Recommendations for information security awareness training for college students
Eyong B. Kim
Barney School of Business, University of Hartford, West Hartford, Connecticut, USA
Received 14 January 2013; revised 17 May 2013, 29 July 2013 and 30 July 2013; accepted 31 July 2013
Abstract
Purpose – The purpose of this paper is to survey the status of information security awareness
among college students in order to develop effective information security awareness training (ISAT).
Design/methodology/approach – Based on a review of the literature and theoretical standpoints
as well as the National Institute of Standards and Technology Special Publication 800-50 report, the
author developed a questionnaire to investigate the attitudes toward information security awareness
of undergraduate and graduate students in a business college at a mid-sized university in
New England. Based on that survey and the previous literature, suggestions for more effective ISAT
are provided.
Findings – College students understand the importance and the need for ISAT but many of them do
not participate in it. However, security topics that are not commonly covered by any installed
(or built-in) programs or web sites have a significant relationship with information security awareness.
It seems that students learned security concepts piecemeal from a variety of sources.
Practical implications – Universities can assess their ISAT for students based on the findings of
this study.
Originality/value – If any universities want to improve their current ISAT, or establish it, the
findings of this study offer some guidelines.
Keywords Training, Information security, Students, College students’ information security awareness,
Information security awareness training
Paper type Research paper
Introduction
Most college students use information technology and information systems (IT/IS)
extensively for many reasons, such as taking online courses, using the Blackboard
learning management system, using e-mail, accessing social networks, and using their
smartphones, iPads, and PCs. As college students' use of IT/IS grows, it is more and more important to
protect their information and systems from possible security attacks. Based on an
EDUCAUSE member institution survey (Ingerman and Yang, 2011), IS security in
educational institutions has been number one or two on the “potential to become more
significant in the coming year” list for the last several years.
It was reported that most victims (83 percent) of security attacks are a target of
opportunity rather than of choice (DBIR, 2011). Opportunistic attacks mean that the
victims were identified because they exhibited a weakness or vulnerability attackers
could exploit. To prevent opportunistic attacks, students need to know how to
protect their information and systems.
Non-malicious end-users who do not comply with IS security policies are
responsible for more loss than malicious users (Computer Security Institute, 2010).
Information Management & Computer Security, Vol. 22 No. 1, 2014, pp. 115-126. © Emerald Group Publishing Limited, 0968-5227. DOI 10.1108/IMCS-01-2013-0005
Lack of training is cited as a top reason why contingency and response plans are not
effective (PwC Survey, 2013). If students are not fully aware of their school’s
information security policy, they do not understand the risks of using information
systems and the potential damage that can result. It is true that college students may
be technologically well informed but it does not mean that they know how to protect
their information and systems effectively.
System users need to increase their security awareness to minimize faults and
maximize the efficiency of security techniques and procedures (Siponen, 2000). Security
awareness is how well users understand the importance of information security and how
well they exercise information security controls to protect the organization’s data and
networks. The goal of a security awareness program is to heighten the importance of
both information systems security and the possible negative effects of a security breach
or failure (Hansche, 2001). To protect information and systems effectively, Ernst &
Literature review
Information systems have six components: software, hardware, data, people (users),
procedures and networks. Among these, users and procedures are often overlooked in
information security considerations (Maconachy et al., 2001; Dlamini et al., 2009).
If end-users are not fully aware of information security, the information security
techniques or procedures can be misused, misinterpreted or not used by them (Ceraolo,
1996; Straub and Welke, 1998). To protect users’ information and systems, not only is the
proper technology required, but the human side of security should be well managed as
well, because technology alone is not sufficient to ensure information security (Aytes and
Terry, 2004; Workman et al., 2008). As the importance of information security and
assurance has risen sharply in recent years, information security awareness is
considered one of the “pervasive themes (topics addressed multiple times in multiple
classes) in IT curricula and defines one area of the IT Body of Knowledge (23 out of
314 core hours)” (Lunt et al., 2008). It is suggested that all IT foundation knowledge areas
should include information security and assurance aspects. In addition, IT graduates
need to develop a mind-set based on a user-centered approach to technology
(HCI, human factors, ergonomics, cognitive psychology, etc.) so that solutions to
problems are not always purely technological (Lunt et al., 2008).
The key to addressing human factors and competencies in information security is
awareness, training, and education (NIST SP 800-16, 1998). Based on NIST SP 800-16,
every individual in an organization should have “security awareness” and “security
basics and literacy”, which is a stepping-stone between “awareness” and “training”.
It provides foundation knowledge, i.e. security terms and concepts, for further security
training. The main objective of IT security awareness programs is changing security
attitudes among employees in order to change the organizational culture (NIST SP 800-16, 1998).
Because security awareness training reduces the success rate of hacking attacks at
both the individual and organizational level, a successful security awareness program
should focus on how a user gets continuous secure behavior (Okenyi and Owens, 2007).
Even though an organization develops a well-documented security guideline to
address awareness, simply presenting it in a factual manner may be an unsuitable
approach (Siponen, 2000). The end-user training and education program should have
(Goldstein and Ford, 2002; Sleezer, 1993; Zemke, 1994). Organizations need to investigate
whether training can address their problems and meet the objectives of information security.
In doing so, an organization often conducts needs assessment, which is a three-step
process: organizational analysis, task analysis, and person analysis. Organizational
analysis can answer the following questions – which organizational goals can be
attained through personnel training, and where is training needed in the organization.
Task analysis determines what will be covered in the training materials that a
trainee must learn to perform the job effectively. Person analysis means finding out
who the targets are for the training program. Among these three processes, task
analysis is one aspect the university needs to conduct for effective ISAT for university
students.
Good examples of organization policies and how to properly use and protect the IT
resources and information can be found in the National Institute of Standards and
Technology Special Publication (NIST SP) 800-16 (NIST, 1998). In addition, there are
27 information security awareness topics suggested in NIST SP 800-50 (2003)
(NIST, 2003). These topics include password usage and management, protection from
malicious code, e-mail and attachments, web usage, data backup, social engineering,
and others. Among these, this study includes topics students frequently experience
when they use university information systems.
Hypothesis
Based on the previous studies, students who had ISAT have a better understanding of
information security and more knowledge about what they need to do.
A hypothesis is developed in the null form:
H1. There is no significant relationship between ISAT and the students’
information security awareness topics.
Among the 27 information security awareness topics suggested in the NIST SP 800-50
(NIST, 2003), 17 items have been selected to be investigated in this study. Those are
listed in “Information security awareness topics included in this study”:
(1) need an anti-virus program;
(2) need of updating virus definitions;
(3) regularly scan a computer and a storage device;
(4) use of a personal firewall;
(5) installing software patches;
(6) use pop-up blockers;
(7) understand the risk of downloading programs or files;
(8) understand the risk of peer-to-peer (P2P) file sharing;
(9) understand the risk of clicking on e-mail links;
(10) understand the risk of e-mailing passwords;
(11) understand the risk of e-mail attachments;
(12) regularly backup important files;
(13) understand the risk of smartphone viruses;
Students’ attitudes toward some information security topics are significantly related to
the ISAT as shown in Table I. Those are scanning computers and storage devices
regularly (p = 0.033), understanding the risk of P2P file sharing (p = 0.025), understanding
the risk of viruses in a smartphone (p = 0.004), the need for an anti-virus program for a
smartphone (p = 0.012), regularly backing up important files (p = 0.012), using different
passwords for different systems, especially financial systems (p = 0.030), and
understanding the need to change passwords regularly (p = 0.004). Other information
security topics are not significantly related to ISAT. Students may be familiar with these
topics by using information systems frequently. Those topics are, use of a personal
firewall and an anti-virus program with updated virus definitions, installing software
patches whenever available, blocking pop-ups, knowing how to create a strong
password, and understanding the risk of downloading programs (or files), the risk of
clicking on e-mail links, risk of e-mailing passwords, and risk of e-mail attachment.
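The relationships above are reported as p-values, but this excerpt does not say which test produced them and Table I is not reproduced. The following is an added example and not the author's analysis: it tests the null hypothesis H1 for one topic (regularly backing up important files) with a Pearson chi-square test of independence on a 2x2 table of ISAT participation against reported behaviour. The choice of test is an assumption, and the cell counts are constructed so that the margins roughly match figures quoted elsewhere in the text (17 of 68 respondents had ISAT; 34 of 67 back up regularly); the split inside the table is invented, not the paper's data.

```python
"""Chi-square test of independence for a 2x2 table, used here to test the paper's
null hypothesis H1 (no relationship between ISAT and an awareness topic).
Added example; the test choice and the cell counts below are assumptions."""
import math


def chi_square_2x2(table):
    """Pearson chi-square statistic and p-value for [[a, b], [c, d]].

    Rows: had ISAT / no ISAT.  Columns: exhibits the secure behaviour / does not.
    With one degree of freedom the chi-square survival function is
    erfc(sqrt(x / 2)), so the p-value needs only the standard library.
    """
    (a, b), (c, d) = table
    n = a + b + c + d
    row1, row2 = a + b, c + d
    col1, col2 = a + c, b + d
    if 0 in (row1, row2, col1, col2):
        raise ValueError("a zero row or column total makes the test undefined")
    stat = n * (a * d - b * c) ** 2 / (row1 * row2 * col1 * col2)
    p_value = math.erfc(math.sqrt(stat / 2.0))
    return stat, p_value


def smallest_expected_count(table):
    """Smallest expected cell count. The chi-square approximation is unreliable
    below about 5, which matters with a 68-person survey split across many topics."""
    (a, b), (c, d) = table
    n = a + b + c + d
    rows = (a + b, c + d)
    cols = (a + c, b + d)
    return min(r_tot * c_tot / n for r_tot in rows for c_tot in cols)


def related_to_isat(table, alpha=0.05):
    """True when H1 (no relationship) is rejected at significance level alpha."""
    _, p_value = chi_square_2x2(table)
    return p_value < alpha


# Constructed counts for the "regularly back up important files" topic. Margins are
# chosen to resemble the text (17 respondents with ISAT, 34 of 67 backing up); the
# split inside the table is invented and is not the paper's Table I.
BACKUP_TABLE = [[13, 4],   # had ISAT: 13 back up, 4 do not
                [21, 29]]  # no ISAT:  21 back up, 29 do not

if __name__ == "__main__":
    stat, p = chi_square_2x2(BACKUP_TABLE)
    print(f"chi-square = {stat:.3f}, p = {p:.4f}, "
          f"min expected = {smallest_expected_count(BACKUP_TABLE):.2f}")
    print("reject H1 at 0.05:", related_to_isat(BACKUP_TABLE))
```

With these constructed counts the statistic is about 6.03 and p is about 0.014, so H1 would be rejected for this topic at the 0.05 level. The smallest expected count is checked because, with 68 respondents and a small ISAT group, some topics will have expected cells below 5; for those a Fisher exact test is the safer choice than the chi-square approximation.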
As described, some information security topics are significantly related to ISAT while
other topics are not. One reason may be that students learn some security concepts from
the built-in functions (or programs) in a computer to protect it from computer malfunctions
or external threats such as the software patch management program that automatically
searches for a new software patch and asks users a permission to install them. Some of the
topics that are not significantly related to ISAT are pop-up blockers, downloading new
virus definitions, warnings for visiting suspicious web sites and for downloading files.
In addition, some security topics are well explained by a system or web sites when college
students use them. For example, most students know how to create a strong password
probably because many programs (or web sites) show the strengths of a password users
entered and explain the characteristics of a strong password. Therefore, it seems that
students know well the security topics that are managed by programs or web sites.
However, students seemed not well aware of some security topics even though a
program helps them execute necessary actions to protect their system. For example,
the Windows operating system comes with the Action Center, which alerts users of the
need to back up to a removable storage device. However, students seemed not to be
following this recommendation. Only half of them responded that they backed up
important files regularly (34 out of 67). The reason may be that the Action Center does not
clearly explain what to backup and why backup is necessary. In addition, students
may not want to wait to back up the system. As a result, some students do not know
the importance of backing up files unless they learn it from their security training.
Students also do not understand the danger of P2P file sharing possibly because of
the popularity of social networking sites that make file and information sharing over
the network so easy these days. When using a P2P file sharing network, students can
store files on their computer and go online to search for and share files with others
using the same software programs such as BitTorrent, Morpheus, Kazaa, LimeWire,
iMesh, and many others. Students might expose their computer to viruses, spyware or
other unwanted software and may violate copyright laws because the content of a
shared file may not be in the public domain (Microsoft, 2010).
Even though technology has done many things to protect end-users’ information
systems, it is argued by security experts that technology alone cannot protect end-users’
information systems effectively (Okenyi and Owens, 2007). Generally speaking, security
topics that are not commonly covered by any installed (or built-in) programs or web sites
have a significant relationship with ISAT. Those topics are the ones that students need
to learn and practice to keep their information and systems safe.
There is a significant relationship between security training and students’ perception
of information system safety. As shown in Table II, students who participated in security
training believe that their personal information and systems are sufficiently protected.
It implies that, if ISAT is not comprehensive in nature, students may be in a more
dangerous situation because they may be relaxed with limited (or wrong) security
knowledge. For example, if a student learned about the need to back up files but not to a
different storage device, he or she may feel safe when the original file and the backup copy
are on the same storage device. If the device fails, both files will be lost. Thus, ISAT should
include all necessary topics that a student needs to know about information security.
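The failure mode just described (a backup that sits on the same device as the original, or one that has silently diverged from it) can be checked mechanically rather than taught as a rule. The script below is an added example and not part of the paper: it builds a constructed folder of "important files" in a temporary directory, copies it next to the original, and then (a) compares the device identifiers reported by os.stat to flag a same-device backup and (b) compares SHA-256 digests file by file to catch a damaged or incomplete copy. The file names and contents are made up for the demonstration.

```python
"""Two checks for the backup mistakes discussed in the text: a copy that sits on the
same storage device as the original, and a copy whose contents no longer match.
Added example; the folder layout and file contents are constructed for the demo."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def on_separate_device(original, backup):
    """True only when the backup lives on a different device or filesystem.

    st_dev identifies the device a path is stored on; equal values mean a single
    disk failure takes the original and the backup with it.
    """
    return os.stat(original).st_dev != os.stat(backup).st_dev


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(original_dir, backup_dir):
    """Return a sorted list of problems: files missing from, or differing in, the backup."""
    problems = []
    for src in Path(original_dir).rglob("*"):
        if not src.is_file():
            continue
        rel = src.relative_to(original_dir)
        dst = Path(backup_dir) / rel
        if not dst.is_file():
            problems.append(f"missing: {rel.as_posix()}")
        elif sha256_of(src) != sha256_of(dst):
            problems.append(f"content differs: {rel.as_posix()}")
    return sorted(problems)


def run_demo():
    """Create a constructed 'documents' folder, back it up beside itself, run both
    checks, then damage the copy and check again. Returns the results as a dict."""
    work = Path(tempfile.mkdtemp(prefix="isat-backup-"))
    try:
        original = work / "documents"
        original.mkdir()
        (original / "thesis.txt").write_text("draft chapter 1\n")
        (original / "notes").mkdir()
        (original / "notes" / "lab.txt").write_text("measurements\n")

        backup = work / "backup"           # same temp dir, hence same device
        shutil.copytree(original, backup)

        results = {
            "separate_device": on_separate_device(original, backup),
            "intact": verify_backup(original, backup),
        }
        # Simulate silent damage to the copy: one truncated file, one deleted file.
        (backup / "thesis.txt").write_text("draft")
        (backup / "notes" / "lab.txt").unlink()
        results["after_damage"] = verify_backup(original, backup)
        return results
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because the demo copies into the same temporary directory, the device check reports False, which is exactly the situation the text warns about; pointing the backup path at an external drive or network share makes it pass. The digest comparison is what turns "I have a backup" into "I have a backup that can actually be restored".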
Recommendations
Even though many students (53 out of 68, 78 percent) understand the importance and the
need for ISAT, the majority of students (51 out of 68, 76.1 percent) did not participate in
ISAT at the university or at work. Only 3 students (out of 68) participated in ISAT
offered by a university. This may be because students do not know the existence of the
ISAT for them. If a university offers ISAT for students, it should encourage students to
participate in it because, as described in the literature review, simply offering ISAT
is not enough by itself. About 43.5 percent of full-time working students (ten out of 23) had
ISAT, a much higher rate than that of full-time students. It seems that industry provides
more opportunities for ISAT to end-users than universities do.
It also seems that students learned security concepts piecemeal from a variety of
sources such as software use, web site instructions, news media, and others. Instead,
what students need is comprehensive ISAT that allows them to learn most of the important
security concepts and control methods to deal with information security issues. Until
the significant changes in security technology or different types of attacks emerge, the
results suggest that security awareness training should focus on the topics such as
regular scanning of any storage devices, P2P file sharing risk, smartphone viruses,
backup files, need of different passwords for different systems, and change passwords
regularly. To achieve this objective, there are several things a university may need to do
such as maintaining a solid security policy, assessing students’ security awareness level
Conclusions
College students need to participate in ISAT more often. Information security awareness
deals with the use of security awareness programs to create and maintain
security-positive behavior as a critical element in an effective information security
environment (Kruger and Kearney, 2006). Thus, universities should provide students
with comprehensive ISAT to protect their systems and information effectively.
ISAT should be detailed and comprehensive enough to make students know what and
how to protect their systems and information effectively. The training should not only explain
security concepts, but also include hands-on practice so that students can deal with different
security issues well. Students need to repeat ISAT regularly because information
security issues are always changing. Because information systems technology constantly
advances and new security threats emerge, some security topics may be de-emphasized
while others will need to be added. Even with the current limitations of budget
and resources, universities can still offer online ISAT for their students. The important
issue is students’ participation in the ISAT, not having the ISAT itself. Thus, universities
should understand how to encourage students to participate in the ISAT.
References
Abraham, S. and Chengalur-Smith, I. (2010), “An overview of social engineering malware: trends,
tactics, and implications”, Technology in Society, Vol. 32 No. 3, pp. 183-196.
Aytes, K. and Terry, C. (2004), “Computer security and risky computing practices: a rational choice
perspective”, Journal of Organizational and End User Computing, Vol. 16 No. 3, pp. 22-40.
Bakhshi, T., Papadaki, M. and Furnell, S. (2009), “Social engineering: assessing vulnerabilities in
practice”, Information Management & Computer Security, Vol. 17 No. 1, pp. 53-63.
Ceraolo, J.P. (1996), “Penetration testing through social engineering”, Information Systems
Security, Vol. 4 No. 4, pp. 37-48.
Cisco Systems (2008), “Data leakage worldwide: the high cost of insider threats”, available at: www.
cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.pdf
Computer Security Institute (2010), CSI Survey 2010/2011: The 15th Annual Computer Crime
and Security Survey, Computer Security Institute, available at: https://cours.etsmtl.ca/
log619/documents/divers/CSIsurvey2010.pdf
DBIR (2011), Verizon, Data Breach Investigation Report, available at: www.verizonbusiness.
com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf (accessed
10 December 2012).
Dimensional Research (2011), The Risk of Social Engineering on Information Security: A Survey
of IT Professionals, available at: www.checkpoint.com/press/downloads/social-
engineering-survey.pdf
Dlamini, M.T., Eloff, J.H.P. and Eloff, M.M. (2009), “Information security: the moving target”,
Computers & Security, Vol. 28 Nos 3/4, pp. 189-198.
Dodge, R.C., Carver, C. and Ferguson, A.J. (2007), “Phishing for user security awareness”,
Computers and Security, Vol. 26 No. 1, pp. 73-80.
Ernst & Young (2008), Global Information Security Survey, Ernst & Young, London.
Gardner, H. (2004), Changing Minds: The Art and Science of Changing Our Own and Other
People’s Mind, Harvard Business School Press, Boston, MA.
Goldstein, I.L. and Ford, J.K. (2002), Training in Organizations: Needs Assessment, Development,
and Evaluation, 4th ed., Wadsworth, Belmont, CA.
Hadnagy, C.J., Aharoni, M. and O’Gorman, J. (2010), Social Engineering Capture the Flag Results,
Defcon 18 Social Engineering CTF, available at: www.social-engineer.org/resources/sectf/
Social-Engineer_CTF_Report.pdf
Hansche, S. (2001), “Designing a security awareness program: part 1”, Information Systems
Security, January/February, pp. 14-22.
Ingerman, B.L. and Yang, C. (2011), “Top 10 IT issues 2011”, Educause Review, May/June, pp. 26-40.
Kaiser, H.F. (1958), “The varimax criterion for analytic rotation in factor analysis”,
Psychometrika, Vol. 23, pp. 187-200.
Karakasiliotis, A., Furnell, S. and Papadaki, M. (2007), “An assessment of end user vulnerability
to phishing attacks”, Journal of Information Warfare, Vol. 6 No. 1, pp. 17-28.
King, S.B., King, M. and Rothwell, W.J. (2001), The Complete Guide to Training Delivery,
AMACOM: A Division of American Management Association, New York, NY.
Kruger, H.A. and Kearney, W.D. (2006), “A prototype for assessing information security
awareness”, Computers & Security, Vol. 25 No. 4, pp. 289-296.
Lunt, B.M., Ekstrom, J.J., Gorka, S., Hislop, G., Kamali, R., Lawson, E., LeBlanc, R., Miller, J. and
Reichgelt, H. (2008), Curriculum Guidelines for Undergraduate Degree Programs in
Information Technology, Association for Computing Machinery (ACM) IEEE Computer
Society, New York, NY.
Maconachy, W.V., Schou, C.D., Ragsdale, D. and Welch, D. (2001), “A model for information
assurance: an integrated approach”, Proceedings of the 2001 IEEE Workshop on Information
Assurance and Security, United States Military Academy, West Point, NY, 5-6 June.
Microsoft (2010), “P2P file sharing: know the risks, security for your home”, March 9, available at:
www.microsoft.com/canada/protect/protect-yourself/protect-your-data/article.aspx?
article=p2p-file-sharing-know-the-risks (accessed December 10, 2012).
NIST SP 800-16 (1998), National Institute of Standards and Technology (NIST), Information
Technology Training Requirements: A Role- and Performance-based Model (NIST Special
Publication 800-16), US Department of Commerce, Washington, DC.
NIST SP 800-50 (2003), National Institute of Standards and Technology (NIST), Building an
Information Technology Security Awareness and Training Program (NIST SP 800-50),
US Department of Commerce, Washington, DC.
Nunnally, J.C. (1978), Psychometric Theory, 2nd ed., McGraw-Hill, New York, NY.
Okenyi, P.O. and Owens, T.J. (2007), “On the anatomy of human hacking”, Information Systems
Security, Vol. 16, pp. 302-314.
Puhakainen, P. and Siponen, M.T. (2010), “Improving employees’ compliance through information
systems security training: an action research study”, MIS Quarterly, Vol. 34 No. 4, pp. 757-778.
PwC Survey (2013), Changing the Game: Key Findings from the Global State of Information
Security Survey 2013, available at www.pwc.com/gx/en/consulting-services/information-
security-survey/assets/2013-giss-report.pdf
Shaw, R.S., Chen, C.C., Harris, A.L. and Huang, H.J. (2009), “The impact of information richness
on information security awareness training effectiveness”, Computers & Education,
Vol. 52, pp. 92-100.
Siponen, M.T. (2000), “A conceptual foundation for organizational information security
awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
Siponen, M.T., Pahnila, S. and Mahmood, A. (2007), “Employees’ adherence to information
security policies: an empirical study”, New Approaches for Security, Privacy and Trust in
Complex Environments Proceedings of the 22nd International Federation for Information
Further reading
Wood, C.C. (2002), “The human firewall manifesto”, Computer Security Journal, Vol. 18 No. 1, pp. 15-18.