Professional Documents
Culture Documents
available at www.sciencedirect.com
Article history: We are currently living in an age, where the use of the Internet has become second nature
Received 1 March 2010 to millions of people. Not only businesses depend on the Internet for all types of electronic
Received in revised form transactions, but more and more home users are also experiencing the immense benefit of
11 August 2010 the Internet.
Accepted 23 August 2010 However, this dependence and use of the Internet bring new and dangerous risks. This is
due to increasing attempts from unauthorised third parties to compromise private infor-
Keywords: mation for their own benefit e the whole wide area of cyber crime.
Information security It is therefore essential that all users understand the risks of using Internet, the importance
Information security awareness of securing their personal information and the consequences if this is not done properly.
Regulating service It is well known that home users are specifically vulnerable, and that cyber criminals have
Information service provider such users squarely in their target. This vulnerability of home users is due to many factors,
Home users but one of the most important one is the fact that such home users in many cases are not
Information security enforcement aware of the risks of using the Internet, and often venture into cyber space without any
awareness preparation for this journey.
This paper specifically investigates the position of the home user, and proposes a new
model, the E-Awareness Model (E-AM), in which home users can be forced to acquaint
themselves with the risks involved in venturing into cyber space. The E-AM consists of two
components: the awareness component housed in the E-Awareness Portal, and the
enforcement component.
This model proposes a way to improve information security awareness among home users by
presenting some information security content and enforcing the absorption of this content.
The main difference between the presented model and other existing information security
awareness models is that in the presented model the acquiring/absorption of the aware-
ness content is compulsory e the user is forced to proceed via the E-Awareness Portal
without the option of bypassing it.
ª 2010 Elsevier Ltd. All rights reserved.
* Corresponding author.
E-mail addresses: kritze@unisa.ac.za (E. Kritzinger), basievs@uj.ac.za (S.H. von Solms).
0167-4048/$ e see front matter ª 2010 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2010.08.001
c o m p u t e r s & s e c u r i t y 2 9 ( 2 0 1 0 ) 8 4 0 e8 4 7 841
the relevant corporate information security awareness cour- ability to recognise the threats and understand the requisite
ses, and to ensure safe practices when accessing cyber space. protection (Furnell et al., 2008b).
The NHU do not actually have a choice in any of these matters. Three million computers have been infected with Koobface
This forces NHUs to gain access to the Internet and web via e a social networking site (CISCO, 2009).
a secured route. Relevant corporate policies, procedures, Spam levels are expected to rise to 30e40 per cent in 2010
guidelines and best practices enforce this. (CISCO, 2009).
This is depicted in Figs. 3 and 4. One in every 600 PDF files downloaded from the web
contains malicious software (CISCO, 2009).
23,500 infected websites are discovered every day. That is
3. Home users and information security one every 3.6 s e four times worse than the same period in
awareness 2008 (Sophos, 2009).
15 new bogus antivirus vendor websites are discovered
In the case of HU, the situation is totally different. Although every day. This number has tripled, up from average of 5
research has been done on making home users aware of the during 2008 (Sophos, 2009).
importance of securing their own information, the enforce- 89.7% of all business e-mail is spam (Sophos, 2009).
ment to do so does not usually exist. HUs therefore in many
cases venture onto the Internet without any idea of what the An extremely worrying aspect reported is the fact that
risks are and what they must do to protect themselves. trusted legitimate websites are the perfect vehicle for malware
That HUs should be information security aware, are sup- distribution. It is estimated that more than 79% of the websites
ported by the following statistics: hosting malicious code are legitimate websites that have been
exploited (CISCO, 2009).
Home users account for 95% of Internet attacks (Symantec, With growing numbers of HUs accessing the Internet for
2007). social networking, Internet banking and many other reasons,
Novice users are likely to face a range of Internet threats as the big problem and worry is that in many cases such HUs are
their unfamiliarity with the technology can limit their not information security aware, and are therefore potentially
exposing themselves in a big way. This is depicted in Figs. 5
and 6 where a typical home user gains access to the web.
Figs. 5 and 6 clearly shows that the component of awareness
and enforcement is not present.
Enforcement The main difference between Figs. 3 and 4 and Figs. 5 and 6
is the enforcement component e i.e. the fact that the HU can
Information Security
Awareness tools get access without being exposed (in a compulsory way) to the
NHU relevant information security awareness tools and support
Awareness
Policies that are essential. These tools and support may be available as
Procedures
Guidelines options to the HU, but in most cases the HU does not make use
Best Practices
Awareness Courses of them because they are not enforced.
