees in maintaining any

organisational wide information security implementations or measures. It is widely

accepted that information security awareness is an important contributing factor for a

successful information security plan and should be properly assessed in order to

suggest improvements.

While it has been established that it is important for staff from within all levels of the

organisation to have greater information security awareness, there is clearly a gap

within current literature and studies in that there has been very small amounts of

studies which looked into information security awareness in an Australian context.

This explorative study directly investigated and assessed the employee information

security awareness levels within TAFE South Australia for the purpose of providing

much needed insight into the extent of information awareness levels in Australian

organisations.

Using an online questionnaire, the study revealed that TAFE South Australia’s employee

information security awareness were generally lacking. The study also identified

several problem areas which had plenty of room for improvements, thus paving the way

for further research into how information security awareness levels can be improved.

It is recommended that TAFE South Australia include information security awareness as

part of its overall risk assessment strategies in order to mitigate such risks. Finally, the

adoption of programs which will enhance security awareness should also be explored in

order to foster an organisational culture of security compliance, thereby minimising any

information security risks.

iii

Table of Contents

Declaration.............................................................................................................................................................. i

Acknowledgement.............................................................................................................................................. ii

Abstract.................................................................................................................................................................. iii

List of Tables....................................................................................................................................................... vii

1. Introduction..................................................................................................................................................... 1

1.1 Partnership – TAFE South Australia..............................................................................................2

1.2 Researcher’s Personal Interest.........................................................................................................3

1.3 Contributions........................................................................................................................................... 3

1.4 Scope and Limitations.......................................................................................................................... 3

1.5 Field of Thesis.......................................................................................................................................... 3

1.6 Research Question................................................................................................................................. 4

2. Literature Review.......................................................................................................................................... 5

2.1 Information Security.............................................................................................................................5

2.2 Employee Information Security Awareness...............................................................................6

2.3 Managerial Information Security Awareness............................................................................7

2.4 Australian Information Security Awareness..............................................................................8

2.5 Other Relevant Literature...................................................................................................................9

2.6 Assessing Information Security Awareness.............................................................................12

2.7 General Information Security Concepts.....................................................................................13

2.7.1 Phishing...........................................................................................................................................13

2.7.2 Spam................................................................................................................................................. 14

2.7.3 Social Engineering...................................................................................................................... 14

2.7.4 Strong Passwords....................................................................................................................... 15

2.7.5 Data or Information Integrity................................................................................................15

iv

2.7.6 Social Networking.......................................................................................................................16

2.8 Literature Review Summary...........................................................................................................16

3. Methodology.................................................................................................................................................. 17

3.1 Aim............................................................................................................................................................. 17

3.2 Research methods...............................................................................................................................17

3.3 Questionnaire Justification..............................................................................................................17

3.4 Questionnaire Design.........................................................................................................................18

3.4.1 Section 1 – Knowledge of Concepts.....................................................................................18

3.4.2 Section 2 - Employee Behaviours and Actions...............................................................19

3.4.3 Section 3 - Consciousness of Policies.................................................................................20

3.4.4 Section 4 – Experiences Relating to Computer Crime................................................20

3.4.5 Section 5 – Demographics.......................................................................................................20

3.5 Data Collection...................................................................................................................................... 21

3.6 Data Analysis......................................................................................................................................... 21

3.7 Methodology Summary.....................................................................................................................22

4. Results.............................................................................................................................................................. 23

4.1 Demographics....................................................................................................................................... 23

4.2 Employees’ Knowledge of Concepts............................................................................................24

4.3 Employee Behaviours........................................................................................................................28

4.4 Relationships between Concepts and Behaviours................................................................31

4.5 Consciousness of Policies.................................................................................................................36

4.6 Past Experiences of Computer Crime.........................................................................................37

4.7 Results Summary................................................................................................................................. 38

4.8 Discussion............................................................................................................................................... 38

4.8.1 Lack of Knowledge of Security Concepts..........................................................................38

4.8.2 Lack of Awareness of Policies................................................................................................40

4.8.3 Lack of Information Security Awareness.........................................................................40

v

4.8.4 Relationships between Concepts and Behaviours.......................................................41

4.8.5 Recommendations......................................................................................................................42

5. Conclusion...................................................................................................................................................... 43

5.1 Research Summary.............................................................................................................................43

5.2 Limitations..............................................................................................................................................44

5.3 Future Research................................................................................................................................... 44

6. Ethics and Compliance..............................................................................................................................45

Reference............................................................................................................................................................. 46

Appendix A: Questionnaire..........................................................................................................................49

Appendix B: Questionnaire Invitation to All Staff..............................................................................53

Appendix C: Questionnaire Section 4 Responses...............................................................................55

vi

List of Tables

Table 1 : Relationships between Concepts and Behaviours..........................................................19

Table 2 : Demographics................................................................................................................................. 23

Table 3 : Demographics – Combined into Broad Categories.........................................................24

Table 4 : Knowledge of Concepts – All Staff.........................................................................................25

Table 5 : Knowledge of Concepts - Management...............................................................................25

Table 6 : Knowledge of Concepts – General Staff...............................................................................26

Table 7 : Employee Behaviours – All Staff.............................................................................................28

Table 8 : Employee Behaviours - Management...................................................................................29

Table 9 : Employee Behaviours – General Staff..................................................................................30

Table 10 : Cross Tabulation - Phishing and Spam (All Staff)........................................................31

Table 11: Cross Tabulation - Phishing and Spam (Management)...............................................31

Table 12 : Cross Tabulation - Phishing and Spam (General Staff)..............................................32

Table 13 : Cross Tabulation – Strong Passwords (All Staff)..........................................................33

Table 14 : Cross Tabulation – Strong Passwords (Management)...............................................33

Table 15 : Cross Tabulation – Strong Passwords (General Staff)...............................................34

Table 16 : Cross Tabulation – Information Integrity (All Staff)...................................................35

Table 17 : Cross Tabulation – Information Integrity (Management)........................................35

Table 18 : Cross Tabulation – Information Integrity (General Staff)........................................35

Table 19 : Consciousness of Policies – All Staff...................................................................................36

Table 20 : Consciousness of Policies – Management........................................................................36

Table 21 : Consciousness of Policies – General Staff........................................................................37

vii

1. IntroductionDue to advances in information technology and the resultant high accessibility of

information by internal and external users, information security has become highly

relevant and necessary for the survival of organisations (von Solms 1998; Cervone

2005; Thompson 2006). Failure to protect confidential information may result in

exorbitant costs in public liabilities, which may result in the ultimate downfall of an

organisation.

There are three important aspects of information security according to Cervone (2005).

Firstly, the confidentiality aspect relates to preventing unauthorised access to

information, thus ensuring that confidential data or information is well protected.

Secondly, integrity relates to the accuracy, correctness and currency of information,

thus ensuring that information is trustworthy and faithfully represents the real world in

which the data or information is based on. Thirdly, availability of information relates to

ensuring that authorised access to information or systems are provided when needed.

The main purpose of information security, therefore, is to ensure business continuity in

order to minimise damage and liability to the organisation. Furthermore, organisations

have both an ethical and legal responsibility in ensuring that confidential information is

well protected (Cervone 2005).

Many papers such as von Solms (1998) and Cervone (2005) have concluded that to

counteract or to minimise the risk of information security breaches, it is important for

an organisation to implement an information security plan or strategy.

Further, Namjoo et al. (2008) suggested that the preventative actions by organisations

usually take place after the occurrence of information security breaches. By the time an

incident has taken place, it could be too late. It is therefore better to be safe than sorry.

Information security measures usually consist of utilising technical controls in order to

mitigate information security risks. However, Dzazali, Sulaiman & Zolait (2009) stated

that technical controls become futile if the people interacting with the information

systems do not have prudent security practices. In other words, human factors must be

taken into account. Policies or controls become useless if users are not aware of any

security risks or the policies themselves.

1

It is widely accepted within current literature that information security awareness is a

key factor in contributing to a successful security strategy (Siponen & Vance 2010;

Spears & Barki 2010; McFadzean, Ezingeard & Birchall 2007; Knapp et al. 2006;

Mouratidis, Jahankhani & Nkhoma 2008; Hagen, Albrechtsen & Hovden 2008; Doherty,

Anastasakis & Fulford 2009; Bulgurcu, Cavusoglu & Benbasat 2010; Namjoo et al. 2008).

Further, there is a positive and direct relation between information security awareness

and preventative action and thus improved security performance (Knapp et al. 2006),

which suggests that employee security awareness assessment should be the starting

point in developing or enhancing any security strategies.

According to Bulgurcu, Cavusoglu & Benbasat (2010), information security awareness is

an employee’s knowledge of information security concepts and his or her consciousness

of the organisation’s information security measures or plans.

Due to the apparent gap which exists in current literature in that studies in relation to

organisational information security awareness in an Australian context are minimal,

this investigative study aims to assess the employee awareness levels of an Australian

organisation. Assessment will be conducted using a questionnaire in which the design

and methodologies are based on the study presented by Kruger, Drevin & Steyn (2010).

The questionnaire will be delivered online and the resultant collected data will be

analysed to gain insight into employee assessment levels.

1.1 Partnership – TAFE South Australia

TAFE South Australia recognises the potential benefits of this study for the organisation

and Australian organisations in general. Therefore TAFE South Australia has kindly

agreed to take part in this study by allowing its employees to be the subjects for this

research.

TAFE South Australia is an agency of the Department for Further Education, Science and

Technology (DFEEST) within the Government of South Australia. It is the largest

provider of vocational education and training in South Australia.

With over 2400 employees ranging from lecturing, administrative and management

spread across 48 campuses around the State of South Australia (TAFE South Australia

2011), the organisation is a highly suitable subject for the purpose of this research

2

because nearly all aspects of the business are conducted using information systems, as

is the case for most organisations of today. TAFE SA holds vast amounts of confidential

student and staff data and is therefore obligated to ensure such information is kept well

protected from unauthorised access. In addition, TAFE South Australia recently spent

over 20 million dollars in implementing a student information system consisting of an

online and public component that will increase the potential of exposing confidential

data to the public.

