Search results
1 – 10 of 38
Malcolm Pattinson, Marcus Butavicius, Meredith Lillie, Beau Ciccarello, Kathryn Parsons, Dragana Calic and Agata McCormac
Abstract
Purpose
This paper aims to introduce the concept of a framework of cyber-security controls that are adaptable to different types of organisations and different types of employees. One of these adaptive controls, namely, the mode of training provided, is then empirically tested for its effectiveness.
Design/methodology/approach
In total, 1,048 working Australian adults completed the human aspects of the information security questionnaire (HAIS-Q) to determine their individual information security awareness (ISA). This included questions relating to the various modes of cyber-security training they had received and how often it was provided. Also, a set of questions called the cyber-security learning-styles inventory was used to identify their preferred learning styles for training.
Findings
The extent to which the training that an individual received matched their learning preferences was positively associated with their information security awareness (ISA) level. However, the frequency of such training did not directly predict ISA levels.
Research limitations/implications
Further research should examine the influence of matching cyber-security learning styles to training packages more directly by conducting a controlled trial where the training packages provided differ only in the mode of learning. Further research should also investigate how individual tailoring of aspects of an adaptive control framework (ACF), other than training, may improve ISA.
Practical implications
If cyber-security training is adapted to the preferred learning styles of individuals, their level of ISA will improve, and therefore, their non-malicious behaviour, whilst using a digital device to do their work, will be safer.
Originality/value
A review of the literature confirmed that ACFs for cyber-security do exist, but only in terms of hardware and software controls. There is no evidence of any literature on frameworks that include controls that are adaptable to human factors within the context of information security. In addition, this is the first study to show that ISA is improved when cyber-security training is provided in line with an individual’s preferred learning style. Similar improvement was not evident when the training frequency was increased, suggesting real-world improvements in ISA may be possible without increasing training budgets but by simply matching individuals to their desired mode of training.
Agata McCormac, Dragana Calic, Kathryn Parsons, Marcus Butavicius, Malcolm Pattinson and Meredith Lillie
Abstract
Purpose
The purpose of this study was to investigate the relationship between resilience, job stress and information security awareness (ISA). The study examined the effect of resilience and job stress on the three components that comprise ISA, namely, knowledge, attitude and behaviour.
Design/methodology/approach
A total of 1,048 working Australians completed an online questionnaire. ISA was measured with the Human Aspects of Information Security Questionnaire. Participants also completed the Brief Resilience Scale and the Job Stress Scale.
Findings
It was found that participants with greater resilience also had higher ISA and experienced lower levels of job stress. More specifically, individuals who reported higher levels of resilience had significantly better knowledge, attitude and behaviour. Similarly, participants who reported lower levels of job stress also reported significantly better knowledge, attitude and behaviour. Resilience plays an important mediating role in the relationship between job stress and ISA. This means that even if people have high levels of job stress, if they are better able to cope with or adapt to stress (i.e. have higher resilience), they are less likely to have lower ISA. Results of this study add to the body of literature emphasising the positive effects of resilience and suggest that resilience is associated with improved ISA and therefore more secure behaviour.
Research limitations/implications
Future research should focus on assessing the influence of resilience training in the workplace.
Originality/value
Given the constructive findings, it may be valuable to focus on the effect of organisational culture, and organisational security culture, on resilience, job stress and ISA.
Malcolm Pattinson, Marcus Butavicius, Kathryn Parsons, Agata McCormac and Dragana Calic
Abstract
Purpose
The aim of this study was first to confirm that a specific bank’s employees were generally more information security-aware than employees in other Australian industries and second to identify the major factors that contributed to this bank’s high levels of information security awareness (ISA).
Design/methodology/approach
A Web-based questionnaire (the Human Aspects of Information Security Questionnaire – HAIS-Q) was used in two separate studies to assess the ISA of individuals who used computers at their workplace. The first study assessed 198 employees at an Australian bank and the second study assessed 500 working Australians from various industries. Both studies used a Qualtrics-based questionnaire that was distributed via an email link.
Findings
The results showed that the average level of ISA among bank employees was consistently 20 per cent higher than that among general workforce participants in all focus areas and overall. There were no significant differences between the ISA scores for those who received more frequent training compared to those who received less frequent training. This result suggests that the frequency of training is not a contributing factor to an employee’s level of ISA.
Research limitations/implications
This current research did not investigate the information security (InfoSec) culture that prevailed within the bank in question because the objective of the research was to compare a bank’s employees with general workforce employees rather than compare organisations. The research did not include questions relating to the type of training participants had received at work.
Originality/value
This study provided the bank’s InfoSec management with evidence that their multi-channelled InfoSec training regime was responsible for a substantially higher-than-average ISA for their employees. Future research of this nature should examine the effectiveness of various ISA programmes in light of individual differences and learning styles. This would form the basis of an adaptive control framework that would complement many of the current international standards, such as ISO’s 27000 series, NIST’s SP800 series and ISACA’s COBIT5.
Malcolm Pattinson, Kathryn Parsons, Marcus Butavicius, Agata McCormac and Dragana Calic
Abstract
Purpose
The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accidental information security behaviours.
Design/methodology/approach
In the first study, 23 university students responded to an online survey within a university laboratory setting that captured their attitudes toward behaviours in each of seven focus areas. In the second study, the same students participated in a one-on-one repertory grid technique interview that elicited their attitudes toward the same seven behaviours. Results were analysed using Spearman correlations.
