How Effective Is Your Security Awareness Program? An Evaluation Methodology

Information Security Journal

Volumn 21, Issue 6, 2012, Pages 328-345

  Rantos, Konstantinos ^a   Fysarakis, Konstantinos ^b   Manifavas, Charalampos ^b  

^a TECHNOLOGICAL EDUCATIONAL INSTITUTE OF KAVALA   (Greece)

^b TECHNOLOGICAL EDUCATIONAL INSTITUTE OF CRETE   (Greece)

Author keywords

evaluation methodology; security awareness; security management

Indexed keywords

AWARENESS PROGRAM; CORRECTIVE ACTIONS; EVALUATION METHODOLOGIES; EVALUATION PROGRAM; HIGHER MANAGEMENT; SECURITY AWARENESS; SECURITY INFRASTRUCTURE; SECURITY MANAGEMENT; USERS' PERCEPTION;

EID: 84871904550     PISSN: 19393555     EISSN: 19393547     Source Type: Journal    
DOI: 10.1080/19393555.2012.747234     Document Type: Article

References (30)

1. Albrechtsen, E. 2007. A qualitative study of users' view on information security. Computers & Security, 26(4), 276--289.,
2. Bilal Khan, K. S. 2011. Effectiveness of information security awareness methods based on psychological theories. African Journal of Business Management, 5(26): 10862-10868.
3. CSI/FBI. (2008). 13th Annual CSI/FBI Computer Crime and Security Survey. www.gocsi.com (http://www.gocsi.com)
4. CSI/FBI. (2009). 14th Annual CSI/FBI Computer Crime and Security Survey.: from www.gocsi.com (http://www.gocsi.com)
5. CSI/FBI. (2010/2011). 15th Annual CSI/FBI Computer Crime and Security Survey. www.gocsi.com (http://www.gocsi.com)
6. Deloitte. (2010). Global Security Survey. www.deloitte.com (http://www.deloitte.com)
7. Deloitte. (2011). Global Security Survey. www.deloitte.com (http://www.deloitte.com)
8. Dodge, R., Carver, C. and Ferguson, A. 2007. Phishing for user security awareness. Computers & Security, 26(1): 73-80.
9. Eminaǧaoǧlu, M. U. 2010. The positive outcomes of information security awareness training in companies-a case study. Information Security Technical Report,: 223-229.
10. European Network and Information Security Agency (ENISA). (2010). The new users' guide-how to raise InfoSec awareness. http://enisa.europa.eu (http://enisa.europa.eu)
11. European Network and Information Security Agency (ENISA), PricewaterhouseCoopers LLP (PwC). (2007). Information security awareness initiatives: Current practice and the measurement of success.Availale from http://www.enisa.europa.eu (http://www.enisa.europa.eu)
12. Henning, R. E. 2002. "Information system security attribute quantification or ordering". In Proceedings of Workshop on Information Security System, Scoring and Ranking, MITRE Williamsburg, VA
13. Janne Hagen, E. A. 2011. The long-term effects of information security e-learning on organizational learning. Information Management & Computer Security, 19(3): 140-154.
14. Janne Merete Hagen, E. A. 2008. Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, 16(4): 377-397.
15. Janne Merete Hagen, E. A. 2009. Effects on employees' information security abilities by e-learning. Information Management & Computer Security, 17(5): 388-407.
16. Johnson, E. C. 2006. Security awareness: Switch to a better programme. Network Security, 2: 15-18.
17. Kruger, H. 2006. A prototype for assessing information security awareness. Computers Security, 25(4): 289-296.
18. National Institute of Standards and Technology (NIST). (1998). Special publication 800-16: Information technology security training requirements: a role- and performance-based model. http://csrc.nist.gov (http://csrc.nist.gov)
19. National Institute of Standards and Technology (NIST). (2003). Special publication 800-50: Building an information technology security awareness and training program. http://csrc.nist.gov (http://csrc.nist.gov)
20. National Institute of Standards and Technology (NIST). (2008). Special publication 800-55, Revision 1: Performance measurement guide for information security. http://csrc.nist.gov (http://csrc.nist.gov)
21. National Institute of Standards and Technology (NIST). (2009). Special publication 800-53, Revision 3: Information security, recommended security controls for federal information systems and organizations. http://csrc.nist.gov (http://csrc.nist.gov)
22. Noticebored. (2008). Generic business case for an information awareness program. http://www.noticebored.com (http://www.noticebored.com)
23. Saaty, T. L. 1980. The analytic hierarchy process, New York, NY: McGraw Hill.
24. Sademies, A. 2004. Process approach to information security metrics in Finnish industry and state institutions. VTT Publications, Finland,
25. SANS Institute. (2006). A guide to security metrics. http://www.sans.org/ (http://www.sans.org/)
26. SANS Institute. (2011). Measuring psychological variables of control in information security. http://www.sans.org/ (http://www.sans.org/)
27. Savola, R. 2008. A novel security metrics taxonomy for R&D organizations. Proceedings of the ISSA 2008 Innovative Minds Conference.,
28. Schultz, E. 2004. Security training and awareness-fitting a square peg in a round hole. Computers Security, 23: 1-2.
29. TELUS-Rotman. (2011). Joint study on Canadian IT security practices. http://www.rotman.utoronto.ca/securitystudy/ (http://www.rotman.utoronto.ca/securitystudy/)
30. Teufel, T. S. 2003. Analyzing information security culture: Increased trust by an appropriate information security culture. Proceedings DEXA Workshops,: 405-409.