1.2 Researcher’s Personal Interest

As a member of staff within TAFE South Australia, the researcher has first-hand

experience in the workings of the organisation, particularly in relation to information

security, where it is recognised through general observations that awareness is lacking.

By verifying this lack of awareness, the researcher hopes that this will provide a first

step in ensuring TAFE South Australia’s information security readiness.

1.3 Contributions

The results of this research will directly benefit TAFE South Australia by providing the

organisation with a critical analysis of employee information security awareness,

thereby providing a starting point in ensuring information security readiness. More

importantly, very little has been done to assess information security awareness in

Australian organisations. Therefore, this study may provide a much needed insight into

security awareness in an Australian context. The results of this study will be given to

TAFE South Australia.

1.4 Scope and Limitations

Assessing awareness is only the initial step in the process of ensuring information

security. This study is limited in that it does not investigate how awareness can be

improved through best practices. Further study is needed, and will be considered in the

future.

1.5 Field of Thesis

Information Security, Information Security Awareness, Information Assurance,

Information Management.

3

1.6 Research Question

This exploratory study will utilise an information security questionnaire to assess both

the employee and managerial information security awareness levels of TAFE South

Australia in order to identify areas that need improvement. The study will provide a

starting point for developing or improving existing security policies for TAFE South

Australia. The study may also provide an insight into the information security readiness

of other similar Australian organisations. The scope of this study is limited to the

assessment of information security awareness and related employee behaviours and

does not investigate techniques which could improve awareness, nor does the scope

include developing information security policies or plans.

4

2. Literature ReviewThe following sections provide a review of current literature relating to information

security awareness and within the scope of this study. Firstly, literature providing

background information will be briefly discussed. This is followed by the review of

various studies which place emphasis on information security awareness. Finally a brief

summary of the reviewed literature will be provided, explaining the justification for the

need to investigate information security awareness in an Australian context.

2.1 Information Security

The advent of the internet and electronic commerce has ensured that information

security has become increasingly vital for modern organisations (von Solms, 1998). This

is because the internet or intranets have enabled information to be easily accessible by

external or internal sources. von Solms (1998) further stated that organisations need to

ensure that a high level of information security is maintained in order to protect

proprietary and confidential information.

Further, Cervone (2005) stated that due to the increasing complexity of software,

vulnerabilities of software are also increasing. Subsequently, security breaches will

result. Of particular relevance to this research is the unauthorised access to confidential

information via illegal means. The liability to an organisation if this was to occur would

financially cripple the organisation and may cause a public outcry. In order to minimise

or to prevent information security breaches, an organisation must implement an

information security preventative plan. Cervone (2005) identified three major areas in

which a security plan should address. These were: Confidentiality, protecting

information from unauthorised access; Integrity, protecting information from

unauthorised alteration; and availability, providing access to information as required,

when required.

Thompson (2006) expanded further the importance of protecting information by

discussing social engineering in the context of public libraries. According to Thompson

(2006), “social engineering is the use of non-technical means to gain unauthorised

access to information or computer systems”. Libraries contain a vast amount of

personal information in their database and social engineering is clearly a major threat.

Social engineering will be further discussed in a latter section. TAFE South Australia or

5

any other higher education institutions face similar threats due to the vast amount of

student information contained in their database. A major aspect of social engineering is

that hackers prey on employee trust and emotion. That is, hackers will try to gain the

trust of employees in order to obtain confidential information. Further, hackers will

often use impersonation and pretend to be someone else in order to gain trust. Finally,

Thompson (2006) suggested that apart from a well implemented information security

plan to prevent social engineering, employees play an active and important role. The

starting point would be to ensure that employees have a high level of information

security awareness, and this forms the basis for this research.

Bulgurcu, Cavusoglu & Benbasat (2010) defined information security awareness as an

employee’s knowledge of information security and his or her consciousness of the

organisation’s information security measures or plans. The following section will

present relevant literature relating to information security awareness which is of

importance to this research.

2.2 Employee Information Security Awareness

Bulgurcu, Cavusoglu & Benbasat (2010) investigated employee rationality based

behaviours, information security awareness, and their effects on information security

compliance. The study was able to show that an employee’s intention to comply is

greatly influenced by their attitude and their outcome beliefs. More importantly for the

purpose of this research, the study found that an employee’s attitude and outcome

beliefs are affected by their level of information security awareness. In other words,

placing emphasis on information security awareness can positively affect employee

attitudes and to encourage compliance.

Siponen & Vance (2010) explained information security breaches by employees from a

neutralization theory perspective. That is, the study concluded that employees who are

responsible for any security breaches often justify or rationalise their actions using

neutralization techniques. Neutralization is a concept borrowed from the field of

psychology. The study was not directly related to information security awareness.

However, Siponen & Vance (2010) did propose that policy awareness campaigns may

be used to counteract the effects of neutralization thereby ensuring that security

6

policies are adhered to, suggesting that further investigation into information security

awareness is warranted.

Spears & Barki (2010) explored the relationship between employee participation in risk

management and internal security compliance. The study was able to conclude that

employee participation in risk management greatly contributed to improved security

control performance due to greater alignment between security risk management and

the business environment, better policy development, and more importantly for the

purpose of this research – greater information security awareness. While the study did

not explore information security awareness as the main driver of a successful security

policy, it did highlight information security awareness as a main contributor.

2.3 Managerial Information Security Awareness

Most studies have so far explored the significance of information security awareness of

employees in general. This section presents current literature which has identified the

importance of managerial information security awareness.

McFadzean, Ezingeard & Birchall (2007) identified the awareness of senior

management as an important driver of effective security measures. The study argued

that senior executives have a holistic view of the organisation and therefore have the

power to affect change in the organisation through their roles as strategy implementers.

It was found that board level perceptions and thereby information security awareness

are positively related to the strategic activities of an organisation.

Similar to McFadzean, Ezingeard & Birchall (2007), Knapp et al. (2006) also identified

senior management as key players. The study found that senior management support is

positively related to both an organisation’s security culture and the level of policy

enforcement. While the study did not directly explore managerial information security

awareness as a predictor of security performance, it did again highlight the importance

of management involvement, thus the importance of managerial information security

awareness in affecting an organisation’s information security readiness.

Mouratidis, Jahankhani & Nkhoma (2008) aimed to study the differences in perception

of network security between general management personnel and personnel who are

responsible for actual network security. The study found that general managers do have

7

different perspectives towards network security than personnel from the network

security management. In particular, the effectiveness and efficiency of the network,

control of security, security decision making process, and users of the network all

showed significant perceptual differences. There is a clear lack of information security

awareness within general management and as confirmed by McFadzean, Ezingeard &

Birchall (2007), this could have a negative impact on the effectiveness of information

security policies.

Namjoo et al. (2008) further reinforced the importance of information security

awareness levels of management by investigating the relationship between managerial

information security awareness and action. The study was able to provide empirical

support for a positive relationship between awareness and action. In other words, the

higher the level of managerial information security awareness, the more likely the

managers will take action in implementing preventative measures. The study suggested

that preventative action usually occur after the fact. That is, unless an actual

information security breach has occurred, organisations usually take no action in

adopting security measures. Like various similar studies, Namjoo et al. (2008) implied

that by raising managerial information security awareness, information security

performance could in fact improve information security performance.

2.4 Australian Information Security Awareness

This section identifies two studies which are of high relevance for this current study.

These studies are conducted in an Australian Higher Education context in which the

organisation exists within.

The exploratory study conducted by Lane (2007) identified that in relation to

information security management in Australian Universities, information security

awareness activities remain a challenge. Lane (2007) suggested that information

security consist of the awareness of organisational requirements and behaviours, as

well as the willingness to comply with policies and rules. In addition, if employees do

not hold an interest in security, such as in the case of information security professionals,

then they are less likely to comply. Lane (2007) concluded that compliance is difficult to

achieve if security awareness levels are low. The study suggested that Australian

Universities do not have adequate security awareness programs in place to counteract

8

the low levels of awareness, therefore compliance is also low. The study stressed the

importance of information security awareness programs in order to foster a culture of

compliance, which will ultimately enhance employee compliance of information

security. It is important to note that Lane (2007) looked at information management as

a subject of the exploratory study and only briefly discussed information security

awareness.

In another Australian Higher Education context, and similar to Spears & Barki (2010),

Yeo, Rahim & Miri (2007) explored security risk assessment strategies of an Australian

University. Again, the study only briefly discussed the implications of user’s information

security awareness. The study identified security awareness as an important

component which must be assessed as part an organisation’s risk assessment. User non-

compliance is a serious risk for any organisations, and awareness is positively related to

compliance, as concluded by other studies discussed in this thesis. The study concluded

that information security awareness of employees must be risked assessed as part of an

overall organisational risk assessment strategies in order to identify areas which need

improvements. In other words, the lack of information security awareness poses serious

threats to an organisation and must be properly risk assessed and mitigated. As

suggested by Lane (2007), mitigation can be in the form of the adoption of security

awareness training programs.

2.5 Other Relevant Literature

Hagen, Albrechtsen & Hovden (2008) studied the implementation of organisational

security measures and to assess the effectiveness of such measures. The study was

conducted using a survey in which data was collected from information security

managers in various Norwegian organisations. It was discovered that many Norwegian

organisations placed emphasis on the policies and procedures in implementing any

measures, but placed very little emphasis on security awareness. The study also showed

that awareness measures were the most effective of any security measures. As a

consequence, the study showed an inverse relationship between the implementation of

security measures and their effectiveness. In other words, it is important to place

emphasis on security awareness as well as technical controls when adopting security

programs. Hagen, Albrechtsen & Hovden (2008) only investigated Norwegian

organisations. However, due to the similar structures of western organisations (similar

9

accounting practices, management hierarchies, information technology infrastructure

etc.), it can be posited that Australian organisations are in a similar situation. Virtually

no studies have explored information security awareness in Australian organisations,

thereby justifying the need for this proposed research.