Findings
There were significant correlations for three of the seven behaviours, although attitudes relating to password management, use of social networking sites, information handling and reporting of security incidents were not significantly correlated.
Research limitations/implications
The small sample size (n = 23) and the fact that participants were not necessarily representative of typical employees may have impacted on the results.
Practical implications
This study contributes to the challenge of developing a reliable instrument that will assess individual InfoSec awareness. Senior management will be better placed to design intervention strategies, such as training and education of employees, if individual attitudes are known. This, in turn, will reduce risk-inclined behaviour and result in a more secure organisation.
Originality/value
The literature review indicates that this study addresses a genuine gap in the research.
Kathryn Parsons, Agata McCormac, Malcolm Pattinson, Marcus Butavicius and Cate Jerram
Abstract
Purpose
The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations.
Design/methodology/approach
A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants across the three organisations. This was complemented by interviews with senior management from these agencies.
Findings
Overall, management and employees had reasonable levels of InfoSec awareness. However, weaknesses were identified in the use of wireless technology, the reporting of security incidents and the use of social networking sites. These weaknesses were identified in the survey data of the employees and corroborated in the management interviews.
Research limitations/implications
As with all such surveys, responses to the questions on attitude and behaviour (but not knowledge) may have been influenced by the social desirability bias. Further research should establish more extensive baseline data for the survey and examine its effectiveness in assessing the impact of training and risk communication interventions.
Originality/value
A new survey tool is presented and tested which is of interest to academics as well as management and IT systems (security) auditors.
Malcolm Pattinson, Cate Jerram, Kathryn Parsons, Agata McCormac and Marcus Butavicius
Abstract
Purpose
The purpose of this paper is to investigate the behaviour response of computer users when either phishing e‐mails or genuine e‐mails arrive in their inbox. The paper describes how this research was conducted and presents and discusses the findings.
Design/methodology/approach
This study was a scenario‐based role‐play experiment that involved the development of a web‐based questionnaire that was only accessible by invited participants when they attended a one‐hour, facilitated session in a computer laboratory.
Findings
The findings indicate that overall, genuine e‐mails were managed better than phishing e‐mails. However, informed participants managed phishing e‐mails better than not‐informed participants. Other findings show how familiarity with computers, cognitive impulsivity and personality traits affect behavioural responses to both types of e‐mail.
Research limitations/implications
This study does not claim to evaluate actual susceptibility to phishing emails. The subjects were university students and therefore the conclusions are not necessarily representative of the general population of e‐mail users.
Practical implications
The outcomes of this research would assist management in their endeavours to improve computer user behaviour and, as a result, help to mitigate risks to their organisational information systems.
Originality/value
The literature review indicates that this paper addresses a genuine gap in the research.
Kathryn H. Dekas and Wayne E. Baker
Abstract
Purpose
A work orientation represents a person’s beliefs about the meaning of work – the function work plays in the person’s life and the constellation of values and assumptions the person holds about the work domain. Research has suggested that adults tend to favor one of three primary work orientations: job, career, or calling. Empirical studies have shown that adults with different primary work orientations tend to experience different work and career outcomes; however, scholars have not analyzed how or why an individual first develops a work orientation. In this study, we take a first step toward investigating the origins of adults’ work orientations.
Design/methodology/approach
We propose hypotheses drawing on extant literature on the development of work values and occupational inheritance. We test hypotheses using a retrospective research design and survey methodology, with a sample of working adults.
Findings
Work orientations are developed through socialization processes with parents during adolescence. There are different patterns of development across the three work orientation categories: stronger calling orientations are developed when both parents possess strong calling orientations; stronger career orientations develop in accordance with fathers’ career orientations; and job orientations are related more to the nature of the adolescent’s relationship with parents than with parents’ own work orientations.
Originality/value
This research provides the first empirical study of the origin and development of work orientations.
Research limitations/implications
This research offers insight into ways generations are connected through the perceived meaning of their work, even as the nature of work changes. We encourage future scholars to use this as a starting point for research on the development of work orientations, and to continue exploring these questions using additional methods, particularly longitudinal study designs.
Abstract
Life studies are a rich source for further research on the role of the Afro‐American woman in society. They are especially useful to gain a better understanding of the Afro‐American experience and to show the joys, sorrows, needs, and ideals of the Afro‐American woman as she struggles from day to day.
Robert C. Pennington, Monique Pinczynski and Kathryn Davis
Abstract
Students with extensive supports needs (ESN) often require pervasive and intensive supports to access the full benefits of educational programming. In this chapter, the authors describe the application of both established and innovative technologies for promoting equitable access and opportunity for these students. They provide guidance for the use of technology across the areas of academic instruction, social communication, behavior supports, daily living, and employment.
Abstract
Witchcraft in Honduras is an unprotected marginalized woman’s efforts to gain social, economic, and political power through an informal economy by utilizing the cultural belief in the witches’ supernatural power. The Honduran post-colonial Latin American culture allows for a persistent informal economy, in part, based on the commoditization of witchcraft and exorcism. The case study provides a specific example through ethnographic interviews of this under-researched informal economy driven by fear and economic desperation. Further research and analysis of these poorly understood and rarely recorded modern phenomena and the associated informal economy is needed.