
Information Management & Computer Security

Recommendations for information security awareness training for college students


Eyong B. Kim
Article information:
To cite this document:
Eyong B. Kim (2014), "Recommendations for information security awareness training for college students",
Information Management & Computer Security, Vol. 22 Iss 1 pp. 115-126
Permanent link to this document:
http://dx.doi.org/10.1108/IMCS-01-2013-0005
Downloaded on: 22 February 2016, At: 18:53 (PT)
Downloaded by University of Pittsburgh At 18:53 22 February 2016 (PT)

References: this document contains references to 41 other documents.





Recommendations for information security awareness training for college students

Eyong B. Kim
Barney School of Business, University of Hartford, West Hartford, Connecticut, USA

Received 14 January 2013
Revised 17 May 2013, 29 July 2013, 30 July 2013
Accepted 31 July 2013

Abstract
Purpose – The purpose of this paper is to survey the status of information security awareness
among college students in order to develop effective information security awareness training (ISAT).
Design/methodology/approach – Based on a review of the literature and theoretical standpoints
as well as the National Institute of Standards and Technology Special Publication 800-50 report, the
author developed a questionnaire to investigate the attitudes toward information security awareness
of undergraduate and graduate students in a business college at a mid-sized university in
New England. Based on that survey and the previous literature, suggestions for more effective ISAT
are provided.
Findings – College students understand the importance and the need for ISAT but many of them do
not participate in it. However, security topics that are not commonly covered by any installed
(or built-in) programs or web sites have a significant relationship with information security awareness.
It seems that students learned security concepts piecemeal from a variety of sources.
Practical implications – Universities can assess their ISAT for students based on the findings of
this study.
Originality/value – If any universities want to improve their current ISAT, or establish it, the
findings of this study offer some guidelines.
Keywords Training, Information security, Students, College students’ information security awareness,
Information security awareness training
Paper type Research paper

Introduction
Most college students use information technology and information systems (IT/IS)
extensively for many reasons such as: taking online courses, using the blackboard
system, using e-mail, accessing social networks, and using their smart phones, iPads,
and PCs. As college students’ use of IT/IS grows, it is more and more important to
protect their information and systems from possible security attacks. Based on an
EDUCAUSE member institution survey (Ingerman and Yang, 2011), IS security in
educational institutions has been number one or two on the “potential to become more
significant in the coming year” list for the last several years.
It was reported that most victims (83 percent) of security attacks are a target of
opportunity rather than of choice (DBIR, 2011). Opportunistic attacks mean that the
victims were identified because they exhibited a weakness or vulnerability attackers
could exploit. To prevent the opportunistic attacks, students need to know how to
protect their information and systems.
Non-malicious end-users who do not comply with IS security policies are
responsible for more loss than malicious users (Computer Security Institute, 2010).
Lack of training is cited as a top reason why contingency and response plans are not
effective (PwC Survey, 2013). If students are not fully aware of their school’s
information security policy, they do not understand the risks of using information
systems and the potential damage that can result. It is true that college students may
be technologically well informed but it does not mean that they know how to protect
their information and systems effectively.
System users need to increase their security awareness to minimize faults and
maximize the efficiency of security techniques and procedures (Siponen, 2000). Security
awareness is how well users understand the importance of information security and how
well they exercise information security controls to protect the organization’s data and
networks. The goal of a security awareness program is to heighten the importance of
both information systems security and the possible negative effects of a security breach
or failure (Hansche, 2001). To protect information and systems effectively, Ernst &
Young (2008) recommended organizations invest more in training and awareness
programs that prevent users from being the weakest link in a security chain. One of the
best uses of the information security budget is for comprehensive information security
awareness programs for users because organizational management needs to realize
the importance of information security awareness among users (von Solms and
von Solms, 2004).
Information security awareness training (ISAT) generally provides awareness and
training or workshops to educate students on issues related to information security.
Through this training, students can learn the necessary security concepts and control
skills. One of the important steps in developing effective ISAT is understanding the
students’ information security awareness level. If a student has had security training, does
it differentiate the student’s attitudes toward information security? Do students have
adequate knowledge for practicing information security properly? To investigate
students’ security awareness level and the effect of security training, the present study
explores students’ attitudes toward information security awareness.

Literature review
Information systems have six components: software, hardware, data, people (users),
procedures and networks. Among these, users and procedures are often overlooked in
information security considerations (Maconachy et al., 2001; Dlamini et al., 2009).
If end-users are not fully aware of information security, the information security
techniques or procedures can be misused, misinterpreted or not used by them (Ceraolo,
1996; Straub and Welke, 1998). To protect users’ information and systems, not only is the
proper technology required, but the human side of security should be well managed as
well, because technology alone is not sufficient to ensure information security (Aytes and
Terry, 2004; Workman et al., 2008). As the importance of information security and
assurance has risen sharply in recent years, information security awareness is
considered one of the “pervasive themes (topics addressed multiple times in multiple
classes) in IT curricula and defines one area of the IT Body of Knowledge (23 out of
314 core hours)” (Lunt et al., 2008). It is suggested that all IT foundation knowledge areas
should include information security and assurance aspects. In addition, IT graduates
need to develop a mind-set based on a user-centered approach to technology
(HCI, human factors, ergonomics, cognitive psychology, etc.) so that solutions to
problems are not always purely technological (Lunt et al., 2008).
The key to addressing human factors and competencies in information security is
awareness, training, and education (NIST SP 800-16, 1998). Based on NIST SP 800-16,
every individual in an organization should have “security awareness” and “security
basics and literacy”, which is a stepping-stone between “awareness” and “training”.
It provides foundation knowledge, i.e. security terms and concepts, for further security
training. The main objective of IT security awareness programs is changing security
attitudes among employees to change the organizational culture (NIST SP 800-16, 1998).
Because security awareness training reduces the success rate of hacking attacks at
both the individual and organizational level, a successful security awareness program
should focus on how a user gets continuous secure behavior (Okenyi and Owens, 2007).
Even though an organization develops a well-documented security guideline to
address awareness, simply presenting it in a factual manner may be an unsuitable
approach (Siponen, 2000). The end-user training and education program should have
end-user buy-in and be easily accessible to be effective.


Social engineering attacks are increasing and difficult to manage because attackers
are generally taking advantage of legitimate employees’ vulnerabilities (Hadnagy et al.,
2010). Because social engineering exploits employee behavior, employees often ignore the
significance of failing to take precautions against social engineering threats (Workman,
2007). The Dimensional Research Survey (2011) showed that companies were lacking
the proactive training for their employees. For example, only 26 percent of respondents
did ongoing training while 34 percent did not currently make any attempt to educate
employees even though 86 percent of all IT professionals were aware of this potential
security threat. Trends and tactics of social engineering threats were analyzed using a
database of the virus bulletin that serves as a repository of reported malware incidents
worldwide (Abraham and Chengalur-Smith, 2010). They found out that social
engineering attackers used tactics of psychological ploys, curiosity, empathy,
excitement, fear and greed of a possible victim. In addition, commonly used channels
were e-mail, web sites, social software (i.e. Facebook, Twitter, others) and portable
storage drives (i.e. CD-ROM or USB). They claimed e-mail was the most popular medium
of attack and that social software attacks were on the rise. Even though user training is
somewhat effective against social engineering attacks, for example awareness of the dangers
of unsolicited e-mail attachments made users more cautious about them (Dodge et al.,
2007), it is not easy to train employees to identify social engineering and phishing in all
their guises (Karakasiliotis et al., 2007). To minimize social engineering threats, users need
to consider four factors: the legitimacy of a request, the importance of the information,
source verification, and the timing of the response (Bakhski et al., 2009).
To improve information security in an organization, two approaches have been
suggested in the literature. One is the “sanction-based approach” where fear of
sanctions determines whether users comply with information security policies (Straub,
1990; Siponen et al., 2007). Therefore, information security actions can discourage
potential computer abusers from committing implicit or explicit security violations.
This paper examines the other approach, ISAT (or education) (Siponen, 2000).
In general, the objective of ISAT is to persuade end-users and stimulate their thinking
processes about information security. The goal is to have users internalize the reasons why
it is important to comply with security policies (Gardner, 2004). Training is an appropriate
intervention method in the human performance improvement (HPI) model when the root
cause of the problem is lack of individual knowledge, skill, or attitude (King et al., 2001, p. 7).
Because a training program that does not work in practice is of limited value, IS
security practitioners need empirically proven approaches to improve compliance
(Puhakainen and Siponen, 2010). There are four steps for effective training: planning,
organizing, implementing, and evaluating and follow-up (Vincent and Ross, 2001). The
planning phase includes need assessment, promotion of the training program, and
selection of trainers. In organizing training, the content of the training should be
specified to include objectives, instructional strategies, learning theories, lesson plans,
course notebook or manual, and the training program or curriculum as a whole.
Learning actually happens in the phase of implementation by presentation,
explanation and interaction between trainer and trainees. Lastly, it is recommended
to have an evaluation for accountability and productivity improvement.
In addition to the four steps, to have an effective training program, conducting a
systematic need assessment is a crucial initial step to training design and development
(Goldstein and Ford, 2002; Sleezer, 1993; Zemke, 1994). Organizations need to investigate
if training can address their problems and meet the objective of information security.
In doing so, an organization often conducts needs assessment, which is a three-step
process: organizational analysis, task analysis, and person analysis. Organizational
analysis can answer the following questions – which organizational goals can be
attained through personnel training, and where is training needed in the organization.
Task analysis determines what will be covered in the training materials that a
trainee must learn to perform the job effectively. Person analysis means finding out
who the targets are for the training program. Among these three processes, task
analysis is one aspect the university needs to conduct for effective ISAT for university
students.
Good examples of organization policies and how to properly use and protect the IT
resources and information can be found in the National Institute of Standards and
Technology Special Publication (NIST SP) 800-16 (NIST, 1998). In addition, there are
27 information security awareness topics suggested in NIST SP 800-50 (2003)
(NIST, 2003). These topics include password usage and management, protection from
malicious code, e-mail and attachments, web usage, data backup, social engineering,
and others. Among these, this study includes topics students frequently experience
when they use university information systems.

Hypothesis
Based on the previous studies, students who have had ISAT have a better understanding of
information security and more knowledge about what they need to do.
A hypothesis is developed in the null form:
H1. There is no significant relationship between ISAT and the students’
information security awareness topics.
Among the 27 information security awareness topics suggested in the NIST SP 800-50
(NIST, 2003), 17 items have been selected to be investigated in this study. Those are
listed in “Information security awareness topics included in this study”:
(1) need an anti-virus program;
(2) need of updating virus definitions;
(3) regularly scan a computer and a storage device;
(4) use of a personal firewall;
(5) installing software patches;
(6) use pop-up blockers;
(7) understand the risk of downloading programs or files;
(8) understand the risk of peer-to-peer (P2P) file sharing;
(9) understand the risk of clicking on e-mail links;
(10) understand the risk of e-mailing passwords;
(11) understand the risk of e-mail attachments;
(12) regularly backup important files;
(13) understand the risk of smartphone viruses;
(14) need of anti-virus program for a smart phone;
(15) know the strong password characteristics;
(16) use different passwords for different systems; and
(17) change passwords regularly.

Students may have different perceptions of safety in information security depending
on their ISAT experience. A hypothesis is developed in the null form:
H2. There is no significant relationship between ISAT and the students’
perception of safety in information security.

Methodology and instrument development
A questionnaire survey was conducted on 357 undergraduate and graduate students in a
mid-sized university in New England. They were randomly selected from the business
college. The survey questionnaires were sent to students as an e-mail attachment.
A reminder e-mail was sent one week after the initial e-mail notification. As a result, a total
of 70 students out of 357 returned the survey, providing a 19.6 percent return rate. The
survey participation was voluntary and made anonymous by having a third party
collect the questionnaires. The principal investigator received responses without any
identification. The principal investigator did not conduct any ISAT for this study and
had no control over the content or length of ISAT that sample subjects received. Among
the 70 responses, two of them were deleted because they did not specify if they had ISAT.
The remaining 68 responses were analyzed using the IBM Statistical Package for the
Social Sciences (SPSS).
Based on a review of the literature and theoretical standpoints as well as NIST SP
800-50 report (NIST, 2003), the author developed a questionnaire that has 27 items for
investigating the attitudes toward information security awareness of undergraduate
and graduate students in a business college. The first five items are for demographic
information about the respondents and the next one item is related to ISAT. These
six questions utilize the categorical variables for asking school year, working status,
gender, age, major, and if a student had any ISAT previously. The next 18 items
examine students’ attitudes toward information security using a five-item Likert scale.
These 18 items are based on the security topics in “Information security awareness
topics included in this study” and the remaining three items are for H2.

Sample characteristics
Among the respondents, 40 (58.8 percent) students are undergraduates (two Freshmen,
ten Sophomores, 15 Juniors, and 13 Seniors) and 28 (41.2 percent) are MBA students.
Twenty-three students (33.8 percent) are working full time, 19 students (27.9 percent)
work part time and the remaining 25 students (36.8 percent) do not work at all (one student
did not respond). More than half (37 students or 54.4 percent) are male students,
28 students (41.2 percent) are female students, and three students did not specify their
gender. Age distribution of the sample is as follows: 38 students (55.9 percent) are
between 18 and 23 years old, 15 students (22.1 percent) are between 24 and 30 years old,
13 students (19.1 percent) are older than 30 and two students did not specify their age.

Reliability and validity of the instrument
To test the reliability of these questionnaire items, Cronbach’s α test was conducted.
Cronbach’s α is a model of internal consistency, based on the average inter-item
correlation and is one of the established techniques for reliability testing. The α
coefficient of these questionnaire items is 0.779. This is high enough to be considered a
reliable measure of a construct for exploratory studies (Nunnally, 1978). Concerning the
validity, the questionnaire items were developed based on the previous studies and
NIST SP 800-50 as discussed above.
The raw matrix of 67 responses was analyzed by the principal components analysis
with varimax rotation (Kaiser’s varimax method) with the latent root criterion
(eigenvalue one criterion) applied to obtain the eight factors (factor loadings greater
than 0.40). Only those factors with eigenvalues (the column sum of squares for a factor)
greater than 1 are considered significant. Kaiser’s (1958) varimax method maximizes
the sum of variances of squared loadings in the columns of the factor matrix. It is one of
the most widely used methods to obtain an orthogonal rotation.
The results revealed that 75.4 percent of the variance could be explained by the first
eight factors with eigenvalues of 1.0 or more. Sixteen percent of the variance is
explained by a single factor, 10.6 percent of the variance is explained by a second
factor, 9.8 percent of the variance is explained by a third factor, 9.1 percent of the
variance is explained by a fourth factor, 8.5 percent of the variance is explained by a
fifth factor, 8.4 percent of the variance is explained by a sixth factor, 6.7 percent of the
variance is explained by a seventh factor, and 6.3 percent of the variance is explained
by an eighth factor. After analyzing the loaded items on each factor, the author considers
factor 1 as cyber attack, factor 2 as mobile security, factor 3 as document safety, factor
4 as e-mail security, factor 5 as network security, factor 6 as perceived safety on
information systems, factor 7 as web browser security, and factor 8 as social
engineering in information security. These eight dimensions of information security
seem to represent the security issues the current college students are experiencing.

Results and discussions
The Kruskal-Wallis test was performed to test the hypotheses. The Kruskal-Wallis test
is appropriate when there is one nominal variable and one measurement variable and
the measurement variable does not meet the normality assumption. The significance
level was set at 95 percent (p < 0.05). The tests of the null hypotheses of no significant
relationship between ISAT and students’ information security awareness topics (H1) and
perception of safety (H2) are summarized in Tables I and II.
Table I. ISAT and security attitudes

Attitude                                                  Sig.   H1 test
Need an anti-virus program                                0.196
Need of updating virus definitions                        0.312
Regularly scan a computer and a storage device            0.033  Reject
Use of a personal firewall                                0.114
Installing software patches                               0.216
Use pop-up blockers                                       0.564
Understand the risk of P2P file sharing                   0.025  Reject
Understand the risk of downloading programs or files      0.255
Understand the risk of clicking on e-mail links           0.580
Understand the risk of e-mailing passwords                0.674
Regularly backup important files                          0.012  Reject
Understand the risk of e-mail attachment                  0.138
Understand the risk of smartphone viruses                 0.004  Reject
Need of anti-virus program for a smart phone              0.012  Reject
Know the strong password characteristics                  0.139
Use different passwords for different systems             0.030  Reject
Change passwords regularly                                0.004  Reject

Table II. ISAT and perceived safety

Perceived safety                                          Sig.   H2 test
University information security program effectiveness    0.452
Information is sufficiently protected in this university 0.754
Protect my computers and information sufficiently         0.001  Reject
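The two statistics the paper relies on, Cronbach’s α for the reliability of the questionnaire and the Kruskal-Wallis test behind Tables I and II, are short enough to compute by hand. The following Python is an added example and is not the paper’s code or data: the four "items", the responses, and the split into respondents with and without ISAT are all constructed for illustration, and the p-value is computed only for the two-group case the paper uses (chi-square with one degree of freedom).

```python
"""Added example, not from the paper: Cronbach's alpha (scale reliability) and
the Kruskal-Wallis H test (used for H1/H2) over constructed Likert responses.
Every number below is made up for illustration."""
import math
from statistics import pvariance

# Constructed sample: each row is one respondent's 1-5 Likert answers to four
# hypothetical awareness items (say backup, scanning, patching, passwords).
SCALE_RESPONSES = [
    [5, 4, 5, 4],
    [4, 4, 4, 5],
    [2, 3, 2, 2],
    [3, 3, 2, 3],
    [5, 5, 4, 5],
    [1, 2, 2, 1],
    [4, 3, 4, 4],
    [2, 2, 3, 2],
]

# Constructed answers to one item ("regularly backup important files"), split
# by whether the respondent reported having had ISAT.
BACKUP_WITH_ISAT = [5, 4, 5, 4, 3]
BACKUP_WITHOUT_ISAT = [2, 3, 2, 3, 1, 2]


def cronbach_alpha(rows):
    """alpha = k/(k-1) * (1 - sum of item variances / variance of total score).

    rows: one list of k item scores per respondent.  Population variance is
    used throughout; the ratio is unchanged if sample variance is used instead.
    """
    k = len(rows[0])
    item_var = sum(pvariance([r[j] for r in rows]) for j in range(k))
    total_var = pvariance([sum(r) for r in rows])
    return k / (k - 1) * (1 - item_var / total_var)


def average_ranks(values):
    """Rank values 1..N; tied values share the mean of the ranks they span."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        shared = (i + 1 + j + 1) / 2  # ranks are 1-based
        for pos in range(i, j + 1):
            ranks[order[pos]] = shared
        i = j + 1
    return ranks


def kruskal_wallis(groups):
    """Tie-corrected Kruskal-Wallis H and, for two groups, its p-value.

    With two groups H is approximately chi-square with 1 degree of freedom,
    so p = erfc(sqrt(H / 2)).  For more than two groups only H is returned.
    """
    pooled = [v for g in groups for v in g]
    n = len(pooled)
    ranks = average_ranks(pooled)
    h, start = 0.0, 0
    for g in groups:
        rank_sum = sum(ranks[start:start + len(g)])
        h += rank_sum * rank_sum / len(g)
        start += len(g)
    h = 12.0 / (n * (n + 1)) * h - 3 * (n + 1)
    counts = {}
    for v in pooled:
        counts[v] = counts.get(v, 0) + 1
    ties = sum(t ** 3 - t for t in counts.values())
    if ties < n ** 3 - n:  # all values tied would make the correction 0/0
        h /= 1 - ties / (n ** 3 - n)
    h = max(h, 0.0)  # guard against tiny negative rounding error
    p = math.erfc(math.sqrt(h / 2)) if len(groups) == 2 else None
    return h, p


if __name__ == "__main__":
    print(f"Cronbach's alpha: {cronbach_alpha(SCALE_RESPONSES):.3f}")
    h, p = kruskal_wallis([BACKUP_WITH_ISAT, BACKUP_WITHOUT_ISAT])
    verdict = "Reject" if p < 0.05 else ""
    print(f"Kruskal-Wallis H = {h:.3f}, p = {p:.4f} {verdict}")
```

On the constructed data α comes out around 0.95 and the backup item gives H ≈ 6.84 with p ≈ 0.009, which is the kind of result that appears as "Reject" in Table I; with real survey data the same functions apply unchanged, one call per questionnaire item.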

Students’ attitudes toward some information security topics are significantly related to
ISAT as shown in Table I. Those are: scanning computers and storage devices
regularly (p = 0.033), understanding the risk of P2P file sharing (p = 0.025), understanding
the risk of viruses in a smartphone (p = 0.004), the need for an anti-virus program for a smart
phone (p = 0.012), regularly backing up important files (p = 0.012), using different
passwords for different systems, especially financial systems (p = 0.030), and
understanding the need to change passwords regularly (p = 0.004). Other information
security topics are not significantly related to ISAT. Students may be familiar with these
topics through using information systems frequently. Those topics are: use of a personal
firewall and an anti-virus program with updated virus definitions, installing software
patches whenever available, blocking pop-ups, knowing how to create a strong
password, and understanding the risk of downloading programs (or files), the risk of
clicking on e-mail links, the risk of e-mailing passwords, and the risk of e-mail attachments.
As described, some information security topics are significantly related to ISAT while
other topics are not. One reason may be that students learn some security concepts from
the built-in functions (or programs) in a computer that protect it from computer malfunctions
or external threats, such as the software patch management program that automatically
searches for new software patches and asks users for permission to install them. Some of the
topics that are not significantly related to ISAT are pop-up blockers, downloading new
virus definitions, and warnings for visiting suspicious web sites and for downloading files.
In addition, some security topics are well explained by a system or web site when college
students use them. For example, most students know how to create a strong password,
probably because many programs (or web sites) show the strength of a password users
entered and explain the characteristics of a strong password. Therefore, it seems that
students know well the security topics that are managed by programs or web sites.
However, students seemed not to be well aware of some security topics even though a
program helps them execute the necessary actions to protect their system. For example,
the Windows operating system comes with the Action Center that alerts users of the
need to back up to a removable storage device. However, students seemed not to be
following this recommendation. Only half of them responded that they did back up
important files regularly (34 out of 67). The reason may be that the Action Center does not
clearly explain what to back up and why backup is necessary. In addition, students
may not want to wait to back up the system. As a result, some students do not know
the importance of backing up files unless they learn it from their security training.
Students also do not understand the danger of P2P file sharing possibly because of
the popularity of social networking sites that make file and information sharing over
the network so easy these days. When using a P2P file sharing network, students can
store files on their computer and go online to search for and share files with others
using the same software programs such as BitTorrent, Morpheus, Kazaa, LimeWire,
iMesh, and many others. Students might expose their computer to viruses, spyware or
other unwanted software and may violate copyright laws because the content of a
shared file may not be in the public domain (Microsoft, 2010).
Even though technology has done many things to protect end-users’ information
systems, it is argued by security experts that technology alone cannot protect end-users’
information systems effectively (Okenyi and Owens, 2007). Generally speaking, security
topics that are not commonly covered by any installed (or built-in) programs or web sites
have a significant relationship with ISAT. Those topics are the ones that students need
to learn and practice to keep their information and systems safe.
There is a significant relationship between security training and students’ perception
of information system safety. As shown in Table II, students who participated in security
training believe that their personal information and systems are sufficiently protected.
It implies that, if ISAT is not comprehensive in nature, students may be in a more
dangerous situation because they may be relaxed with limited (or wrong) security
knowledge. For example, if a student learned about the need to back up files but not to a
different storage device, he or she may feel safe when the original file and the backup copy
are on the same storage device. If the device fails, both files will be lost. Thus, ISAT should
include all necessary topics that a student needs to know about information security.

Recommendations
Even though many students (53 out of 68, 78 percent) understand the importance and the
need for ISAT, the majority of students (51 out of 68, 76.1 percent) did not participate in
ISAT at the university or at work. Only three students (out of 68) participated in ISAT
offered by a university. This may be because students do not know of the existence of
ISAT for them. If a university offers ISAT for students, it should encourage students to
participate in it because, as described in the literature review, simply offering ISAT
is of little worth on its own. About 43.5 percent of full-time working students (ten out of 23) had
ISAT, which is a much higher rate than among full-time students. It seems that industry provides
more opportunities for ISAT to end-users than universities do.
It also seems that students learned security concepts piecemeal from a variety of
sources such as software use, web site instructions, news media, and others. Instead,
what students need is comprehensive ISAT that allows them to learn most of the important
security concepts and control methods to deal with information security issues. Until
significant changes in security technology or different types of attacks emerge, the
results suggest that security awareness training should focus on topics such as
regular scanning of any storage devices, P2P file sharing risk, smartphone viruses,
backing up files, the need for different passwords for different systems, and changing
passwords regularly. To achieve this objective, there are several things a university may
need to do, such as maintaining a solid security policy, assessing students’ security
awareness level regularly, developing easily accessible ISAT sessions, and establishing an
implementation plan to encourage students to participate in the ISAT.
Because the training intends to change human behavior, the training should be
time-efficient and focused on what trainees must know or do to perform their work
successfully, not nice to know (King et al., 2001, p. 9). Universities should measure the
students’ security awareness level constantly to provide the current training contents
students need. ISAT does not have to be a traditional training or workshop at all. It may
be virtual training (an online training session or CD/DVD recorded training) that allows
students to learn security concepts and controls at their convenience. This can be a
practical approach to improve students’ security awareness without costing too much to
a university. The budget constraint is one important barrier to information security
awareness program (Shaw et al., 2009).
Another important aspect is how to make students actually participate in a security
training session. There are several approaches that a university can implement
effectively, such as making virtual training a requirement of any IT/IS course; requiring it
during a new student orientation session; requiring it when students log on to a Blackboard
site at the beginning of each semester; and requiring it before course registration. By doing so, not
only will students learn the necessary security concepts and skills but they will also
update their security knowledge and be reminded of the importance of information
security regularly. In addition, a university can provide a short video clip or a dialog box
(or a note window) about one topic of information security. Then, whenever students log
on or do something using the school system, the system displays it, much as a web site displays a note
on “strong password creation”. This approach will work as a constant reminder of
security and provide updates of important security concepts.
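One way to implement the two mechanisms just described, gating each semester's first login on ISAT completion and rotating a short security reminder on every login, is sketched below. This is an added example, not code from the paper or from any university system; the academic calendar, the `StudentRecord` structure and the `on_login` hook are assumptions standing in for whatever the campus portal actually provides. The reminder topics are the focus areas the paper recommends.

```python
"""Per-semester ISAT gating and rotating security reminders (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed academic calendar: (term name, first day, last day).
# Assumption for the example; a real portal would pull this from the registrar.
TERMS = [
    ("2014-Spring", date(2014, 1, 15), date(2014, 5, 15)),
    ("2014-Fall", date(2014, 8, 25), date(2014, 12, 15)),
]

# Reminder topics drawn from the training focus areas recommended in the paper.
TIPS = [
    "Scan any storage device (USB stick, external drive) before opening files from it.",
    "P2P file sharing can expose your files and deliver malware; know the risks first.",
    "Smartphones get viruses too: install updates and apps only from trusted stores.",
    "Back up your files regularly so an infection or loss does not cost you your work.",
    "Use a different password for each system so one breach does not unlock the rest.",
    "Change your passwords regularly, especially after any suspected compromise.",
]


def current_term(today: date) -> str | None:
    """Return the term containing `today`, or None between terms (no gating then)."""
    for name, start, end in TERMS:
        if start <= today <= end:
            return name
    return None


@dataclass
class StudentRecord:
    """Hypothetical per-student state kept by the portal."""
    completed_terms: set[str] = field(default_factory=set)  # terms with ISAT done
    logins: int = 0


def on_login(record: StudentRecord, today: date) -> dict:
    """Decide what the portal shows on login.

    Training is required once per term, not once ever: a completion from last
    semester does not satisfy this semester, which is what keeps the reminder
    regular rather than one-off.
    """
    record.logins += 1
    term = current_term(today)
    needs_training = term is not None and term not in record.completed_terms
    return {
        "redirect_to_isat": needs_training,
        "tip": TIPS[(record.logins - 1) % len(TIPS)],  # rotate through the topics
    }


def complete_training(record: StudentRecord, today: date) -> str | None:
    """Record ISAT completion for the current term; returns the term credited."""
    term = current_term(today)
    if term is not None:
        record.completed_terms.add(term)
    return term


if __name__ == "__main__":
    student = StudentRecord()
    print(on_login(student, date(2014, 2, 1)))      # redirected: Spring not done
    complete_training(student, date(2014, 2, 1))
    print(on_login(student, date(2014, 3, 1)))      # not redirected, next tip shown
    print(on_login(student, date(2014, 9, 1)))      # redirected again: new term
```

The design choice worth noting is that completion is keyed by term, so the check naturally re-arms every semester; a single boolean "trained" flag would silently stop reminding students after their first year.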
It is important to mention that some of the suggestions made in this paper are only valid
until information security technology advances significantly or serious new attacks
(i.e. new types of attack that have never been identified) emerge. If security technology advances
to minimize a specific type of security risk, users may use a system without learning how
to deal with that specific risk. For example, pop-up blockers helped users surf the web
safely without taking any specific security actions. In that regard, the content of ISAT
needs to be adjusted.
It is desirable to modify the content of ISAT based on the threats at the time of training,
in addition to the basics of information security awareness. Threat-based awareness
training will help end-users prepare for technological advances in both defense and
threats. New or emerging security threats are often not covered in training immediately, which would
minimize the damage. For example, “social engineering attacks” are common nowadays but
not yet widely covered in user training (Dimensional Research, 2011). To prepare end-users
against social engineering attacks, training is considered an important component
(Workman, 2007). In this study, one type of social engineering threat, P2P file sharing,
showed a significant difference between training participants and non-participants,
while other types of attacks showed no difference between the two groups. Thus, ISAT should
provide enough coverage of emerging threats such as social engineering attacks.
To reconfirm the results of this study, it is suggested to replicate it using a
more diversified sample (e.g. colleges overseas), because a Cisco Systems (2008)
survey study found that there were differences in information security behaviors
between respondents in different countries.
Conclusions
College students need to participate in ISAT more often. Information security awareness
deals with the use of security awareness programs to create and maintain
security-positive behavior as a critical element in an effective information security
environment (Kruger and Kearney, 2006). Thus, universities should provide students
with comprehensive ISAT to protect their systems and information effectively.
ISAT should be detailed and comprehensive enough that students know what to protect and
how to protect their systems and information effectively. The training should not only explain
security concepts, but also include hands-on practice so that students can deal with different
security issues well. Students need to repeat ISAT regularly because information
security issues are always changing. Because information systems technology constantly
advances and new security threats emerge, some security topics may be de-emphasized
while others will need to be added. Even with the current limitations of budget
and resources, universities can still offer online ISAT for their students. The important
issue is students’ participation in the ISAT, not having the ISAT itself. Thus, universities
should understand how to encourage students to participate in the ISAT.

References
Abraham, S. and Chengalur-Smith, I. (2010), “An overview of social engineering malware: trends,
tactics, and implications”, Technology in Society, Vol. 32 No. 3, pp. 183-196.
Aytes, K. and Terry, C. (2004), “Computer security and risky computing practices: a rational choice
perspective”, Journal of Organizational and End User Computing, Vol. 16 No. 3, pp. 22-40.
Bakhski, T., Papadaki, M. and Furnell, S. (2009), “Social engineering: assessing vulnerabilities in
practice”, Information Management & Computer Security, Vol. 17 No. 1, pp. 53-63.
Ceraolo, J.P. (1996), “Penetration testing through social engineering”, Information Systems
Security, Vol. 4 No. 4, pp. 37-48.
Cisco Systems (2008), “Data leakage worldwide: the high cost of insider threats”, available at: www.
cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.pdf
Computer Security Institute (2010), CSI Survey 2010/2011: The 15th Annual Computer Crime
and Security Survey, Computer Security Institute, available at: https://cours.etsmtl.ca/
log619/documents/divers/CSIsurvey2010.pdf
DBIR (2011), Verizon, Data Breach Investigations Report, available at: www.verizonbusiness.
com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf (accessed
10 December 2012).
Dimensional Research (2011), The Risk of Social Engineering on Information Security: A Survey
of IT Professionals, available at: www.checkpoint.com/press/downloads/social-
engineering-survey.pdf
Dlamini, M.T., Eloff, J.H.P. and Eloff, M.M. (2009), “Information security: the moving target”,
Computers & Security, Vol. 28 Nos 3/4, pp. 189-198.
Dodge, R.C., Carver, C. and Ferguson, A.J. (2007), “Phishing for user security awareness”,
Computers & Security, Vol. 26 No. 1, pp. 73-80.
Ernst & Young (2008), Global Information Security Survey, Ernst & Young, London.
Gardner, H. (2004), Changing Minds: The Art and Science of Changing Our Own and Other
People’s Mind, Harvard Business School Press, Boston, MA.
Goldstein, I.L. and Ford, J.K. (2002), Training in Organizations: Needs Assessment, Development,
and Evaluation, 4th ed., Wadsworth, Belmont, CA.
Hadnagy, C.J., Aharoni, M. and O’Gorman, J. (2010), Social Engineering Capture the Flag Results,
Defcon 18 Social Engineering CTF, available at: www.social-engineer.org/resources/sectf/
Social-Engineer_CTF_Report.pdf
Hansche, S. (2001), “Designing a security awareness program: part 1”, Information Systems
Security, January/February, pp. 14-22.
Ingerman, B.L. and Yang, C. (2011), “Top 10 IT issues 2011”, Educause Review, May/June, pp. 26-40.
Kaiser, H.F. (1958), “The varimax criterion for analytic rotation in factor analysis”,
Psychometrika, Vol. 23, pp. 187-200.
Karakasiliotis, A., Furnell, S. and Papadaki, M. (2007), “An assessment of end user vulnerability
to phishing attacks”, Journal of Information Warfare, Vol. 6 No. 1, pp. 17-28.
King, S.B., King, M. and Rothwell, W.J. (2001), The Complete Guide to Training Delivery,
AMACOM: A Division of American Management Association, New York, NY.
Kruger, H.A. and Kearney, W.D. (2006), “A prototype for assessing information security
awareness”, Computers & Security, Vol. 25 No. 4, pp. 289-296.
Lunt, B.M., Ekstrom, J.J., Gorka, S., Hislop, G., Kamali, R., Lawson, E., LeBlanc, R., Miller, J. and
Reichgelt, H. (2008), Curriculum Guidelines for Undergraduate Degree Programs in
Information Technology, Association for Computing Machinery (ACM) IEEE Computer
Society, New York, NY.
Maconachy, W.V., Schou, C.D., Ragsdale, D. and Welch, D. (2001), “A model for information
assurance: an integrated approach”, Proceedings of the 2001 IEEE Workshop on Information
Assurance and Security, United States Military Academy, West Point, NY, 5-6 June.
Microsoft (2010), “P2P file sharing: know the risks, security for your home”, March 9, available at:
www.microsoft.com/canada/protect/protect-yourself/protect-your-data/article.aspx?
article=p2p-file-sharing-know-the-risks (accessed December 10, 2012).
NIST SP 800-16 (1998), National Institute of Standards and Technology (NIST), Information
Technology Training Requirements: A Role- and Performance-based Model (NIST Special
Publication 800-16), US Department of Commerce, Washington, DC.
NIST SP 800-50 (2003), National Institute of Standards and Technology (NIST), Building an
Information Technology Security Awareness and Training Program (NIST SP 800-50),
US Department of Commerce, Washington, DC.
Nunnally, J.C. (1978), Psychometric Theory, 2nd ed., McGraw-Hill, New York, NY.
Okenyi, P.O. and Owens, T.J. (2007), “On the anatomy of human hacking”, Information Systems
Security, Vol. 16, pp. 302-314.
Puhakainen, P. and Siponen, M.T. (2010), “Improving employees’ compliance through information
systems security training: an action research study”, MIS Quarterly, Vol. 34 No. 4, pp. 757-778.
PwC Survey (2013), Changing the Game: Key Findings from the Global State of Information
Security Survey 2013, available at: www.pwc.com/gx/en/consulting-services/information-
security-survey/assets/2013-giss-report.pdf
Shaw, R.S., Chen, C.C., Harris, A.L. and Huang, H.J. (2009), “The impact of information richness
on information security awareness training effectiveness”, Computers & Education,
Vol. 52, pp. 92-100.
Siponen, M.T. (2000), “A conceptual foundation for organizational information security
awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
Siponen, M.T., Pahnila, S. and Mahmood, A. (2007), “Employees’ adherence to information
security policies: an empirical study”, New Approaches for Security, Privacy and Trust in
Complex Environments, Proceedings of the 22nd International Federation for Information
Processing Conference, pp. 133-144.
Sleezer, C.M. (1993), “Training needs assessment at work: a dynamic process”, Human Resource
Development Quarterly, Vol. 4, pp. 247-264.
Straub, D.W. (1990), “Effective IS security: an empirical study”, Information Systems Research,
Vol. 1 No. 3, pp. 255-276.
Straub, D.W. and Welke, R.J. (1998), “Coping with systems risk: security planning models for
management decision making”, MIS Quarterly, Vol. 22 No. 4, pp. 441-464.
Vincent, A. and Ross, D. (2001), “Personalize training: determine learning styles, personality
types and multiple intelligences online”, The Learning Organization, Vol. 8 No. 1, pp. 36-43.
von Solms, B. and von Solms, R. (2004), “The 10 deadly sins of information security
management”, Computers & Security, Vol. 23, pp. 371-376.
Workman, M. (2007), “Gaining access with social engineering: an empirical study of the threat”,
Information Systems Security, Vol. 16, pp. 315-331.
Workman, M., Bommer, W.H. and Straub, D. (2008), “Security lapses and the omission of
information security measures: a threat control model and empirical test”, Computers in
Human Behavior, Vol. 24 No. 6, pp. 2799-2816.
Zemke, R.E. (1994), “Training needs assessment: the broadening focus of a simple construct”, in
Howard, A. (Ed.), Diagnosis for Organizational Change: Methods and Models, Guilford
Press, New York, NY, pp. 139-151.

Further reading
Wood, C.C. (2002), “The human firewall manifesto”, Computer Security Journal, Vol. 18 No. 1, pp. 15-18.

About the author


Eyong B. Kim is an Associate Professor of management information systems at the Barney
School of Business at University of Hartford. His research interests include information security,
E-commerce, and online education. He has published papers in Communications of the ACM,
Decision Sciences, Decision Sciences Journal of Innovative Education, Journal of Operational
Research Society, Omega and others. Eyong B. Kim can be contacted at: ekim@hartford.edu