According to Doherty, Anastasakis & Fulford (2009), ensuring the security of

information has become extremely complex and challenging. This is more so for

Universities because teaching and research activities are becoming more reliant on the

availability, integrity and accuracy of computer based information. The study aimed to

empirically study the structure or content of security policies for UK based Universities

in order to fill the gap in the literature by critically examining the structure and content

of these policies. The study found that due to the wide diversity of these policies, it was

not possible to foster a coherent approach to security management. It also found that

the range of issues being covered in such policies was surprisingly low, and reflects a

highly techno-centric view rather than a user-centric view of information security

management. This suggests that the user or staff information security awareness are

not prominent nor considered in these policies. Again, while Doherty, Anastasakis &

Fulford (2009) only explored UK based Universities, it can be posited that Australian

higher education institutions such as TAFE South Australia may have similar attitudes,

thereby further justifying the need to explore information security awareness in an

Australian setting.

In another non-Australian context, Dzazali, Sulaiman & Zolait (2009) aimed to evaluate

the maturity level of information security in the Malaysian Public Service. The study

used convenience sampling and collected data from 970 individuals through a survey. It

was revealed that spamming was the most prevalent (42%) followed by malicious codes

(41%). Notably, it was found that 25% of incidents were from internal sources where as

11% were from external sources, with 49% being unknown sources. Findings on the

maturity level showed that 61% of respondents were at level 3, followed by 21% at

level 2. At the higher end, only 13% were at level 4 and a miniscule 1% was at level 5.

The study did not directly study security awareness, but the finding that the internal

related incidents were prevalent suggests that security awareness is a factor when

taking into the account other studies being discussed. While this study was conducted in

relation to the Malaysian Public Sector, similar investigation could be adopted to

10

investigate maturity levels of information security within the Australian Public Sector in

which TAFE South Australia belongs to.

Samy, Ahmad & Ismail (2010) was another study into information security within a

non-educational industry in a non-Australian setting. The study aimed to investigate the

various types of threats which exist for Malaysian healthcare information systems. The

systems in question all belonged to government funded hospitals and data were

collected from these hospitals. The study identified 22 types of threats according to

major threat categories based on ISO27002. More importantly, the results showed that

the most critical threat for these systems were power failure followed by human error.

While power failure may be unavoidable, the human errors are not. Samy, Ahmad &

Ismail (2010) stated that the human errors were due to a lack of awareness and good

practice among staff.

Similar to Samy, Ahmad & Ismail (2010), Williams (2008) studied the failure of the

American health industry in recognising the seriousness of information security threats

to patients and practice information. The study suggested that this failure is attributed

to the lack of understanding of security concepts, underestimating potential threats and

the difficulty in setting up security measures. In order to appreciate these factors,

research into the general practitioner security practice and perceptions of security was

undertaken. It was found that poor security measures implementation and a lack of

knowledge were key factors. The results also showed that information security was

overwhelmingly reliant on trusting staff and the computer systems themselves, rather

than implementing an overall security policy, which the study recommended.

While Samy, Ahmad, & Ismail (2010) and Williams (2008) both investigated

information security in the context of the health industry from Malaysia and America

respectively, it can be posited that Australian based higher education institutions face

similar threats due to the large amount of confidential and personal data relating to

students which exist in their database, thus warranting further investigations.

Laaksonen & Niemimaa (2011) conducted an exploratory study into information

security policies and their effectiveness. It is important to note that information security

awareness was not a main focus of the study. However, the study did suggest that

11

information security awareness did influence employee perception of security policies

and therefore must be taken into account when devising such policies.

2.6 Assessing Information Security Awareness

Since the proposed research is to assess information security awareness of TAFE South

Australia employees, this section provides a review of literature which has directly used

various methodologies in gauging awareness. This provides an important basis for the

methodology adopted for this research.

Most of the literature reviewed so far has only briefly discussed employee or

managerial information security awareness in their studies, or has only implicated,

assumed or posited the importance of information security (Siponen & Vance 2010;

Spears & Barki 2010; McFadzean, Ezingeard & Birchall 2007; Knapp et al. 2006;

Mouratidis, Jahankhani & Nkhoma 2008; Hagen, Albrechtsen & Hovden 2008; Doherty,

Anastasakis & Fulford 2009). Few studies have actually directly assessed information

security awareness.

In determining a positive relationship between information security awareness,

employee rationality based behaviours and policy compliance, Bulgurcu, Cavusoglu &

Benbasat (2010) included three simple questions in their questionnaire to gauge

security awareness. These questions are:

1. I know the rules and regulations prescribed by the ISP of my organisation.

2. I understand the rules and regulations prescribed by the ISP of my organisation.

3. I know my responsibilities as prescribed in the ISP to enhance the IS security of

my organisation.

As can be seen, these questions are all directly related to an organisation’s existing

information security policy (ISP as stated in the questions) and do not involve gauging

an employee’s awareness of information security concepts such as social engineering

(Cervone 2005). While there are clear limitations to the methodology of Bulgurcu,

Cavusoglu & Benbasat (2010), the study did provide a part example of how awareness

can be gauged.

12

Similarly, the study by Namjoo et al. (2008) looked at information security awareness of

managers in determining its relationship and managerial action relating to prevention.

Like Bulgurcu, Cavusoglu & Benbasat (2010), simple questions were used to gauge

awareness. The questions were again limited in that they were only relevant in the

context of an existing security policy.

Perhaps the most extensive tool for assessing information security awareness was

proposed by Kruger, Drevin & Steyn (2010). Like many studies, Kruger, Drevin & Steyn

(2010) acknowledged that an organisation’s survival necessitates a security program.

Due to the importance of information security awareness in ensuring a successful plan,

the study proposed that the starting point in developing a plan is to assess awareness

levels of employees. The study aimed to examine the feasibility of an information

security awareness test for employees, thereby identifying suitable topics to include in

an information security awareness training program. It was found that the use of a

vocabulary test to assess awareness levels is beneficial in gauging the awareness of

employees. It is important to note however, that the test population used by the study

were all University students rather than employees from an actual organisation.

However, for the purpose of this proposed research, the vocabulary test proposed by

Kruger, Drevin & Steyn (2010) will be modified to fit the Australian organisational

context and will be used to assess awareness levels of TAFE South Australia employees.

This will be further discussed in the methodology section of thesis.

2.7 General Information Security Concepts

This section identifies from literature the most relevant concepts relating to

information security and for the purpose of this study. These concepts will form the

basis of the questionnaire design in which respondents will be assessed in their

knowledge of these concepts.

2.7.1 Phishing

According to Whitman & Mattord (2008), phishing is the attempt to obtain confidential

information or to conduct identity theft by using seemingly harmless emails or forged

websites that imitate a real corresponding website. Phishing is also performed by using

non-technical means such as social engineering (discussed in section 2.5.1.3) and may

also be used in conjunction with spam (discussed in the next section) as a mode of

13

carrying out a phishing attack. Phishing is a common threat against the confidentiality

aspect of information security and is therefore important for employees to be aware of

the concept and its dangers.

2.7.2 Spam

Spam is defined as any unsolicited commercial emails or messages (Whitman & Mattord

2005). It may seem trivial but spam is not simply an annoyance to the receiver. Spam

has the potential to cause disasters and disrupt systems. For example, malicious codes

such as viruses and Trojan horses often use spam as a vehicle for distribution. Malicious

code could reduce information systems to a standstill and restrict access to users, thus

violating the availability aspect of information security.

In addition, phishing attacks are often conducted using spam which may contain links to

phishing websites. While most organisational technical controls may prevent spam from

entering the organisation’s email system, it may not be possible to achieve 100%

mitigation. Therefore, it is important for individual employees to be aware of the

concept of spam and its related dangers.

2.7.3 Social Engineering

Social engineering was briefly discussed in section 2.1. This section further expands on

the concept. In the context of information security, social engineering is the use of non-

technical means to perform identity theft or to obtain confidential information

(Thompson 2006). Attackers in this case may use a combination of psychological

manipulation and impersonation in order to induce the unwilling victim into providing

confidential information.

This is further expanded by Btoush et al. (2011), which stated that social engineering is

represented as the ability to build improper trust relations with people who are

working inside the organisation in order to obtain unauthorised access privileges or to

gain sensitive and confidential information using psychological trickery. Due to the very

human aspects of social engineering, it is not possible to prevent these types of attacks

using technical controls. Social engineering mitigation is therefore heavily reliant on

employees’ awareness of the concept and the enforcement of organisational policies

relating to security and privacy.

14

2.7.4 Strong Passwords

A password is the key to authenticating a user and to prevent unauthorised access to a

system. In addition to social engineering or phishing means, passwords can be

illegitimately or illegally obtained by using two types of cyber-attacks known as

password cracking. According to Whitman and Mattord (2005), these attacks are brute

force and dictionary attacks. It is not a question of whether or not a password can be

cracked, but rather how long it takes for a password to be cracked. The stronger the

password is, the longer it takes. Subsequently, a strong password ensures that the

feasibility of a password attack is dramatically diminished for the attacker. It is true that

technical password controls can enforce the strength of a password, but not all

information systems consist of such controls and therefore it is ultimately up to the

employees to ensure that their passwords are of sufficient strength. Knowledge of the

concept of a strong password is therefore vital.

There is no widely accepted definition of a strong password. For the purpose of this

study, Microsoft’s definition was used. According to Microsoft Safety & Security Centre

(2011), a strong password should consist of sufficient length, and should contain a

combination of letters, numbers and symbols.

2.7.5 Data or Information Integrity

Data or information integrity relates to the integrity aspect of information security.

According to Boritz (2005), information integrity has the following core attributes

which are relevant for this study:

Accuracy or Correctness – that is, information must be accurate and correct in

that the information or data must be precise and in line with the real world

object by which the data is mapped to. For example, a student’s date of birth

stored in a system must have no room for error.

Trustworthiness - ensuring accuracy and correctness will subsequently ensure

that the information stored in the system is a faithful representation of a real

world object, thus one can trust the information.

Currency and Timeliness – using a student’s date of birth as an example, the

actual date of birth itself is a variable which changes over time. Information

15

currency is therefore affected by real world changes over time and must be

catered for.