....
Online Table 1 provides a comparison of these tools, and shows
Secure access that because of the optional character in the HU’s case, the HU
does not get the benefit of these tools.
From Table 1 it is clear that because of non-enforcement,
Fig. 4 e Compulsory secured access to web for NHUs. HUs are not necessarily exposed to the benefits of such
c o m p u t e r s & s e c u r i t y 2 9 ( 2 0 1 0 ) 8 4 0 e8 4 7 843
awareness tools. Table 1 also indicates that there is a conflict- exercises. Another problem found is that these programmes
ing situation with the current information security awareness are not regularity updated with new emerging technologies,
programmes for HUs. This investigation identified that are for example the security issues regarding social networking.
a number of research projects which identified that informa- However, all these information security programmes do
tion security awareness is a problem among home users but address information security in some way but the main
there are minimum research done on designing and imple- problem still remains that if the HU does not know that he/she
menting information security awareness programmes to solve is information security illiterate, the user will not know to
it. From the information security awareness programmes that search for these awareness programmes online. From the
are available for HUs, the following issues came up. investigation above two challenges were derived. The first is
The amount of information security awareness pro- to create a framework for the design and implementation of
grammes available for HU is far less than that for NHU. The information security awareness tools. This addresses the
few that are available to HUs are mostly online programmes. challenge to ensure that HUs obtain the relevant information
These programmes are in most cases not easy to find and an security awareness to safely use the Internet.
novice HU will not have the skills and knowledge to find these The second challenge is to investigate ways in which HUs
programmes. If an HU manages to find these programmes can be forced (or guided) to get exposed to such awareness
they are in most cases not comprehensive enough, and do not tools to prepare themselves for the possible risks when
include all relevant information security issues. These sites obtaining access to the web. This challenge addresses the
start to address the information security awareness for home enforcement of information security awareness.
users but only provide limited beginner’s information. There The two challenges will be addressed by proposing
are no options for users to obtain more or in-depth informa- a model. The proposed model provides one way of addressing
tion security knowledge. There are also no dynamic interac- these challenges.
tion with the users by means of testing, examples and
implemented by ISPs. “These additional filtering services will help Bimpact on response time and delays which are neces-
parents to choose what they want filtered without having to download sarily introduced by the model and the effect on the HU,
and install software to their home computers.” (Australia, 2006) B ease of use and the user interface
Therefore the idea that ISPs can in future get much more B other as yet undetermined technical problems
involved in providing security and other types of services, for Other uses of the model, and other impacts which are
e.g. those suggested in this paper, is definitely possible. unclear at the moment.
4.3. Some practical considerations, limitations and The first two points are more socially and legally oriented,
challenges related to the proposed E-Awareness Model (E-AM) while the third is a more technical aspect. The fourth point
relates to uses of the model. The presented E-AM model is
The model presented in this paper is, of course, a theoretical specialized in the sense that it only relates to accessing the web
model, and is specifically the purpose of the paper. via ‘traditional’ ISPs, and does not try to address any other
However, it is good to briefly identify some practical aspects of Internet services or forms of enforcement. However,
aspects related to implementing the model at some stage. In the concept of the model can possibly be extended to a wider
implementing such a model, the major challenges lie in the sphere. That is something which can be investigated at a later
social, legal and technical areas. Some of the aspects which time when the prototype under development (mentioned below)
will have to be taken into account in these 3 areas include: provides answers to some of the challenges mentioned above.
A post graduate project has started to actually create
The social impact of the model, including a prototype to implement the model, and specifically look at
B User acceptance of such a model, the technical aspects, like point 3 above. When finished, it is
B the impact on the HU as far as changing the way he/she planned to test the prototype in a school environment to try to
has done things before (some behavioral change), evaluate more of the social consequences.
B the establishment and consequences of a trust relation- It is planned to report on the results of the prototype when
ship which is directly or indirectly, established between that is available.
the HU and the ISP in using such a model, As far as the legal aspects are concerned, national and
The legal environment in which the model will operate, international developments will be studied, in the light of
including aspects such as paragraph 4.2 above.
