STUDY ON INFORMATION SECURITY AWARENESS AMONG STAFFS
MALIHE MOTIEI
A dissertation submitted in partial fulfillment of the
requirements for the award of the degree of
Master of Science (Information Technology- Management)
Faculty of Computer Science and Information Systems
Universiti Teknologi Malaysia
MARCH 2012
Dedicated to my beloved family, especially my husband, my lovely daughter Aida,
my parents, and my supportive supervisor Dr. Mohd Shahizan Othman. Thank you
very much for being supportive, helpful and understanding.
ACKNOWLEDGEMENT
In the Name of Allah, Most Gracious, Most Merciful
First and foremost, I would like to express my heartfelt gratitude to my
supervisor Dr. Mohd Shahizan Othman for his constant support during my study at
UTM. He inspired me greatly to work on this project. His willingness to motivate me
contributed tremendously to our project. I have learned a lot from him and I am
fortunate to have him as my mentor and supervisor.
Besides, I would like to thank the authority of Universiti Teknologi Malaysia
(UTM) for providing me with a good environment and facilities.
ABSTRACT
These days, as the number of internet users increases, the number of hackers
and intruders is also increasing. There is also an essential need to improve the
information security of organizations. One of the main parts of the information
security issue is the awareness of employees about new threats and vulnerability
points. Hence organizations have often established programs to increase information
security awareness. So the level of awareness can be an important measure to help
top management and the information security department develop a new security
awareness program. In this research the security awareness of staff was studied and
measured. The scope of the study is to conduct a survey to learn the thoughts of staff
about information security. We conducted a survey in the CICT department to reach
the objectives. The Dean of CICT and the security team were interviewed to provide
the necessary information. They were asked how they work to raise security
awareness and improve attitudes among their employees, and also how they measure
the level of information security awareness among staff. According to the interview
session with the dean of CICT, no staff information security awareness survey had
been conducted before, so this study can be regarded as an original study. The main
purpose of this study is to help information security management know the level of
security awareness among staff. The results from this study can also be used as
additional information when improving or planning the university's information
security system.
ABSTRAK
Today, an increase can be seen in the number of internet users, hackers
and intruders, who are becoming ever more widespread. There is also an essential
need to improve the information security of an organization. One of the main parts
of the information security issue is employees' awareness of new threats and points
of weakness. Therefore organizations have often established programs to increase
information security awareness. So, the level of awareness can be one of the
important measures to help the top management of the security and information
department develop a new program concerning security awareness. In this study the
security awareness of staff will be studied and measured. The scope of this study is
to carry out a survey to learn the thoughts of staff about information security. We
are conducting a study in the CICT department to achieve that objective. The Dean
of CICT and the security team were interviewed to provide the information needed.
They were asked questions about how they work to raise security awareness and
improve attitudes among their employees, and also how they measure the level of
information security awareness among staff. According to the interview session with
the Dean of CICT, no study related to information security awareness has been
conducted before. Therefore, this study can serve as an original reference study. The
main purpose of this study is to help information security management know the
level of security awareness among staff. The results of this study can also be used as
additional information when improving or planning the university's information
security system.