2.7.6 Social Networking

The idea that social media or networking sites such as Facebook or Twitter as sources of

confidential information leakage has become highly relevant in recent years. However,

very little research has been conducted in this area. Due to the critical mass of social

media uptake by individuals and businesses alike, there is a potential for users to

expose confidential work related information. According to Everett (2010), social

media has recently been identified as the platform of choice by hackers for spreading

malware through tainted web links. Further, the anonymity nature of such sites means

that unwitting users are also subjected to phishing scams. Finally, Everett (2010)

suggested that social media is definitely a source of data leakage when employees

disclose information relating to the workplace on social media sites. It is therefore an

important inclusion for any security plans or policies. Awareness of the dangers of

social networking in relation to information security is very important.

2.8 Literature Review Summary

All studies reviewed above have identified information security as a key contributor to

successful security plans or measures. There is a clear gap in the reviewed literature in

that very little studies into information security awareness have been conducted for

Australian organisations. As a matter of fact, during the search for literature in relation

to this study, only a small amount of studies was found to be related to Australian

organisations. More importantly, very little amount of studies have been identified in

relation to information security awareness. This further justifies the need for this type

of study. The result of this study may provide an insight into the awareness levels, and

thus the information security readiness of Australian organisations. Further, it would

provide a means to gauge awareness and thus identify any aspects of information

awareness requiring improvements to be included in a security training program or

security policy.

16

3. MethodologyThe following sections will discuss the methodologies adopted for the purpose of this

study. The aim of this study will be declared, followed by the methodology approach in

relation to research methods. Discussion will then place emphasis on the design of the

questionnaire followed by data collection and analysis. Finally, a brief summary of this

section will be provided.

3.1 Aim

The aim of this study is to gain an insight into the information security awareness levels

of TAFE South Australia employees in order to identify areas that need improvement. In

other words, this study is an investigative or explorative study.

3.2 Research methods

Due to the fact that theoretical models based on information security awareness are

virtually non-existent, the nature of this research is exploratory rather than to test for

hypothesis. The same dilemma was present in the research methods adopted by De

Haes & Van Grembergen (2009) in their study into IT governance which has a similarly

scarce amount of available resources and existing research. The approach adopted in

this research is therefore exploratory. According to Ryerson (2007 cited in De Haes &

Van Grembergen, 2009), exploratory research includes a mixture of secondary research

methods such as summarising quantitative data obtained by surveys and literature

review. Therefore, the use of quantitative methods and literature review discussed in

section 2 in order to gain insight into the topic of information security awareness was

adopted for this study.

3.3 Questionnaire Justification

A questionnaire was used for this explorative study because a related study has proven

the use of such questionnaires in assessing information awareness to be both beneficial

and practical (Kruger, Drevin & Steyn 2010). The design of the questionnaire was also

based on the study conducted by Kruger, Drevin & Steyn (2010).

An online questionnaire consisting of five sections and totalling seventeen questions

was developed to assess the awareness levels and the behaviours of TAFE South

Australia employees in relation to various aspects of information security. The web-

17

based deployment of the questionnaire ensures a greater reach and better response

rates. The questionnaire requires about ten minutes of the respondent’s time for

completion and the resulting collected data is immediately available.

3.4 Questionnaire Design

Based on the definition of information security awareness by Bulgurcu, Cavusoglu &

Benbasat (2010), the questionnaire included two areas to test the respondents’

knowledge of common information security concepts and a latter section which gauges

an employee’s consciousness or awareness of TAFE South Australia’s security and

password policies’ existence. In addition, employee behaviours in relation to

information security were also tested in a third section. The remainder of the

questionnaire aimed to obtain the respondent’s demographic attribute and an open-

ended section which aims to identify any respondent’s previous experiences relating to

information security incidents or breaches. The ensuing sections will provide an

overview of the questionnaire design and the questionnaire can be found in Appendix A.

3.4.1 Section 1 – Knowledge of Concepts

Similar to Kruger, Drevin & Steyn (2010), various generally known or common concepts

identified in the literature review were included in this section of the questionnaire

because the purpose of this study is to explore and to gauge awareness levels of all

employee types and not just information security professionals. The underlying

assumption is that most general employees would not know the meaning of lesser

known concepts such as “botnets” or “Steganography” (Kruger, Drevin & Steyn 2010).

All concepts included in this area were identified to be relevant for this study and

applicable for TAFE South Australia. A total of five questions are included in section 1

(see Appendix A) and are used to assess the respondents’ knowledge in the following

concepts discussed in the literature review:

Question 1: Phishing

Question 2: Spam

Question 3: Social Engineering

Question 4: Strong Passwords

Question 5: Information Integrity

18

The questions are multiple-choice based, with only one possible correct response for

each question. The exception to this is question 4: strong passwords in which the

question is open-ended in order to prevent respondents from easily selecting the most

likely and obvious choice. The choices for the other questions are not so clear or

obvious.

3.4.2 Section 2 - Employee Behaviours and Actions

The second section of the questionnaire consisted of scenario based questions. The idea

that behaviours should be assessed along with concepts is adapted from Kruger, Drevin

& Steyn (2010) who observed that there are significant relationships between security

concepts and behaviours. The questions in this section evaluate the respondent’s action

taken in their past based on scenarios within an information security context. The basis

for these questions is that the questions are linked with a corresponding security

concept being assessed in section 1 of the questionnaire. For example, spam and

phishing are concepts linked to question 9 which asks whether the respondent has ever

clicked on an unknown link embedded in a third party email. As discussed in the

literature review, spam has a high potential for being a distribution method for

malicious codes and phishing attacks. The concepts of spam and phishing are therefore

related to question 9. The following table summarises similar linkages between section

1 and section 2 of the questionnaire:

Concepts (Section 1) Corresponding Behaviours (Section 2)

Phishing, Spam Clicking on embedded links in emails (Question 9)

Strong Password Giving away Passwords (Question 6)

Leaving computer unlocked and unattended (Question 7)

Using inappropriate methods for storing passwords (Question 8)

Information Integrity Amending data without confirmation or due process (Question 10)

Table 1 : Relationships between Concepts and Behaviours

All section 2 questions are multiple-choice based and there is only one possible correct

answer for each question (refer to Appendix A: Section 2). No linkages between social

19

engineering and a corresponding behavioural question were identified. The reason for

this will be discussed further as a limitation at the conclusion of the thesis.

3.4.3 Section 3 - Consciousness of Policies

This section of the questionnaire relates to the second part of the definition of

information security awareness as defined by Bulgurcu, Cavusoglu & Benbasat (2010).

That is, in addition to the knowledge of concepts, information security awareness also

consists of an employee’s consciousness or knowledge of an organisation’s policies in

relation to information security. Note that for the purpose of this study, the existence or

the details of any TAFE South Australia policies in relation to information security are

not discussed because such information is deemed to be private and confidential. The

section consists of two multiple choice questions with each having only one possible

correct answer. The first question relates to information security policy and the latter

question relates to password policy.

3.4.4 Section 4 – Experiences Relating to Computer Crime

This section of the questionnaire attempts to identify any previous employee

experiences relating to security incidents/breaches or computer crime. The purpose is

to gain an overview or insights into employee perceptions of such incidents and the

actions taken as a result of such incidents. Section 4 consists of three questions. The first

question asks whether or not the respondent has ever experienced computer crime.

Based on the response, the subsequent questions are open-ended and request details of

the experience.

3.4.5 Section 5 – Demographics

The last section of the questionnaire has only one question and simply identifies each

respondent’s demographic groups. The categories listed in the question’s multiple

choices (refer to Appendix A) will be further combined into two broad categories of

management and general employees. The reason for the merging of the categories is

that the literature review has identified both management and general employees as

distinct groups of stakeholders in regards to information security.

20

3.5 Data Collection

The online questionnaire was created and deployed using the web-based survey service

provider Qualtrics (http://www.qualtrics.com). Qualtrics was selected for the task

because it is highly secure and can handle the storage of large amounts of responses.

The responses can be exported into most commonly used statistical formats such as

Microsoft Excel compatible files. Qualtrics also allows for all question types such as

multiple-choice, text boxes, and has support for selectively releasing questions based on

responses from previous questions. Qualtrics is widely used by many research

institutions including the University of South Australia.

The link to the online questionnaire was distributed to all TAFE South Australia

employees via the internal email system. The email invited all employees to voluntarily

take part in the research. Further, the invitation stated clearly that the responses to the

survey will remain strictly anonymous and that no individuals can possibly be identified

in the collected data. The purpose and details of the research was outlined in the email.

The email also stated that by submitting the responses to the online questionnaire,

consent was thereby simultaneously given by the respondents. The collected data as a

result of this study will be stored at a safe location in accordance with the policy of the

University of South Australia. The email inviting all TAFE SA staff to participate in the

questionnaire can be found in Appendix B.

3.6 Data Analysis

Quantitative methods and Microsoft Excel 2010 were used to obtain tabulated

percentages of all responses to closed questions. In addition, content analysis was

performed on responses to open-ended questions in order to determine whether the

responses were deemed positive or negative. For example, in relation to strong

passwords, content analysis was used to group responses into either yes (has

knowledge of strong password) or no. Content analysis was performed for open-ended

questions which only served to obtain a general overview or insight into the employee

perception and actions taken in relation to computer crime or information security

incidents. Finally, the cross-tabulation (pivot tables) functionality within Microsoft

Excel 2010 was used to show the relationships between information concepts and

related behaviours (refer to Section 3.4.2 – Table 1).

21

http://www.qualtrics.com/

3.7 Methodology Summary

In summary, the explorative nature of this study justifies the combined methods of data

collection via an online questionnaire and literature review (refer to section 2). The use

of an online questionnaire ensures a higher rate of responses compared with traditional

paper based surveys due to its convenience for respondents. The design of the

questionnaire itself is based on principles used in similar studies which have proven to

be both practical and beneficial. The results of the questionnaire will be presented in

the ensuing section 4.

