Enhancing employees information security awareness in private and public organisations: A systematic literature review

Khando, Khando; Gao, Shang; Islam, M. Sirajul; Salman, Ali

doi:10.1016/j.cose.2021.102267

Cited by 122 publications

(72 citation statements)

References 65 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is in line with a study conducted in public organizations in Greece where the findings showed that the level of employee information security awareness is low and needs to be raised (Loukis and Spinellis, 2001). Furthermore, other previous studies also confirm the lack of information security awareness among employees (Chan and Mubarak, 2012;Mataracioglu and Ozkan, 2011;Khando et al, 2021) and highlight the fact that the human factor is one of the most common reasons for security breaches in organizations due to the employees' lack of information security awareness (Soomro et al, 2016;Spears and Barki, 2010;Parsons et al, 2014). Information where loss of confidentiality/integrity/availability leads to a minor damage to external actors (companies, other municipalities, regions, other authorities).…”

Section: Theoretical Contributionsupporting

confidence: 90%

An information classification model for public sector organizations in Sweden: a case study of a Swedish municipality

Bergquist

Tinet

Gao

2021

ICS

Self Cite

View full text Add to dashboard Cite

Purpose The purpose of this study is to create an information classification model that is tailored to suit the specific needs of public sector organizations in Sweden. Design/methodology/approach To address the purpose of this research, a case study in a Swedish municipality was conducted. Data was collected through a mixture of techniques such as literature, document and website review. Empirical data was collected through interviews with 11 employees working within 7 different sections of the municipality. Findings This study resulted in an information classification model that is tailored to the specific needs of Swedish municipalities. In addition, a set of steps for tailoring an information classification model to suit a specific public organization are recommended. The findings also indicate that for a successful information classification it is necessary to educate the employees about the basics of information security and classification and create an understandable and unified information security language. Practical implications This study also highlights that to have a tailored information classification model, it is imperative to understand the value of information and what kind of consequences a violation of established information security principles could have through the perspectives of the employees. Originality/value It is the first of its kind in tailoring an information classification model to the specific needs of a Swedish municipality. The model provided by this study can be used as a tool to facilitate a common ground for classifying information within all Swedish municipalities, thereby contributing the first step toward a Swedish municipal model for information classification.

show abstract

Section: Theoretical Contributionsupporting

confidence: 90%

An information classification model for public sector organizations in Sweden: a case study of a Swedish municipality

Bergquist

Tinet

Gao

2021

ICS

Self Cite

View full text Add to dashboard Cite

show abstract

“…Relevant research stated that an appropriate level of information security in organizations requires a holistic, multidimensional approach (Yildirim, 2016), (Khando et al , 2021) composed of different major components. Panguluri et al (2017) report that the main components are technical measures, people and processes.…”

Section: Resultsmentioning

confidence: 99%

“…As noticed, different authors with different complexity and depth describe the concept of information security culture, but no matter of their approaches, it is possible to notice that all of them emphasize the importance of consistent behaviour of people against the rules defined in security policies. In that capacity, human dimension of information security cannot be fully addressed by technical and management measures (Chang and Lin, 2007) (Khando et al , 2021). The objective of information security culture is to protect information assets by promoting cautious and secure employee behaviour, i.e.…”

Section: Theoretical Background and Motivationmentioning

confidence: 99%

“…Increasing security needs have expanded researchers' attention to explore the role of executive levels in information security management (Soomro et al , 2016). In that light, researchers agreed that technology cannot provide a complete solution and information security can no longer be ensured by using only technological solutions and controls (Tang et al , 2016), since security is not a “technical issue” any more but also “human problem” (Alhogail, 2015) (Khando et al , 2021).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Holistic framework for evaluating and improving information security culture

Arbanas¹,

Spremić

Hrustek³

2021

AJIM

View full text Add to dashboard Cite

PurposeThe objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.Design/methodology/approachThe conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, measuring instrument was developed, and then content and construct validity of measuring instrument was confirmed via experts' opinion and by closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.FindingsThe proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.Originality/valueThis paper contributes to the body of knowledge in information security culture by developing and validating holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical component.

show abstract

“…One potential way to continue to increase employees' 1) ability to detect and 2) motivation to report phishing emails might be through the gamification of the mock phishing campaign experience. The addition of gaming elements to non-gaming situations in this and other cyber-related contexts has been explored (Francia et al, 2014;Gjertsen et al, 2017;Emm, 2021;Khando et al, 2021). For example, gamification has demonstrated promise in the education of normal users regarding password security (Scholefield and Shepherd, 2019), and gamified systems can increase motivation to comply with security policy and reduce mock phishing failures, significantly outperforming training provided via email (Silic and Lowry, 2020).…”

Section: Background On Phishingmentioning

confidence: 99%

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Canham¹,

Posey

Constantino

2022

Front. Educ.

View full text Add to dashboard Cite

To better understand employees’ reporting behaviors in relation to phishing emails, we gamified the phishing security awareness training process by creating and conducting a month-long “Phish Derby” competition at a large university in the U.S. The university’s Information Security Office challenged employees to prove they could detect phishing emails as part of the simulated phishing program currently in place. Employees volunteered to compete for prizes during this special event and were instructed to report suspicious emails as potential phishing attacks. Prior to the beginning of the competition, we collected demographics and data related to the concepts central to two theoretical foundations: the Big Five personality traits and goal orientation theory. We found several notable relationships between demographic variables and Phish Derby performance, which was operationalized from the number of phishing attacks reported and employee report speed. Several key findings emerged, including past performance on simulated phishing campaigns positively predicted Phish Derby performance; older participants performed better than their younger colleagues, but more educated participants performed poorer; and individuals who used a mix of PCs and Macs at work performed worse than those using a single platform. We also found that two of the Big Five personality dimensions, extraversion and agreeableness, were both associated with poorer performance in phishing detection and reporting. Likewise, individuals who were driven to perform well in the Phish Derby because they desired to learn from the experience (i.e., learning goal orientation) performed at a lower level than those driven by other goals. Interestingly, self-reported levels of computer skill and the perceived ability to detect phishing messages failed to exhibit a significant relationship with Phish Derby performance. We discuss these findings and describe how focusing on motivating the good in employee cyber behaviors is a necessary yet too often overlooked component in organizations whose training cyber cultures are rooted in employee click rates alone.

show abstract

Enhancing employees information security awareness in private and public organisations: A systematic literature review

Cited by 122 publications

References 65 publications

An information classification model for public sector organizations in Sweden: a case study of a Swedish municipality

An information classification model for public sector organizations in Sweden: a case study of a Swedish municipality

Holistic framework for evaluating and improving information security culture

Phish Derby: Shoring the Human Shield Through Gamified Phishing Attacks

Contact Info

Product

Resources

About