TABLE OF CONTENTS
CHAPTER TITLE PAGE
DECLARATION ii
ACKNOWLEDGEMENT iv
ABSTRACT v
ABSTRAK vi
TABLE OF CONTENTS vii
LIST OF TABLES xiii
LIST OF FIGURES xvi
LIST OF ABBREVIATIONS xvii
1 INTRODUCTION 1
1.1 Introduction 1
1.2 Background of the Problem 2
1.3 Problem Statement 5
1.4 Objectives 6
1.5 Purpose of the Study 6
1.6 Significance of the Study 7
1.7 Scope of the Study 7
1.8 Summary 7
2 LITERATURE REVIEW 8
2.1 Introduction 8
2.2 Information Security 9
2.3 Information Security Awareness 9
2.4 Information Security Awareness Program and Training 11
2.4.1 Phases of Security Awareness Program 11
2.5 Information Security Awareness Measuring 16
2.5.1 Building an Information Security Awareness (NIST-800) 16
2.5.2 A Study of Security Awareness in Diverse University (2010) 17
2.5.3 Effectiveness of Information Security Awareness Methods 18
2.5.4 Measuring Information Security Awareness (2004) 21
2.5.5 A Dynamic and Adaptive Information Security Awareness 22
2.5.6 Security Awareness Survey: Measuring Attitudes, Knowledge and Behavior 23
2.5.7 A Prototype for Assessing Information Security Awareness (2006) 23
2.5.8 Email Security Awareness (2010) 25
2.5.9 Evaluation of Higher Education Security Awareness (2009) 26
2.5.10 HoneyTech Security Awareness Survey (2010) 27
2.6 Categorization of Security Awareness Metrics 27
2.6.1 Information Security Awareness Policies 27
2.6.2 Email and Web Security 30
2.6.3 Password Security 32
2.6.4 Social Engineering Attacks 34
2.6.4.1 Social Engineering Attacks Life Cycle 35
2.6.4.2 Social Engineering Methods 36
2.6.4.3 Social Engineering Prevention 40
2.6.5 Physical Security 42
2.6.6 Data Backup 44
2.7 Summary 46
3 RESEARCH METHODOLOGY 47
3.1 Introduction 47
3.2 Research Framework 47
3.3 Phase 1: Finding Awareness Measuring Metrics (Initial Survey) 52
3.3.1 Primary Data Collection 53
3.4 Phase 2: Measuring the Level of Information Security Awareness 56
3.4.1 Case Study 57
3.4.2 Quantitative Method 58
3.4.3 Design Questionnaire 58
3.4.4 Validity and Reliability Test 61
3.4.5 Descriptive Statistical Analysis 63
3.5 Phase 3: Correlation Analysis 64
3.5.1 Spearman Correlation Analysis 64
3.6 Summary 66
4 DATA ANALYSIS AND RESULTS 67
4.1 Introduction 67
4.2 Initial Survey Finding 67
4.3 Descriptive Statistical Analysis 70
4.3.1 Demographic 70
4.3.2 Frequency Table for each Question 73
4.3.2.1 Metric 1: Information Security Policy 73
4.3.2.2 Metric 2: Email and Web Security 75
4.3.2.3 Metric 3: Social Engineering 78
4.3.2.4 Metric 4: Data Backup 80
4.3.2.5 Metric 5: Physical Security 82
4.3.2.6 Metric 6: Password Security 84
4.3.2.7 Metric 7: Attitude/Perceive 87
4.3.3 Level of Information Security Awareness of Staff 90
4.3.4 Level of Awareness for each Metric 91
4.4 Correlation Analysis of Metrics 92
4.4.1 Relationships of Metrics and Demographic Characteristics 93
4.4.2 Relationships of Metrics and Level of Information Security Awareness 98
4.4.3 High Impact Questions on Level of Security Awareness 100
4.5 Summary 102
5 CONCLUSION AND RECOMMENDATION 103
5.1 Introduction 103
5.2 Achievements 104
5.2.1 RQ1: What are the set of metrics for measuring the level of information security awareness? 104
5.2.2 RQ2: What is the level of information security awareness of staffs? 105
5.2.3 RQ3: "Are there significant relationships between information security awareness metrics and level of security awareness?" 106
5.2.4 Summary of correlation analysis of metrics 107
5.2.5 Relationships between demographic of staffs and metrics 108
5.3 Recommendation 110
5.3.1 Critical Success Factors 110
5.3.2 An Information Security Awareness Workflow 111
5.3.3 Guidelines 113
5.4 Limitations of the Study 114
5.5 Future Work 115
6 APPENDIX 122
A. Interview Questions with Dean of CICT and Security Team Manager 122
B. Information Security Awareness Designed Questionnaire for CICT's Staffs 124
C. Vulnerability Points 130
D. Statistical Histogram Charts for Awareness Level of each Metric 132
E. The Level of Awareness for High Impact Questions 135
F. Weighting the Questionnaire Answers 137
G. Expert Assessments 139
H. Introduction to CICT 140
I. CICT's Police Hacks Report 142
LIST OF TABLES