22

4. ResultsThe online questionnaire was distributed to all TAFE South Australia employees. There

are approximately 2400 employees (TAFE South Australia 2011) equating to a

population of 2400 for statistical purposes. 308 responses were received in total,

representing the sample population of 308. In other words, 12.8% of the organisation

responded to the questionnaire. The ensuing sections will present the results and

findings of the questionnaire. The results are only briefly described in this section. A

more extensive discussion of the findings will be provided in section 5 of this report.

4.1 Demographics

Question 17 (refer to Appendix) contained an open-ended section which allowed the

respondents to specify “other” in best describing their roles within the organisation.

Content analysis was conducted and these responses were distributed amongst the four

other groups as seen in Table 2.

Demographic Group Responses Percentage

Senior Management 7 2.3%

Middle or Operational Management 52 16.9%

Lecturing staff 161 52.3%

General Administration or Frontline 88 28.6%

Total 308 100.0%

Table 2 : Demographics

Since this study is concerned with the importance of information security awareness of

two main groups (management and general employees), the demographic groups were

further combined into two categories as seen in Table 3. Lecturing staff and general

administrative staff were grouped together as general staff because they are deemed to

be information system users. On the other hand, senior management and middle or

operational management are deemed to be strategy and policy promoters or enforcers.

Therefore were simply grouped into the management category.

Demographic Group Responses Percentage

23

Management 59 19.2%

General Staff 249 80.8%

Total 308 100.0%

Table 3 : Demographics – Combined into Broad Categories

All ensuing sections will therefore present three result sets for each section of the

questionnaire in order to facilitate better comparisons. These are: Responses from all

staff (308 out of 308 respondents); Responses from all respondents belonging to the

management category (59 out of 308 respondents were considered to be management);

Responses from all respondents belonging to the general staff category (249 out of 308

respondents were considered to be general staff)

4.2 Employees’ Knowledge of Concepts

This section presents the results of Section 1 of the questionnaire.

Table 4 summarises the results of the knowledge based questions for each concept as a

number of responses and as a percentage of all respondents. Table 5 and Table 6

summarises the results for management and general staff respectively.

In relation to the concept of strong passwords, respondents were asked to state what

they think a strong password should be. Based on manual content analysis, the

responses were compared against the definition provided by Microsoft Safety & Security

Centre (2011) to determine whether the respondent had a good idea of a strong

password. For example:

“A mixture of alpha and numeric” was deemed insufficient and therefore deemed

incorrect.

“One that uses letters, numbers, and symbols, and has sufficient length” was

deemed to be correct.

The criterion for a correct response is that sufficient length, the combination of alpha-

numeric, and symbols must all be mentioned.

Concept Knew the Concept

Responses Percentage

Phishing Yes 76 24.7%

24

No 232 75.3%Total 308 100.0%

SpamYes 263 85.4%No 45 14.6%

Total 308 100.0%

Social EngineeringYes 55 17.9%No 253 82.1%

Total 308 100.0%

Strong PasswordYes 203 65.9%No 105 34.1%

Total 308 100.0%

Information IntegrityYes 281 91.2%No 27 8.8%

Total 308 100.0%

Table 4 : Knowledge of Concepts – All Staff

ConceptKnew the Concept Responses Percentage

PhishingYes 19 32.2%No 40 67.8%

Total 59 100.0%

SpamYes 46 78.0%

No 13 22.0%

Total 59 100.0%

Social EngineeringYes 14 23.7%No 45 76.3%

Total 59 100.0%

Strong PasswordYes 38 64.4%No 21 35.6%

Total 59 100.0%

Information IntegrityYes 55 93.2%No 4 6.8%

Total 59 100.0%

Table 5 : Knowledge of Concepts - Management

Concept Knew the Concept Responses Percentage

25

Phishing Yes 57 22.9%No 192 77.1%

Total 249 100.0%

Spam Yes 217 87.1%No 32 12.9%

Total 249 100.0%

Social Engineering Yes 41 16.5%

No 208 83.5%

Total 249 100.0%

Strong Password Yes 165 66.3%No 84 33.7%

Total 249 100.0%

Information Integrity Yes 226 90.8%No 23 9.2%

Total 249 100.0%

Table 6 : Knowledge of Concepts – General Staff

The results shown in Table 4 are summarised as follows:

Only 24.7% of all staff knew the term phishing. 85.4% of all staff knew what spam is.

Only 17.9% of all staff knew the term social engineering. 65.9% of all staff had an idea of

what a strong password should be. 91.2% of all staff knew the importance of

information integrity.


Only 32.2% of managers knew the term phishing. 78% of managers knew what spam is.

Only 23.7% of managers knew the term social engineering. 64.4% of managers had an

idea of what a strong password should be. 93.2% of managers knew the importance of

information integrity.


26

Only 22.9% of general staff knew the term phishing. 87.1% of general staff knew what

spam is. Only 16.5% of general staff knew the term social engineering. 66.3% of general

staff had an idea of what a strong password should be. 90.8% of general staff knew the

importance of information integrity.

27

4.3 Employee Behaviours

This section presents and summarises the results of section 2 of the questionnaire.

Action Performed Action Responses Percentage

Given away passwords or logged someone onto a computer using own password

Yes 163 52.9%

No 145 47.1%

Total 308 100.0%

Left computer unattended and unlocked

Yes 238 77.3%No 70 22.7%

Total 308 100.0%

Used inappropriate methods for storing passwords

Yes 105 34.1%No 203 65.9%

Total 308 100.0%

Clicked on unknown links embedded in third party emails

Yes 228 74.0%No 80 26.0%

Total 308 100.0%

Amended data without confirming accuracy or authenticity

Yes 24 7.8%No 284 92.2%

Total 308 100.0%

Disclosed work related information on social networking sites

Yes 23 7.5%

No 285 92.5%Total 308 100.0%

Table 7 : Employee Behaviours – All Staff


A surprising 52.9% of all staff have given away passwords or logged someone onto a

computer using their own password. A surprising 77.3% of all staff have left their

computer unattended and unlocked. 34.1% of all staff used inappropriate methods for

storing passwords. A surprising 74% of all staff has clicked on unknown links

embedded in third party emails. Only 7.8% of all staff has amended data without

confirming accuracy or authenticity. Only 7.5% of all staff has disclosed work related

information on social media.

28



Yes 33 55.9%

No 26 44.1%

Total 59 100.0%


Yes 43 72.9%No 16 27.1%

Total 59 100.0%


Yes 19 32.2%No 40 67.8%

Total 59 100.0%


Yes 46 78.0%No 13 22.0%

Total 59 100.0%


Yes 4 6.8%No 55 93.2%

Total 59 100.0%


Yes 4 6.8%

No 55 93.2%Total 59 100.0%

Table 8 : Employee Behaviours - Management


A surprising 55.9% of managers have given away passwords or logged someone onto a

computer using their own password. A surprising 72.9% of managers have left their

computer unattended and unlocked. 32.2% of managers used inappropriate methods

for storing passwords. A surprising 78% of managers have clicked on unknown links

embedded in third party emails. 6.8% of managers have amended data without

confirming accuracy or authenticity. 6.8% of managers have disclosed work related

information on social media.

29



Yes 130 52.2%

No 119 47.8%

Total 249 100.0%


Yes 195 78.3%No 54 21.7%

Total 249 100.0%


Yes 86 34.5%No 163 65.5%

Total 249 100.0%


Yes 182 73.1%No 67 26.9%

Total 249 100.0%


Yes 20 8.0%No 229 92.0%

Total 249 100.0%


Yes 19 7.6%

No 230 92.4%Total 249 100.0%

Table 9 : Employee Behaviours – General Staff


A surprising 52.2% of general staff have given away passwords or logged someone onto

a computer using their own password. A surprising 78.3% of general staff have left their

computer unattended and unlocked. 34.5% of general staff used inappropriate methods

for storing passwords. A surprising 73.1% of general staff have clicked on unknown

links embedded in third party emails. Only 8% of general staff have amended data

without confirming accuracy or authenticity. Only 7.6% of general staff have disclosed

work related information on social media.

30

4.4 Relationships between Concepts and Behaviours

The results of section 4.2 and 4.3 were cross tabulated to gain an insight into the

relationship between concepts and corresponding behaviours (Section 3.4.2 – Table 1)

Has clicked on unknown embedded links from third

party emailsYes No Total

Knew what phishing isResponses 172 60 232Percentage 74.1% 25.9% 100.0%

Did not know what phishing isResponses 56 20 76Percentage 73.7% 26.3% 100.0%

308

Knew what spam isResponses 198 65 263Percentage 75.3% 24.7% 100.0%

Did not know what spam isResponses 30 15 45Percentage 66.7% 33.3% 100.0%

308

Table 10 : Cross Tabulation - Phishing and Spam (All Staff)


Surprisingly, 74.1% of all staff who knew what phishing is still clicked on unknown

embedded links. Similarly, 75.3% of all staff who knew what phishing is still clicked on

unknown embedded links.



Knew what phishing isResponses 15 4 19Percentage 78.9% 21.1% 100.0%

Did not know what phishing isResponses 31 9 40Percentage 77.5% 22.5% 100.0%Total 59



59

Table 11: Cross Tabulation - Phishing and Spam (Management)

31


Surprisingly, 78.9% of all managers who knew what phishing is still clicked on

unknown embedded links. Similarly, 76.1% of all managers who knew what phishing is

still clicked on unknown embedded links.



Knew what phishing isResponses 41 16 57

Percentage 71.9% 28.1% 100.0%

Did not know what phishing isResponses 141 51 192Percentage 73.4% 26.6% 100.0%

249



249

Table 12 : Cross Tabulation - Phishing and Spam (General Staff)


Surprisingly, 71.9% of general staff who knew what phishing is still clicked on unknown

embedded links. Similarly, 75.1% of general staff who knew what phishing is still

clicked on unknown embedded links.