B contractual aspects including whether the user can now The authors are convinced that the first challenge now is to
hold the ISP responsible if something ‘bad’ happens, get a prototype working to help address the type of challenges
B the precise scope of the agreement between the HU and ISP mentioned in this paragraph.
B the privacy of HU information created by the E-AM model
and stored by the ISP 4.4. The full E-Awareness Model (E-AM)
B the way this form of ‘control’ is managed to prevent
undesirable ‘down stream’ consequences To summarize, the full E-AM is depicted below.(Fig. 8)
The technical aspects, including This paper will not expand on precisely how the ISP will
B The way the model is enforced, i.e. should it be manage and control to which levels in the E-AP the user
compulsory or can the user choose to be exposed to the should be exposed to at what times. The authors see that as
model as well as categorizing different types of users very much an implementation issue.
Enforcement
HU Awareness
Online
No access Secure access
It is important to note that no matter which level the users Furnell S, Valleria T, Phippen D. Security beliefs and barriers for
choose, they are “forced” to go the route via the E-AP. The E-AP novice Internet users. Computers & Security 2008a;27:235e40.
can be used by regulating services, governments, educational Furnell S, Tsaganidi V, Phippen A. Security beliefs and barriers for
novice Internet users. Computers & Security 2008b;27:235e40.
bodies and so forth to provide comprehensive national
Hilburn TB, Hirmanpour I, Khajenoori S, Turner R, Qasem A. A
campaigns to inform users of the risks of using the web (Von software engineering body of knowledge, Version 1.0.
Solms, 2010). Pittsburgh, United States of America: Software Engineering
The E-AM model presented above is in a sense, a one way Institute; 1999.
model, addressing communication from the HU to the ISP. ITU. Understanding cybercrime: a guide for developing Countries.
In the next version of the E-AM model, the model is extended Available at: http://www.itu.int/ITU-D/cyb/cybersecurity/
docs/itu-understanding-cybercrime-guide.pdf; 2009.
to also move technical aspects like antivirus protection, patch-
Kritzinger E, Smith E. Information security management: an
ing and other matter away from the HU and hosting that at the
information security retrieval and awareness model for
regulating service (Von Solms and Kritzinger, in press). This will industry. Computers & Security 2008;27:224e31.
change the model into more of a two way model. Kumar N, Mohan K, Holowczak R. Locking the door but leaving
the computer vulnerable: factors inhibiting home users’
adoption of software firewalls. Decision Support System 2008;
46:254e64.
5. Conclusion and future research
Lusaka Times. Zambia: Internet service providers urged to fight
cyber crime. Available at: http://www.lusakatimes.com/?
Accessing the web has many risks possibly with dire conse- p¼704; 2000.
quences for the HU who has limited information security Lemos R. Europe asks ISPs to help battle cybercrime. Available at:
knowledge. Allowing such users to access the web results in http://www.securityfocus.com/print/brief/71; 2008.
the HU being exposed to serious risks, which should, in the Ronald C, Carver C, Ferguson A. Phishing for user security
awareness. Computers & Security 2007;26:73e80.
benefit of all be prevented as far as possible. It is therefore
Sophos. The Sophos security threat report e 2009. Available at:
essential to ensure that users are educated and understand
http://www.sophos.com/sophos/docs/eng/marketing_
the security risks involved and how to limit them. material/sophos-security-threat-report-jan-2009-na.pdf; 2009.
This paper proposes an E-Awareness Model that can Shaw R, Chen C, Harris A, Huang HJ. The impact of information
empower users by giving them a better understanding of richness on information security awareness. Computers &
security issues, possible threats and how to avoid them. This Education 2009;52:92e100.
model puts a responsibility on the regulating service to force Symantec. Symantec Internet security threat report. Trends for
January-June 07, vol. XII. Available at: http://www.zdnetasia.
the user to absorb the required awareness content before
com/whitepaper/symantec-internet-security-threat-report-
venturing onto the cyber highway. The model as proposed is trends-for-january-june-07-volume-xii_wp-333829.htm; 2007.
still very abstract, future research will concentrate on actually The White House. Defending America’s cyberspace: national plan
implementing the model in terms of a prototype, and then for information systems protection. Available at: http://ww.
experimenting with the prototype to try to answer many open fas.org/irp/offdocs/pdd/CIP-plan.pdf; 2000.
questions e including those mentioned throughout this paper. Von Solms SH. Securing the Internet: fact or fiction? In:
Proceedings of the IFIP iNetSec conference. Sofia, Bulgaria;
2010.