TABLE NO. TITLE PAGE
Table 2-1 Awareness Scale 24
Table 3-1 Research Activities 49
Table 3-2 Reliability Statistics by SPSS 63
Table 4.1 Result of RQ1: Metrics and Structure of Effective Questionnaire 69
Table 4.2 Gender Statistics 70
Table 4.3 Education of Respondents 71
Table 4.4 Employment Status of Respondents 71
Table 4.5 Official Position of Respondents 72
Table 4.6 Official Working Experience of Respondents 72
Table 4.7 Q1. Do you know policies on which web sites you can visit at your office? 73
Table 4.8 Q2. Can you login to your work account using public computers such as from library? 73
Table 4.9 Q3. Does your organization allow you to download any software from internet and install in your computer at your office? 74
Table 4.10 Q4. Does your organization allow you to take information from your office and use your computer at home to work on it? 75
Table 4.11 Q5. How careful are you when open an attachment in email? 76
Table 4.12 Q6. Do you use Social Networks such as Facebook, Twitter? 76
Table 4.13 Q7. Can you block an email address which send to you something unwanted? 77
Table 4.14 Q8. Do you consider URL address in "Status bar" before clicking on unknown links? 77
Table 4.15 Q9. Do you consider URL address in "Address bar" before submitting Username and Password? 78
Table 4.16 Q10. Are you aware of "Social Engineering" tricks? 78
Table 4.17 Q11. Do you allow your manager/boss to know your password if he/she call and ask you? 79
Table 4.18 Q12. Do you know what the "Phishing attack" is? 79
Table 4.19 Q13. Do you know how to protect yourself from Phishing attacks? 80
Table 4.20 Q14. Where are your "backup media" stored? 81
Table 4.21 Q15. Do you use your mobile phone, pen drives or other own personal devices to store or transfer the information at work? 81
Table 4.22 Q16. True or False: "A deleted file from Hard disk or USB stick cannot be recovered." 82
Table 4.23 Q17. Do you lock/or log off your computer when you want to leave office? 83
Table 4.24 Q18. Do you clean your desk/table in your office every times? 83
Table 4.25 Q19. Do you clean your desktop page on your computer at office? 84
Table 4.26 Q20. Are your computer equipments physically secured? 84
Table 4.27 Q21. Do you use the same passwords for your work accounts as you do for your personal accounts at home, such as Facebook, or your personal email accounts? 85
Table 4.28 Q22. What is the type of your password? 85
Table 4.29 Q23. What is the length of your password? 86
Table 4.30 Q24. How often do you change your password? 86
Table 4.31 Q25. Are you aware of all threats, risks, and vulnerabilities to your organization's information assets? 87
Table 4.32 Q26. How do you view/perceive information security? 87
Table 4.33 Q27. Do you allow your friends to access internet by your computer? 88
Table 4.34 Q28. False or True: "The best and up-to-dated antivirus and other technical security devices can protect information in your computer completely?" 89
Table 4.35 Q29. True or False: "Small organizations are not target for hackers." 89
Table 4.36 Q30. True or False: "No need to change my password, because I don't share it". 90
Table 4.37 Descriptive Statistics for Level of Security Awareness 90
Table 4.38 Level of Information Security Awareness for each Metric 92
Table 4.39 Correlation of "Email-Web Security" with "Gender", "Education" and "Official Working Experience" 93
Table 4.40 Correlation of "Social Engineering" with "Gender", "Education" and "Official Working Experience" 94
Table 4.41 Correlation of "Data Backup" with "Gender", "Education" and "Official Working Experience" 95
Table 4.42 Correlation of "Physical Security" with "Gender", "Education" and "Official Working Experience" 96
Table 4.43 Correlation of "Password Security" with "Gender", "Education" and "Official Working Experience" 97
Table 4.44 Correlation of "Attitude" with "Gender", "Education" and "Official Working Experience" 98
Table 4.45 Correlation of Level of Security Awareness with Email & Web Security 99
Table 4.46 Correlation of Level of Security Awareness with Social Engineering Metric 99
Table 5.1 Level of Staff's Information Security Awareness 105