32

Knew the concept of a strong password

Yes NoResponse Percentage Response Percentage

Has given away passwords or logged someone in using own password

Yes 105 51.7% 58 55.2%

No 98 48.3% 47 44.8%

Total 203 100.0% 105 100.0%

Has left computer unattended and unlocked

Yes 161 79.3% 77 73.3%No 42 20.7% 28 26.7%

Total 203 100.0% 105 100.0%

Has used inappropriate methods for storing passwords

Yes 61 30.0% 44 41.9%No 142 70.0% 61 58.1%

Total 203 100.0% 105 100.0%

Table 13 : Cross Tabulation – Strong Passwords (All Staff)


51.7% of all staff who knew the concept of a strong password has admitted to giving

away their passwords. 79.3% of all staff who knew the concept of a strong password

have admitted to leaving their computers unattended and unlocked. 30% of all staff who

knew the concept of a strong password used inappropriate methods for storing

passwords.




Yes 19 50.0% 14 66.7%

No 19 50.0% 7 33.3%

Total 38 100.0% 21 100.0%


Yes 28 73.7% 15 71.4%No 10 26.3% 6 28.6%

Total 38 100.0% 21 100.0%


Yes 11 28.9% 8 38.1%No 27 71.1% 13 61.9%

Total 38 100.0% 21 100.0%

Table 14 : Cross Tabulation – Strong Passwords (Management)


33

50% of managers who knew the concept of a strong password have admitted to giving

away their passwords. 73.7% of managers who knew the concept of a strong password

have admitted to leaving their computers unattended and unlocked. 28.9% of managers

who knew the concept of a strong password used inappropriate methods for storing

passwords.




Yes 86 52.1% 44 52.4%

No 79 47.9% 40 47.6%

Total 165 100.0% 84 100.0%


Yes 133 80.6% 62 73.8%

No 32 19.4% 22 26.2%Total 165 100.0% 84 100.0%


Yes 50 30.3% 36 42.9%

No 115 69.7% 48 57.1%Total 165 100.0% 84 100.0%

Table 15 : Cross Tabulation – Strong Passwords (General Staff)


52.1% of general staff who knew the concept of a strong password have admitted to

giving away their passwords. 80.6% of general who knew the concept of a strong

password have admitted to leaving their computers unattended and unlocked. 30.3% of

general staff who knew the concept of a strong password used inappropriate methods

for storing passwords.

Has amended data without confirmation or due process

Yes No Total

34

Knew the importance of information integrity

Responses 21 260 281Percentage 7.5% 92.5% 100.0%

Did not know the importance of information integrity


308

Table 16 : Cross Tabulation – Information Integrity (All Staff)


7.5% of all staff who understood the importance of information integrity have amended

data without confirmation or due process.


Yes No TotalKnew the importance of information integrity




59

Table 17 : Cross Tabulation – Information Integrity (Management)


7.3% of managers who understood the importance of information integrity have

amended data without confirmation or due process.


Yes No TotalKnew the importance of information integrity




249

Table 18 : Cross Tabulation – Information Integrity (General Staff)


7.5% of general staff who understood the importance of information integrity have

amended data without confirmation or due process.

35

4.5 Consciousness of Policies

This section presents and summarises the results of section 3 of the questionnaire

which assesses the awareness or consciousness of existing security policies of

respondents.

Policy Aware of Policy's Existence Responses Percentage

Information Security PolicyYes 126 40.9%No 182 59.1%

Total 308 100.0%

Password PolicyYes 101 32.8%No 207 67.2%

Total 308 100.0%

Table 19 : Consciousness of Policies – All Staff

The results shown in Table19 are summarised as follows:

Only 40.9% of all staff knew the existence of an information security policy. Only 32.8%

of all staff knew the existence of a password policy.



Total 59 100.0%


Total 59 100.0%

Table 20 : Consciousness of Policies – Management


59.3% of all managers knew the existence of an information security policy. Only 40.7%

of managers knew the existence of a password policy.

36



Total 249 100.0%


Total 249 100.0%

Table 21 : Consciousness of Policies – General Staff


Only 36.5% of general staff knew the existence of an information security policy. Only

30.9% of general staff knew the existence of a password policy.

4.6 Past Experiences of Computer Crime

Appendix C shows the results of the open-ended questions in section 4 of the

questionnaire. The section begins by asking the respondents whether or not they have

experienced or believed to have experienced computer crime in the past. If the response

was yes, they were then asked to provide details of the experience and the actions

taken. The purpose of this section is to gain an overview or insight into employee

perceptions of any incidents and the actions taken as a result of such incidents.

Only 28 respondents from the sample population of 308 answered yes. However, due to

a technical glitch, users of Microsoft’s Internet Explorer were initially not able to

provide details in the text box in relation to their experience. The glitch was rectified,

but 9 respondents left the details blank as a result of the glitch. Due to the anonymous

nature of the questionnaire, it was not possible to identify the respondents and

therefore they could not be contacted for resubmission of the responses. All 19 valid

responses are presented the Appendix C.

Content analysis was performed on these responses and failed to reveal any noteworthy

findings relevant for this research. However, various experiences were in relation to

phishing attacks. For example, 5 respondents reported experiences relating to credit

37

card theft suggesting that phishing scams are prevalent and highly active. A few

experiences were in relation to attempts of hackers to gain access to email accounts.

Apart from the credit card scams, there were simply too small a sample set to reveal

anything useful.

4.7 Results Summary

It was interesting to note that there were minimal deviations between the scores of the

organisation as a whole (all staff), management and general staff in all sections of the

questionnaire. All three result sets displayed similar scores. However, the results

themselves were surprising. For example, only about 24.7% of all staff knew what the

term phishing meant. Similarly, the scores achieved by management and general staff

were 32.2% and 22.9% respectively. In relation to behaviours, the results were

alarming. For example, more than half the organisation (52.9%) has admitted to giving

away passwords. Management and general staff returned similar results, 55.9% and

52.2 respectively. The implications of the results of the questionnaire will be discussed

in greater detail in next section.

4.8 Discussion

As can be seen in section 4, the results of the questionnaire were both alarming and

surprising. Information security awareness as defined by Bulgurcu, Cavusoglu &

Benbasat (2010) of TAFE South Australia employees were generally poor. That is, there

was a clear lack of knowledge in terms of information security concepts, as well as

generally low levels of consciousness or awareness of policies. The generally low levels

of awareness were reflected in employee behaviours, whereby most employees have

admitted to performing actions which could have negative consequences for the

organisation. The ensuing sections discuss in greater detail the findings of this study.

4.8.1 Lack of Knowledge of Security Concepts

The results in section 4.1 demonstrated that the organisation performed poorly in

relation to knowledge of common security concepts. The results were particularly poor

for social engineering (all staff – 17.9%, management – 23.7%, general staff - 16.5%).

One explanation for the low scores could be that social engineering is an ambiguous

term in that the terminology is borrowed from the field of political science. Its original

meaning relates to governmental influence on society. The term was adopted by the

38

information technology industry to describe the psychological manipulation used by

hackers to obtain information (Thompson, 2006). In fact, several respondents

complained that none of the available choices for the question reflected their version of

what social engineering meant (they used the open-ended sections of the questionnaire

to express their concerns). However, given the context (information security) in which

the question was asked, it is safe to conclude that they just did not know the answer.

Even so, the synonymous nature of the term suggests that the question must be

regarded as a limitation of this study.

On the other hand, the organisation scored highly in relation to the concept of

information security (all staff – 91%, management – 93.2%, general staff – 90.8%). In

retrospect, the multiple choices available in the question (see Appendix A – Question 5)

may have been too obvious for a respondent to hazard a guess. In this case, the core

attributes of the concept as defined by Boritz (2005) were all options with the

subsequent correct answer being “All of the above”. Simple logic would suggest that

many would guess the correct answer. However, the relatively high score did reflect in

the positive results obtained in Question 10, which asked whether or not a respondent

have ever amended data without confirming accuracy and correctness. The scores were

very low (all staff – 7.8%, management – 6.8%, general staff – 8.0%) demonstrating that

only a small portion of the organisation has performed this negative action.

Phishing and spam are concepts which go hand in hand because phishing attacks are

often conducted via spam (Whitman & Mattord 2005). However, the organisation

scored relatively high for spam (all staff – 85.4%, management – 78%, general staff –

87.1%) but very low for phishing (all staff – 24.7%, management – 32.2%, general staff

– 22.9%). Such a large variance may be explained by Bulgurcu, Cavusoglu & Benbasat

(2010) which suggested that information security awareness in regards to concepts are

often built upon life experiences. For example, one may not know of a concept if they

have never experienced the phenomenon first-hand. Spam is a tremendously frequent

occurrence affecting most people, whereas phishing may not be so obvious until an

attack has been committed. Therefore not many people may know the term compared

to spam.

39

It is of the opinion that the organisation scored moderately in relation to the concept of

a strong password (all staff – 65.9%, management – 64.4%, general staff – 66.3%).

However, the accuracy of the results must be questioned due to the fact that the initial

308 responses were all subjected to manual content analysis in order to determine

whether each response was correct. The manual nature of the analysis in addition to the

unlimited variations of open-ended responses raises the possibility of incorrectly

classifying each response. This is similar to a University lecturer marking many exam

papers. Discrepancies would undoubtedly occur.

4.8.2 Lack of Awareness of Policies

The results of the questionnaire showed that many TAFE SA employees did not know of

the existence or the details of the organisation’s security related policies. Less than half

of all staff knew about an actual information security policy (40.9%) and even less for

password policy (32.8%). Management performed slightly better, with a score of 59.3%

for information security policy and 40.7% for password policy. The most alarming

results relate to the general staff, which scored only 36.5% for information security

policy and 30.9% for password policy. The poor results suggest that security policies

are not well promoted or enforced by the organisation and that emphasis is heavily

placed on technical controls without taking into account the human aspects of

information security. Dzazali, Sulaiman & Zolait (2009) suggested that policies or plans

become useless if no consideration is given to the human factors of information

security. In this case, by not ensuring that employees become proficient in the

knowledge of the organisation’s policies, the policies themselves are futile. The lack of

awareness and knowledge of policies may have allowed for staff to violate such policies,

as demonstrated and reflected in the results of the behavioural questions summarised

in section 4.3. In particularly password based actions, where it was observed that many

employees shared passwords, left computer unattended and also used inappropriate

methods for password storage. These actions are generally prohibited by an

organisation’s security and password policies if properly enforced. This is not the case

for TAFE South Australia.