Von Solms SH, Kritzinger E. Cyber security for home users: from
references
thick user Clients to Thin user Clients, in press.
Yasubsac A. Information security curricula in computer science
departments: theory and practice. Journal of Information
Australia. Measures to improve safety of the Internet for families. Security 2002;1(2).
Available at: http://www.minister.dbcde.gov.au/media/
media_releases/2009/115; 2006.
BCS. What future for internet service providers?. Available at: Dr.Elmarie Kritzinger is a Senior Lecturer in the School of
http://www.bcs.org/server.php?show¼ConWebDoc.24111; Computing at the University of South Africa (UNISA). She has been
2009. lecturing Computer Science and Information Systems since 2000.
Bishop M. Academia and education in information security: Four She obtained her PhD (Information Systems) at UNISA in 2006 and
years later. In: Proceedings of the Fourth National won the “Youngest PhD award” in the same year. She wrote
colloquium on information system security education. a number of articles that was published in conference proceed-
Washington, DC; 2000. ings, journals and books. Her main research focus is Information
CISCO. A comprehensive proactive approach to web-based Security Awareness and Education.
threats. CISCO IronPort Web Reputation White Paper.
Available at, http://www.ironport.com/pdf/ironport_web_ Prof SH (Basie) von Solms is a Research Professor in the Academy
reputation_whitepaper.pdf; 2009. for Information Technology of the University of Johannesburg in
Crowley E. Information systems security curricula development. Johannesburg, South Africa. He had been the Chairman of the
In: Proceedings of the 4th conference on IT curriculum on IT Academy for Information Technology from 1978 to 2006. He
education. Lafayette, Indiana, USA; 2003. obtained his PhD in Computer Science at University of Johan-
European Network and Information Security Agency e ENISA. A nesburg (formerly the Rand Afrikaans University) and has been
users’ guide: how to raise information security awareness. lecturing Computer Science and IT at this University since 1
Available at: http://www.enisa.europa.eu/act/ar/deliverables/ October 1970. The professor specializes in research and consul-
2006/ar-guide/en; 2006. tancy in the area of Information Security, Information Security
Furnell S, Bryant P, Phippen D. Assessing the security perceptions Governance, Cyber Security and Critical Information Infrastruc-
of personal Internet users. Computers & Security 2007;26: ture Protection. In 2009, the book “Information Security Gover-
410e7. nance”, co-authored with his brother, Professor Rossouw von
c o m p u t e r s & s e c u r i t y 2 9 ( 2 0 1 0 ) 8 4 0 e8 4 7 847
Solms, was published internationally by Springer. The book ‘The medal is one of the most important awards made by the
documents the experience and research resulting from coopera- Academy for leadership on the highest level in the area of science
tion between the two brothers over the last 10 years. He has and technology. The award is the crown on a life time career, and
written more than 100 papers regarding this field e most of which can only be awarded to a person once in his/her life time. The
have been published internationally. In addition, Prof. von Solms award reflects the candidate’s creative contributions towards the
has, up to date, supervised 15 Ph.D. students and more then 70 development, organization and continuous expansion of a branch
Master students. Prof von Solms has given numerous papers, or branches of scientific or technology, where such contribution
related to Information Security, at international conferences and has played a significant part in the advancement of science and
is regularly invited to be a member of the Program Committees for technology, and had also been to the benefit of the country.’
international subject conferences. In 2005 he was awarded the ICT Leadership Award by the
Prof von Solms is the President of IFIP, the International South African IT industry and the Computer Society of South
Federation for Information Processing. See also IFIP Activities. He Africa for ‘exceptional thought leadership qualities and sustain-
has been a consultant to industry on the subject of Information able contribution to the development and growth of the South
Security for the last 10 years, and has consulted in this area locally African IT Industry’.
and internationally. The South African Academy for Science and He is a Fellow of the Computer Society of South Africa (FCSSA),
Arts announced in April 2006 that the MT Steyn Medal for Scientific and a Fellow of the British Computer Society (FBCS). The professor
and Technical Achievement for 2006 had been awarded to Prof is also a Chartered Information Technology Professional (CITP), as
Basie von Solms. The Academy describes the award as follows: well as a SAATCA certified Auditor for ISO 17799.