Table 5.2 Security Awareness Measuring Scale defined by (Kruger 2006) 106
Table 5.3 Summary of Correlation Analysis of Metrics 107
Table 5.4 Summary of Demographic and Metrics Correlation Analysis 109
Table 5.5 Recommendation and Vulnerability Points 113
LIST OF FIGURES
FIGURE NO. TITLE PAGE
Figure 2.1 The IT security learning continuum (Wilson 2003) 14
Figure 2.2 Key steps in the life cycle of an awareness and training program (Wilson 2003) 15
Figure 2.3 Proposed InfoSec Awareness sequential Model by (Marks 2009) 26
Figure 2.4 The Social Engineering attacks Cycle (Malcolm 2007) 35
Figure 2.5 Using Dumpster Diving technique 37
Figure 2.6 Sample of Phishing Attack in Facebook to motivate the user 39
Figure 3.1 Research Framework 48
Figure 4.1 Histogram for Level of Information Security Awareness of Staff 91
Figure 4.2 Impact of Q8 and Q13 on Level of Awareness 100
Figure 4.3 Impact of Q10 and Q13 on Level of Awareness 101
Figure 5.1 Relationship of Security Awareness Measuring Metrics 108
Figure 5.2 Proposed Information Security Awareness Model 112
LIST OF ABBREVIATIONS
CIA Confidentiality, Integrity, Availability
InfoSec Information Security
SE Social Engineering
IAV Information Availability
NOC Network Operation Center
FTP File Transfer Protocol
IS Information System
ISO International Standard Organization
ICT Information Communication technology
CICT Center for Information and Communication technology
CHAPTER 1
1 INTRODUCTION
1.1 Introduction
With today's advanced and widely accessible communication technologies,
information security is a significant topic for protecting organizations against
intruders. Information security awareness among staff also plays an effective role in
protecting information. Hence, the level of information security awareness is defined
as one of the main concerns in this area, and researchers have proposed their own
techniques for increasing awareness among employees (Adam-mark, 1975; Mathisen,
2004; Adam-mark, 2005; Casmir, 2005; North 2010; Khan 2011).
UTM, as an academic environment, also deals with security problems every
semester. In this system there are several types of users, and staff have more access
permissions to the system's information at the workplace (Borreson, 2006; Aloul,
2010). Therefore, conducting a survey among staff can reflect their level of
information security awareness.
In this study, we use a quantitative survey to gather the awareness of
staff. To design an effective questionnaire, we use seven metrics, namely
Security policy, Email and web security, Social Engineering, Backup, Physical
security, Password and Security attitude. With descriptive statistical analysis of the
data, the level of information security awareness of staff is measured. We also
applied correlation analysis to extract the relationship between the metrics and the
level of security awareness. These relationships and the level of awareness are useful
for proposing a new information security awareness program workflow. The results
of this study include the information security awareness metrics, the level of
information security awareness of staff, the relationships among the metrics and a
proposed security awareness workflow. These outputs can be useful in future security
plans and security awareness programs.
In this chapter, an overview of the research, including the background of the
problem, the problem statement, the objectives and the significance of the study, is
presented.
1.2 Background of the Problem
Every day new incidents such as data breaches, threats and risks are reported,
and almost every time these incidents are due to human error and a lack of
information security awareness. Many analysts claim that the human component of
any information security framework is the weakest link. Information is one of the
resources that an organization depends on heavily. If the critical information of an
organization is leaked, the organization can suffer serious consequences, e.g., loss of
income, loss of customers' trust and possibly legal action; therefore, information
should be protected and secured (Risvold, 2010; Khan 2011).