4.8.3 Lack of Information Security Awareness

Information security awareness is the combination of the knowledge of concepts and

awareness of existing policies (Bulgurcu, Cavusoglu & Benbasat 2010). Due to the fact

40

that the organisation as a whole lack both knowledge of security concepts and

awareness of policies as demonstrated by the results, it can be concluded that TAFE

South Australia employees lack information security awareness. This is in line with the

observation made by Knapp et al. (2006) that there is a positive relationship between

information security awareness and preventative action. That is, employees are more

likely to have positive behaviours in relation to information security if their awareness

levels are high. In the case of TAFE South Australia, the lack of awareness have resulted

in many employees engaging in negative actions and behaviours in violation of

information security, thus reaffirming the relationship as defined by Knapp et al. (2006)

4.8.4 Relationships between Concepts and Behaviours

The study into the feasibility of a vocabulary test to assess information security

awareness conducted by Kruger, Drevin & Steyn (2010) identified significant

relationships between knowledge of concepts and behaviours. That is, knowing a

concept will translate into positive behaviours relating to the concept. However, the

current study is in contrast to Kruger, Drevin & Steyn (2010). The results shown in the

cross-tabulations between concepts and corresponding behaviours (refer to Table 1)

identified surprising results which contradicted Kruger, Drevin & Steyn (2010). For

instance, an alarming 74.1% of all staff who knew the concept of phishing still engaged

in clicking on links embedded in potential spam. Both management and general staff

sample sets showed similar results, 78.9% and 71.9% respectively. Similarly, an

alarming 75.3% of all staff who knew what spam is also engaged in the clicking of links

embedded in potential spam. Again, there were hardly any differentiations between the

management and general staff result sets, 76.1% and 75.1% respectively. It can be

concluded that knowing the concept of spam and phishing did not mean that the

employees will not take the risk and click on potentially dangerous links. The likely

reason for this may again be attributed to the lack of policy enforcement or promotion.

In relation to strong passwords, the results also contradicted Kruger, Drevin & Steyn

(2010) in that knowing the concept of a strong password still resulted in staff engaging

in password sharing, leaving computers unattended and unlocked. Using the all staff

result set as an example (management and general staff again showed minor variance),

51.7% of staff who knew what a strong password is did not stop them from sharing

passwords. Similarly, an alarming 79.3% of staff who knew the concept of a strong

41

password have admitted to leaving their computer terminals unattended and unlocked.

The reason for such actions could be a result of the trust formed between co-workers.

However, the security risks are clearly present.

4.8.5 Recommendations

TAFE South Australia is clearly plagued with employee non-compliance of information

security policies. The low levels of awareness may have contributed to such non-

compliance. As suggested by Yeo, Rahim & Miri (2007), the lack of awareness and non-

compliance poses serious risks for the organisation and should be properly assessed

and mitigated as part of the organisation’s overall risk assessment strategies. It is

therefore highly recommended that TAFE South Australia implement proper risk

assessment strategies which include information security awareness as an important

component.

Further, once the security risks are properly assessed, they can be mitigated by

improving security awareness. As suggested by Lane (2007), the adoption of adequate

information security awareness training programs will ensure that employees know of

their responsibilities and also foster an organisational culture of information security

compliance, thereby improving the mitigation of such risks. It is therefore

recommended that TAFE South Australia explore such programs. The exploration of

these programs forms the basis of the suggestion follow up studies in the future.

42

5. Conclusion

5.1 Research Summary

Employee information security awareness has been widely regarded as an important

contributing factor in any successful organisational information security plans.

However, there is a gap in literature in that very little has been done in an Australian

context in relation to information security awareness, thus giving rise to this study.

This exploratory study utilised a specially designed online questionnaire to assess the

levels of information security awareness within TAFE South Australia.

Information security awareness can be defined as the combination of a person’s

knowledge of security concepts and the person’s awareness or consciousness of the

existence of any security related policies. Therefore the questionnaire was used to test

the respondents’ knowledge of commonly known security concepts as well as the

respondents’ consciousness of the organisations security policies in order to gain

insight into the awareness levels of the organisations. In addition, the questionnaire

also tested for behaviours which are related to corresponding security concept.

The results of the study revealed that employee awareness levels for TAFE South

Australia are surprisingly low, with employees lacking in both knowledge of concepts

and awareness of the organisation’s policies. The lack of information security

awareness was reflected in the admission by many employees that they had previously

engaged in behaviours (such as password sharing) which were in direct violation of

information security. This may be a result of the lack of policy promotion and

enforcement.

Finally, this exploratory study has achieved the aim of gaining valuable insight into the

workings of an Australian organisation in relation to information security awareness.

It is important that TAFE South Australia explore information security awareness as an

organisational risk which must be assessed and mitigated. Subsequently, the identified

risks may be mitigated by adopting relevant awareness programs which will ultimately

foster an organisational wide culture of information security compliance.

43

5.2 Limitations

Due to time constraints, a full appreciation of the importance of terminologies used in

the questionnaire was not realised. For instance, social engineering is an ambiguous

term in that it is synonymous with a different meaning within the field of political

science. In relation to the responses to strong password, manually conducting content

analysis for the relatively large number of responses may have increased the chance for

discrepancies.

The initial design of the questionnaire included a question which asked respondents’

whether or not they have ever knowingly provided confidential information to

outsiders in circumstances they felt it was justified to do so. At TAFE South Australia’s

request, the question was omitted from the final version of the questionnaire. The

reasoning was that the responses to such a question could potentially create a public

outcry for the organisation. For instance, if the responses revealed that employees did

in fact knowingly released confidential information, the public would have every right

to question TAFE South Australia’s integrity. However, by omitting the question, this

study may have lost valuable insights.

5.3 Future Research

Assessing information security awareness is deemed to be an initial step in achieving

security readiness. The next step would naturally be to determine how the problem

areas identified in this study can be approved through best practices. That is, future

research should focus on how awareness levels can be improved, thus improving the

security readiness of the organisation. In the long run, future research should also focus

on including information security awareness as part of an overall organisational

security strategy by adopting suitable awareness enhancing programs.

44

6. Ethics and ComplianceThe University of South Australia is bound by the Australian Code for Responsible

Conduct of Research and the National Statement on Ethical Conduct in Human Research.

Due to the human involvement required in this study, an application for approval was

submitted to the University’s Human Research Ethics Committee. Subsequently,

approval was given by the committee.

In addition, permission was obtained from TAFE South Australia to interact with

employees and to deliver appropriate questions to the employees, and to obtain

relevant data in relation to TAFE South Australia and its employees. Written approval to

conduct all activities relating to this study was given by the Chief Executive of the Office

of TAFE SA.

Finally, the online questionnaire to be delivered as part of this study may have involved

gathering information relating to psychological condition or collection of personal data

and as required by the University, the Insurance for Research Projects and Health

Sciences Fieldwork form was submitted to the Human Research Ethics Committee to

ensure that the project is covered by insurance. Subsequently, approval for insurance

cover was given by the committee.

45

Reference

Bulgurcu, B, Cavusoglu, H & Benbasat, I 2010, ‘Information Security Policy Compliance:

An Empirical Study of Rationality-Based Beliefs and Information Security Awareness’,

MIS Quarterly, vol. 34, no. 3, pp. 523-A7.

Boritz, JE 2005, ‘IS Practitioners’ Views on Core Concepts of Information Integrity’,

International Journal of Accounting Information Systems, vol. 6, no. 4, pp. 260-279.

Btoush, M, Alarabeyat, A, Zboon, M, Ryati, O, Hassan, M & Ahmad, S 2011, ‘Increasing

Information Security Inside Organizations Through Awareness Learning for Employees’,

Journal of Theoretical & Applied Information Technology, vol. 24, no. 2, pp. 79-85.

Cervone, F 2005, ‘Understanding The Big Picture So You Can Plan For Network Security’,

Computers in Libraries, vol. 25, no. 3, pp. 10- 15.

Doherty, NF, Anastasakis, L & Fulford, H 2009, ‘The information security policy

unpacked: A critical study of the content of university policies’, International Journal of

Information Management, vol. 29, no. 6, pp. 449-457.

Dzazali, S, Sulaiman, A & Zolait, AH 2009, ‘Information security landscape and maturity

level: Case study of Malaysian Public Service (MPS) organizations’, Government

Information Quarterly, vol. 24, no. 4, pp. 584-593.

Everett, C 2010, ‘Social Media: Opportunity or Risk?’, Computer Fraud & Security, vol.

2010, no. 6, pp. 8-10.

De Haes, S, Van Grembergen, W 2009, ‘An Exploratory study into IT Governance

Implementations and its Impact on Business/IT Alignment’, Information Systems

Management, vol. 26, no. 2, pp. 123-137.

Hagen, JM, Albrechtsen, E & Hovden, J 2008, ‘Implementation and effectiveness of

organizational information security measures’, Information Management & Computer

Security, vol. 16, no. 4, pp. 377-397.

46

Knapp, KJ, Marshall, TE, Rainer, RK, & Ford, FN 2006, ‘Information security:

management's effect on culture and policy’, Information Management & Computer

Security, vol. 14, no. 1, pp. 24-36.

Kruger, H, Drevin, L & Steyn, T 2010, ‘A vocabulary test to assess information security

awareness,’ Information Management & Computer Security, vol. 18, no. 5, pp. 316-327.

Laaksonen, E & Niemimaa M 2011, ‘Information Security Policies, a Frames of Reference

Perspective’, Department of Computer Science Master thesis, Lulea University of

Technology.

Lane, T 2007, ‘Information Security Management in Australian Universities – An

Exploratory Analysis’, Faculty of Information Technology Master thesis, Queensland

University of Technology.

Microsoft Safety & Security Centre 2011, Microsoft, viewed 9 October 2011,

<http://www.microsoft.com/en-gb/security/online-privacy/passwords-create.aspx>

McFadzean, E, Ezingeard, J & Birchall, D 2007, ‘Perception of risk and the strategic

impact of existing IT on information security strategy at board level’, Online Information

Review, vol. 31, no. 5, pp. 622-660.