Information security awareness plays an effective role in establishing
security in systems. It can be said that one of the most important criteria for
evaluating the safety of a system is the level of security awareness of the users and
employees in the organization (Siponen, 2000; Shulaili 2010). A low level of
security awareness can be a dangerous vulnerability point in systems. Hence several
researchers (Wilson 2003; North 2006; Yacine 2008) have proposed their own
techniques for measuring the security awareness of the users in their organizations
(Krishna, 2010). Some of them conducted their own surveys with an effective
questionnaire for their system and users, and others proposed techniques in
research-based papers (Young, 2004; Puhakainen, 2006; Albrechtsen 2010). Here we
briefly explain five research works on measuring information security awareness.
Higher education institutions possess a vast amount of information and
computing power. They also provide relatively open access to their constituents
and the public. The concerns of Information Systems (IS) security and
confidentiality in higher education are not recent; in fact, they can be traced back to
the 1970s (Adam-mark, 1975). But even today, with all the available Information
Systems Security best practices, only some universities provide acceptable
InfoSec measures and establish proper InfoSec awareness training (North 2006).
According to a quantitative survey of 435 higher education institutions in the US
(Updegrove 2003), only a third of the examined institutions had applied InfoSec
awareness training for students and staff. In fact, most InfoSec managers pay more
attention to technical aspects and solutions (such as firewalls, routers, and intrusion
detection software), and ignore socio-organizational issues such as the hazards
caused by end users' lack of InfoSec awareness (Katz, 2005).
These days many intruders target the human (end-user), bypassing most
security controls and using techniques such as social engineering to get what they
want. Hence, awareness is becoming a key factor in an organization's ability to
improve security and protect information (Navarro, 2007; Bulgurcu, 2009).
Social engineering is an underestimated security risk that is rarely addressed
by companies. Security awareness training and education is the most important
method of preventing social engineering attacks, and it should be continuous and
dynamic. Organizations can reduce the impact of social engineering attacks by
implementing an information security awareness program (Jason Baker, 2005).
Social engineers are well aware that low-level employees and employees
with low company morale are more susceptible to a social engineering attack, and
thus they are easy targets for revealing information. But since social engineers can
attack any employee for information, all employees should be aware of the methods
of attack and of whom to trust when a problem occurs (Hermansson 2005; Nelson,
2004).
Since many users do not believe that anyone would ever attack them, because
they are not "rich and famous", and that hackers cannot do much damage anyway
(Sasse 2001; Stewart, 2009), social engineering attacks can be highly successful.
This attitude is also influenced by the fact that most users do not understand how
security works. The "old" way of managing information security has led to two
specific problems (Adams 1999):
users' lack of security awareness, and
security departments' lack of knowledge about users, producing security
mechanisms and systems that are not usable.
These two factors lower users' motivation to adopt secure work practices.
In addition to the users' lack of security awareness, the protective measures
are not well liked among the users, or not usable. Organizations also need to
establish a clear and strong policy (Terry 2005; Martin, 2006; Muda, 2010),
including standards, processes and procedures, to help eliminate the threat of social
engineering.
A significant problem is that it is not easy to investigate people's attitudes
and behavior patterns in relation to complex technological matters such as ICT
security, since there is a real risk that the respondents in a survey simply do not
understand the questions put to them.
Enhancing information security does not depend only on technical solutions
in a company. Based on the literature (Abawajy 2008), the first and most important
problem in this area can be the difficulty of measuring security awareness among
staff. In fact, the problem is in designing the best and most effective questionnaire,
suitable for the company in question, to evaluate the level of information security
awareness among staff (Mathisen, 2004; Adam-mark, 2005).
1.3 Problem Statement
The most important problem in information security is the level of
information security awareness among staff. Usually employees do not pay enough
attention to information security to protect their information system completely.
The main problem is:
"The awareness, attitudes, and behavior of the users are important for achieving a
higher level of safety in our system, but for designing a new security awareness
program we need the current level of security awareness of staff, which
unfortunately is not easily perceptible. Hence the main problem is: what is the level
of information security awareness among employees?"
The extracted sub-questions are as follows:
RQ1: What are the set of metrics for measuring the level of information
security awareness?
RQ2: What is the level of information security awareness among staff?
RQ3: Are there significant relationships between the information security
awareness metrics, the level of security awareness, and the personal profile of
staff?
1.4 Objectives
The aims of this study are:
To find the information security awareness measuring metrics in order to
design an effective survey questionnaire;
To measure the level of information security awareness of staff by
descriptive statistical analysis tools;
To identify the impact of each metric on the level of security awareness by
correlation analysis.
1.5 Purpose of the Study
The purpose of this study is to measure the level of information security
awareness among CICT staff. This level of awareness, together with the correlation
analysis of the metrics, will be applied to propose the Critical Success Factors and
an effective security model.
1.6 Significance of the Study
According to the interview session with the dean of CICT, no information
security awareness survey had been conducted before. This study is therefore an
original study that can help information security management know the level of
security awareness among staff. It is hoped that the result of this research has a
positive impact on the CICT organization. The result of this study can be useful in
future security planning and security awareness programs.
1.7 Scope of the Study
Respondent: All CICT staffs
Questionnaire: based on information security awareness metrics
Data gathering: Quantitative methodology
Data analysis: SPSS software
Measuring the level of awareness: Descriptive Statistical analysis
Correlation analysis: Spearman Correlation Analysis
1.8 Summary
This chapter gave an overview of this study. There are four project
objectives that need to be successfully achieved as the goals of this research. The
scope and importance of this project have also been pointed out.
REFERENCES
Abawajy, J. H., K. Thatcher, et al. (2008). Investigation of Stakeholders
Commitment to Information Security Awareness Programs. Information
Security and Assurance, 2008. ISA 2008. International Conference on.
Adam-mark (2005) "The Effect of a University Information Security Survey on
Instructing Methods in Information Security."
Adam-mark, B. K. (1975). "Security and Confidentiality in a university computer
network."
Adams, A. and M. A. Sasse (1999). "Users are not the enemy." Commun. ACM
42(12): 40-46.
Albrechtsen, E. and J. Hovden (2010). "Improving information security awareness
and behaviour through dialogue, participation and collective reflection. An
intervention study." Computers & Security 29(4): 432-445.
Aloul, F. (2010). "The Need for Effective Information Security Awareness."
International Journal of Intelligent Computing Research (IJICR) Volume 1,
Issue 3.
Bonoma, T. V. (1985). "Case Research in Marketing: Opportunities, Problems,
and a Process." Journal of Marketing research pp. 199-208.
Borreson, J. (2006) "Safeguarding the tower: IT security in higher education."
Bourner, T. (1996) "The research process: four steps to success." Research methods:
guidance for postgraduates.
Bulgurcu, B. (2009). Roles of Information Security Awareness and Perceived
Fairness in Information Security Policy Compliance. Americas Conference on
Information Systems (AMCIS).
Casmir, R. (2005). A Dynamic and Adaptive Information Security Awareness
(DAISA) Approach. Department of Computer and Systems Sciences.
Chandler, D. (2004) "Reviewing the Literature." The Media and Communication
Studies Site.
CIT-AWARE (2006). An Investigation of Citizen ICT Safety and Security
Awareness.
Cooper, D. R. and P. S. Schindler (2003). Business Research Method, Brent Gordon:
McGraw Hill.
Danchev, D. (2003) "Building and Implementing a Successful Information Security
Policy." Windows Security.
Eric, L., C. Tubb, et al. (2010) "Using Deception for Assuring Security."
Gartner (2005) "Management Update: How Businesses Can Defend against Social
Engineering Attacks."
Global, S. (2008) "Information Security Awareness Survey."
Gollmann, D. (1999). Computer Security. John Wiley & Sons, Inc.
GoogleScholar. "GoogleScholar." from http://scholar.google.com/.