Mouratidis, H, Jahankhani, H & Nikhoma, MZ 2008, ‘Management versus security

specialists: an empirical study on security related perceptions’, Information

Management & Computer Security, vol. 16, no. 2, pp. 187-205.

Namjoo, C, Kim, D, Goo, J & Whitemore, A 2008, ‘Knowing is doing: An empirical

validation of the relationship between managerial information security awareness and

action’, Information Management & Computer Security, vol. 16, no. 5, pp. 484-501.

Samy, NG, Ahmad, R & Ismail, Z 2010, ‘Security threats categories in healthcare

information systems’, Health Informatics Journal, vol. 16, no. 3, pp. 201-209.

Siponen, M & Vance, A 2010, ‘Neutralization: New Insights Into The Problem Of

Employee Information Systems Security Policy Violations’, MIS Quarterly, vol. 34, no. 3,

pp. 487-A12.

47

Spears, JL & Barki, H 2010, ‘User Participation in Information Systems Security Risk

Management’, MIS Quarterly, vol. 34, no. 3, pp. 503-A5.

TAFE South Australia 2011, TAFE South Australia, Adelaide, viewed 12 June 2011,

<http://www.tafe.sa.edu.au/about-tafesa.aspx>.

Thompson, STC 2006, ‘Helping the Hacker? Library Information, Security, and Social

Engineering’, Information Technology & Libraries, vol. 25, no. 4, pp. 222-225.

von Solms, R 1998, ‘Information Security Management (1): Why Information Security is

so Important’, Information Management & Computer Security, vol. 6, no. 4, pp. 174-177.

Whitman, ME & Mattord HJ 2008, Management of Information Security, 2nd edn,

Thompson Course Technology, Australia.

Whitman, ME & Mattord HJ 2005, Principles of Information Security, 2nd edn, Thompson

Course Technology, Australia.

Williams, PAH 2008, ‘When trust defies common security sense’, Health Informatics

Journal, vol. 14, no. 3, pp. 211-221.

Yeo, AC, Rahim, M & Miri L 2007, ‘Understanding Factors Affecting Success of

Information Security Risk Assessment: The Case of an Australian Higher Educational

Institution’, in Proceedings of the Pacific Asia Conference on Information Systems 2007,

Auckland

48

Appendix A: Questionnaire

Section 1 – Knowledge of Concepts

Question 1: Phishing is:

a) ☐ The use of an email message which appears to be legitimate for the purpose of obtaining confidential information

b) ☐ When someone is persuaded to give away confidential information

c) ☐ The use of an email message which appears to be legitimate for the purpose of obtaining confidential information

d) ☐ Is also known as identity theft

e) ☐ All of the above – correct answer

f) ☐ I don’t know

Question 2: Spam is:

a) ☐ Another word for email or electronic messages

b) ☐ A marketing technique

c) ☐ Any unsolicited electronic mail – correct answer

d) ☐ All of the above

e) ☐ I don’t know

Question 3: Social Engineering is:

a) ☐ The use of technical means to gain unauthorised access to information

b) ☐ The use of non-technical means to gain unauthorised access to information – correct answer

c) ☐ Related to social media

d) ☐ I don’t know

Question 4: Please explain in a few words what your idea of a strong password is:

49

Question 5: Please select from the following what you believe to be the most important:

a) ☐ Data or information must be accurate

b) ☐ Data or information must be trustworthy

c) ☐ Data or information must be current

d) ☐ All of the above are important – correct answer

e) ☐ I don’t know

Section 2 – Behaviours and Actions

Question 6: Have you ever given your computer passwords to anyone such as a colleague, or logged someone onto a computer using your own passwords?

a) ☐ Yes

b) ☐ No

Question 7: Have you ever left your computer unattended without logging off or locking the computer?

a) ☐ Yes

b) ☐ No

Question 8: In relation to passwords:

a) ☐ I never change my passwords

b) ☐ I always choose passwords which are simple and easy to remember

c) ☐ I give my passwords to someone else (e.g., a colleague) for safe keeping

d) ☐ I change my non-simple passwords all the time, but I still manage to memorise them

e) ☐ I write them down and store them near my computer

e) ☐ I write them down and store them in a safe place

Question 9: Have you ever clicked on a link which has been embedded into an email which you have received from an external company?

a) ☐ Yes

b) ☐ No

Question 10: Have you ever amended data or performed data entry

50

without confirming the correctness of the data? For example, changing a student’s name or address in SMS or SIS without seeing proof?

a) ☐ Yes

b) ☐ No

Question 11: Have you ever discussed information or issues relating to your workplace on any social networking sites (e.g., Facebook, Twitter)?

a) ☐ Yes

b) ☐ No

Section 3 – Consciousness of Policies

Question 12: Are you aware of the existence of an information security policy for TAFE SA?

a) ☐ Yes – I know exactly where to find it

b) ☐ Yes I’ve heard of such a policy, but I don’t know the details

c) ☐ No

d) ☐ I don’t know what an information security policy is

Question 13: Are you aware of the existence of a password policy for TAFE SA?

a) ☐ Yes – I know exactly where to find it

b) ☐ Yes I’ve heard of such a policy, but I don’t know the details

c) ☐ No

d) ☐ I don’t know what a password policy is

Section 4 – Experiences with Computer Crime

Question 14: Have you ever experienced or felt that you have experienced computer crime at work or outside of work? (For example, unauthorised access to your computer accounts, or you have had your personal details stolen)

a) ☐ Yes

b) ☐ No

Question 15: If you have answered yes in the last question, please briefly

51

provide details of the computer crime you experienced:

Question 16: In relation to the computer crime you experienced, what actions did you take? (for example, did you report the incident? Who did you report the incident to?) Please briefly provide details:

Section 5 – Demographics

Question 17: Which of the following best describes your role?

a) ☐ Senior management

b) ☐ Middle or operational management

c) ☐ Lecturing staff

d) ☐ General administration or frontline

e) ☐Other – please specify:

52

Appendix B: Questionnaire Invitation to All Staff

53

Appendix C: Questionnaire Section 4 Responses

Details of experience Action taken

My world of warcraft and hotmail account have been hacked in the past, but have rectified the situation.

Called Blizzard to fix up the WoW issue, and changed me PW for hotmail while making sure that no other email accounts were attached, cause thats how they keep at you.

Wireless internet access - when I got my wireless router I had no idea how to work it. Months later I researched when my usage was high and found out someone else connecting to it.

I just used the tools to password protect my internet. Something about DHCP client or similar rings a bell?

Web site been hacked and used as a phishing site. Another site hacked - but perpetrator reported the security loophole.

Phishing site had already been reported (I was notified by a security firm).

my boss uses my password change my password.

they access my details to an accountThey actually notified me straight away and put a hold on the information

my password given to casual staff when I went on leave giving them access to my drives, emails, etc

should of but didn't

had the experience of watching my cursor passing across my screen, clicking into areas on my computer in same way remote access from IT happens. However was not in communication with IT department or given approval for remote access at the time.

reported it to IT department,who responded by saying that it "was probably another person in close proximity using a wireless mouse who was on the sam frequency as me and the signals got confused and went to my computer instead??"

Spam and unsolicited emails with links from AOL or similar providers

Notified ICT and then hard deleted without opening the link

A hacker from another country gained access to my VISA card details from, I believe, some transactions I had made to ebay or some other internet site. Fortunately I didnt have a lot of money in the account but the bank was able to credit me with the money stolen!!!

The bank contacted me, I didnt even know my account had been accessed - as this was done over a weekend!

56

Opening the last document in word, and someone elses document came up; It was confirmed to me that ICT remoted into my computer on numerous occassions to attempt to find fault with my machine or usage; they are probably the culprits (YES - I reported the invasions to my managers - Who thought that I was imagining things! - But like I said when a staff of ICT left the TAFE he confirmed off record what I had suspected).

Reported to work manager; problem is that ICT was (I believe but un supported- involved)

Someone tried to guess my yahoo email account password.

I changed my password. Didn't report the incident to anyone.

My personal files being accessed without my knowledge or permission

Told my manager

An IT help desk person logged into my computer without my consent after our call had concluded, the IT person on campus followed up with this issue.

It happened as I was sitting at my desk, I got the IT personell on campus & they contacted the other person & then the IT manager followed up with the incident

As a systems administrator in industry, servers under my control were compromised, but no information was stolen.

Rebuilt servers to remove backdoors and patched the vulnerability used to gasin access. Incidents were not reported to police.

Asked for varification of account details via email stating that they are from the ANZ and Commonwealth banks and Paypal restricted account email. The ANZ banking requests come alsmot daily at present and weekly for the Commonwealth bank. I have had money taken from my Paypal account which was reversed and money removed from my ANZ Visacard from overseas. /

Removed all funds from tageted account changed all passwords and cancelled Visa Card (replaced). Altered Passwords on PayPal and all bank accounts. Downloaded and ANZ bank App for my Iphone and use PIN's as well as passwords.

Identifty theft resulting in unauthorised financial transactions.

Yes, reported to my financial organisation. They tracked and corrected it, although it took many months to sort out.

Credit card fraud reported it to bank.

My manager wanted access to my computer while I was on leave so contacted ICT who freely gave out that information. On my return I inadvertantly found out and found out they still had access.

I complained in writing to ICT and I understand ICT have stopped doing that now. They ended up sending an email out to all staff advisign that passwords were not to be givne out etc. / / Let's hope it really was ICT..........hee hee

My work and home credit card details were stolen and used without my consent, even though I have virus/security software on my computers. I am required to shop online for my job, and also do some at home, so this is how my details were stolen. Both cards were cancelled and replaced with new ones.

I reported my work one to the purchase card people and ANZ at work, who then cancelled the card. My home details that were taken were picked up by my bank's security system, and they let me know of this. I then rang the bank to confirm what was being said.

57

wiki.cis.unisa.edu.au€¦ · Web viewSpecial thanks go to my research supervisor Dr Sameera...

Documents

Transcript of wiki.cis.unisa.edu.au€¦ · Web viewSpecial thanks go to my research supervisor Dr Sameera...