Granger, S. (2002). "Social Engineering Fundamentals, Part II : Combat Strategies."
Gupta, V., S. Goswami, et al. (2004). "Networking and Security Measures."
DESIDOC Bulletin of Information Technology Vol. 24, No. 2,.
Hair, J. F. (2005) "Multivariate data analysis." Pearson Prentice Hall.
Halim (2009) "Academic Report Writing."
Hasan, M. (2010). "Case Study On Social Engineering Techniques For Persuasion."
International journal on applications of graph theory in wireless ad hoc
networks and sensor networks 17-23.
Heare, S. (2001) "Data Center Physical Security Checklist."
Hermansson, M. and R. Ravne (2005). Fighting Social Engineering. University of
Stockholm / Royal Institute of Technology.
HoneyTech (2010). "Security Awareness Survey Description." Creative Commons
Attribution-Noncommercial.
Huang, C.-Y., S.-P. Ma, et al. (2011). "Using one-time passwords to prevent
password phishing attacks." Journal of Network and Computer Applications
34(4): 1292-1301.
IEEE. "IEEE Xplore." from http://ieeexplore.ieee.org/
Jan Møller Jensen, T. H. (2006). "An empirical examination of brand loyalty."
Journal of Product & Brand Management Vol. 15 Iss: 7, pp.442 - 449.
Jason Baker, B. L. (2005) "The Impact of Social Engineering Attacks on
Organizations A differentiated Study."
K Rudolph and a. L. N. Gale Warshawsky (2001). Computer security Handbook.
Kark, K. (2006). "Five Steps to Effective Security Awareness." Forrester Research.
Katz, F. H. (2005). The effect of a university information security survey on
instruction methods in information security. Proceedings of the 2nd annual
conference on Information security curriculum development, Kennesaw,
Georgia, ACM.
Khan, B., K. S. Alghathbar, et al. (2011). Information Security Awareness
Campaign: An Alternate Approach Information Security and Assurance. T.-h.
Kim, H. Adeli, R. J. Robles and M. Balitanas, Springer Berlin Heidelberg.
200: 1-10.
Krishna, M. (2010). A Methodology for Measuring Information Security Maturity in
Norwegian and Indian MSME's with special focus on people factor.
Kruger, H. A., S. Flowerday, et al. (2011). An assessment of the role of cultural
factors in information security awareness. Information Security South Africa
(ISSA), 2011.
Kruger, H. A. and W. D. Kearney (2006). "A prototype for assessing information
security awareness." Computers & Security 25(4): 289-296.
Lincoln and G. E. (1985) "Naturalist Inquiry." Sage Publications.
Luker, M. and R. Petersen (2003). Computer and Network Security in Higher
Education (ID: PUB7008), EDUCAUSE
MAAWG (2010). Email Security Awareness and Usage Report.
Malcolm and Allen (2007) "Social Engineering: A Means To Violate A Computer
System."
Marks, A. and Y. Rezgui (2009). A Comparative Study of Information Security
Awareness in Higher Education Based on the Concept of Design Theorizing.
Management and Service Science, 2009. MASS '09. International Conference
on.
Martin, A. P. (2006). Information Availability and Security Policy. Proceedings of
the Twelfth Americas Conference on Information Systems.
Mathisen, J. (2004). Measuring Information Security Awareness: A survey showing
the Norwegian way to do it. NISlab.
McDowell, M. (2007) "Avoiding Social Engineering and Phishing Attacks."
MicrosoftWebpage.
Mitnick, Kevin, et al. (2002). The Art of Deception Wiley.
Muda, M. Z. B. (2010). Awareness and Acceptance Analysis of Information
Security Policy. UTM Master Thesis.
Murphy (1996) " Backup strategy."
Navarro, L., (2007), Train employees - your best defense - for security awareness
Nelson, R. (2004) "Methods of hacking: Social Engineering."
Nohlberg, M. (2008). Securing Information Assets: Understanding, Measuring and
Protecting against Social Engineering Attacks.
North, M., DeAnthony Perryman, et al. (2010). "A Comparative Study Of
Information Security And Ethics Awareness In Diverse University
Environments." Consortium for Computing Sciences in Colleges.
North, M. M., R. George, et al. (2006). Computer security and ethics awareness in
university environments: a challenge for management of information systems.
Proceedings of the 44th annual Southeast regional conference, Melbourne,
Florida, ACM.
Parrish (2001) "Security considerations for enterprise level backups."
Peltier, T. R. (2005). "Implementing an Information Security Awareness Program."
Security Management Practices.
Pfleeger, C. P. and S. L. Pfleeger (2009). Security in Computing, 4th Edition
PSZ. "Perpustakaan Sultanah Zanariah ", from http://www.utm.my/psz/.
Puhakainen, P. (2006). "A Design Theory For Information Security Awareness."
Rasli, A. (2006). Data Analysis and interpretation, UTM.
Riley, S. (Ed.) (2006). Password Security: What Users Know and What They
Actually Do.
Risvold, M. O. (2010). Organizational Issue related to information security
behavior. Lulea University of Technology.
Salem, O., A. Hossain, et al. (2010). Awareness Program and AI based Tool to
Reduce Risk of Phishing Attacks. Computer and Information Technology
(CIT), 2010 IEEE 10th International Conference on.
Sasse, M. A., S. Brostoff, et al. (2001). "Transforming the 'Weakest Link' — a
Human/Computer Interaction Approach to Usable and Effective Security."
BT Technology Journal 19(3): 122-131.
ScienceDirect. "ScienceDirect." from http://www.sciencedirect.com/.
Seppo, P., S. Mikko, et al. (2007). Employees' Behavior towards IS Security Policy
Compliance. System Sciences, 2007. HICSS 2007. 40th Annual Hawaii
International Conference on.
Shaikh, A. A. (2006). An Investigation into the Corporate Security Awareness and
Training Program. Master's Thesis in Accounting, HANKEN Swedish School
of Economics and Business Administration.
Shaw, R. S., C. C. Chen, et al. (2009). "The impact of information richness on
information security awareness training effectiveness." Computers &
Education 52(1): 92-100.
Shulaili, T., N. L. Clarke, et al. (2010). An Analysis of Information Security
Awareness within Home and Work Environments. Availability, Reliability,
and Security, 2010. ARES '10 International Conference on.
Siponen, M., S. Pahnila, et al. (2007). Employees’ Adherence to Information Security
Policies: An Empirical Study New Approaches for Security, Privacy and
Trust in Complex Environments. H. Venter, M. Eloff, L. Labuschagne, J.
Eloff and R. von Solms, Springer Boston. 232: 133-144.
Siponen, M. T. (2000). "A conceptual foundation for organizational information
security awareness." Information Management & Computer Security Vol. 8
Iss: 1, pp.31 - 41.
Stewart, G. (2009). Maximising the Effectiveness of Information Security
Awareness Using Marketing and Psychology Principles.
Terry and W. (2005). "Information security policy's impact on reporting security
incidents." Computers & Security 24(6): 448-459.
Thanasegaran, G. (2009). "Reliability and Validity Issues in Research." Integration
& Dissemination vol. 4, pp. 35-40.
Updegrove and a. W. Gordon (2003) "Computers and Network Security in Higher
Education." EDUCAUSE.
WIKIPEDIA. "WIKIPEDIA." from
http://en.wikipedia.org/wiki/Spearman's_rank_correlation_coefficient
Wilson, Mark (Ed), et al. (1998). "Information Technology Security Training
Requirements: A Role- and Performance-Based Model." NIST Special
Publication 800-16.
Wilson, M. and J. Hash (2003). "Building an Information Technology Security
Awareness and Training Program." NIST Special Publication 800-50,
October 2003.
Yacine, Rezgui, et al. (2008). "Information security awareness in higher education:
An exploratory study." Computers & Security 27(7-8): 241-253.
Young, E. a. (2004). "Global Information Security Survey."