Investigating information security awareness: Research and practice gaps

Information Security Journal

Volumn 17, Issue 5-6, 2008, Pages 207-227

  Tsohou, Aggeliki ^a   Kokolakis, Spyros ^a   Karyda, Maria ^a   Kiountouzis, Evangelos ^b  

^a UNIVERSITY OF THE AEGEAN   (Greece)

^b ATHENS UNIVERSITY OF ECONOMICS AND BUSINESS   (Greece)

Author keywords

Information security awareness; Information security management

Indexed keywords

EID: 85016075946     PISSN: 19393555     EISSN: 19393547     Source Type: Journal    
DOI: 10.1080/19393550802492487     Document Type: Article

References (58)

1. Albrechtsen, E. (2007). A qualitative study of users' view on information security, Computers & Security, 26(4), pp. 276-289.
2. Bray, T.J. (2002). Security actions during reduction in workforce efforts: What to do when downsizing, Information System Security, 11(1), pp. 11-15.
3. Bresz, F.P. (2004). People—often the weakest link in security, but one of the best places to start, Journal of Health Care Compliance, 6(4), pp. 57-60.
4. Casmir, R. and Yngstrom, L. (2005). Towards a dynamic and adaptive information security awareness approach. In Proceedings of the IFIP TC11 WG11.8 Fourth World Conference on Information Security Education (WISE4), May 2005, Moscow, Russia.
5. Chen, C.C., Shaw, R.S. and Yang, S.C. (2006). Mitigating information security risks by increasing user security awareness: A case study of an information security awareness system, Information Technology Learning and Performance Journal, 24(1), pp. 1-14.
6. Cone, B.D., Irvine, C.E., Thompson, M.F. and Nguyen, T.D. (2007). A video game for cyber security training and awareness, Computers & Security, 26(1), pp. 63-72.
7. Cox, A., Connolly, S. and Currall, J. (2001). Raising information security awareness in the academic setting, The Journal of Information and Knowledge Management System, 31(2), pp. 11-16.
8. CSI. (2007). Computer crime and security survey 2007. Computer Security Institute. Retrieved May 28, 2008, from http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf
9. CSI/FBI. (2006). Computer crime and security survey 2006. Computer Security Institute. Retrieved May 28, 2008, from http://i.cmpnet.com/ gocsi/db_area/pdfs/fbi/FBI2006.pdf
10. CSI/FBI. (2005). Computer crime and security survey. 2006. Computer Security Institute. Retrieved May 28, 2008, from http://i.cmpnet.com/ gocsi/db_area/pdfs/fbi/FBI2005.pdf
11. Danuvasin, C., Murali, R. and Lorne, O. (2008). Improving end user behavior in password utilization: An action research initiative, Systemic Practice and Action Research, 21(1), pp. 55-72.
12. Dodge, R.C., Carver, C. and Ferguson A.J. (2007). Phishing for user security awareness, Computers & Security, 26(1), pp. 73-80.
13. Drevin, L., Kruger, H.A. and Steyn T. (2007). Value-focused assessment of ICT security awareness in an academic environment, Computers & Security, 26(1), pp. 36-43.
14. ENISA. (2006). A users' guide: How to raise information security awareness 2006. European Network and Information Security Agency. Retrieved June 9, 2008, from http://www.enisa.europa.eu/doc/pdf/ deliverables/enisa_a_users_guide_how_to_raise_IS_awareness.pdf
15. Ernst & Young. (2005). Annual global information security survey 2005. Retrieved June 9, 2008 from www.vistorm.com/uplds/EY_Global_Information_ Security_survey_20051.pdf
16. Ernst & Young. (2006). Annual global information security survey 2006. Retrieved June 9, 2008 from http://www.ey.com/Global/download. nsf/International/TSRS_-_GISS_2006/$file/EY_GISS2006.pdf
17. Everett, C.J. (2006). Security awareness: Switch to a better program, Network Security, 2, pp. 15-18.
18. Frye, D.W. (2007). Network security policies and procedures. In Series: Advances in Information Security. New York: Springer-Verlag.
19. Furnell, S. (2006). Securing the home worker, Network Security, (11), pp. 6-12.
20. Furnell, S.M., Gennatou, M. and Dowland, P.S. (2002). A prototype tool for information security awareness and training, Logistics Information Management, 15(5/6), pp. 352-357.
21. Goucher, W. (2008). Getting the most from training sessions: the art of raising security awareness without curing insomnia, Computer Fraud & Security, (4), p. 15.
22. Hansche, S. (2001a). Designing a security awareness program: Part I, Information Systems Security, 9(6), pp. 14-23.
23. Hansche, S. (2001b). Information system security training: Making it happen: Part 2, Information System Security, 10(3), pp. 51-70.
24. Hawkins, S., Yen, D.C. and Chou, D.C. (2000). Awareness and challenges of Internet security, Information Management & Computer Security, 8(3), pp. 131-143.
25. ISO/IEC. (2005). Information technology—security techniques—code of practice for information security management. ISO.IEC 17799: 2005: International Standards Association 2005.
26. Katsikas, S. (2000). Health care management and information systems security: Awareness, training or education? International Journal of Medical Informatics, 60(2), pp. 129-135.
27. Knapp, K.J., Marshall, T.E., Rainer, R.K. and Morrow, D.W. (2004). Top-ranked information security issues: The 2004 international information systems security certification consortium (ISC)2 survey results. Research Colloquium, Auburn University, Auburn, Alabama.
28. Kritzinger, E. (2006). An information security retrieval and awareness model for industry. Doctoral dissertation, University of South Africa. Retrieved October 6, 2007, from http://etd.unisa.ac.za/ETD-db/ ETD-desc/describe?urn = etd-11062006-094238
29. Kruger, H.A. and Kearney, W.D. (2006). A prototype for assessing information security awareness, Computers & Security, 25(1), pp. 289-296.
30. Leach, J. (2003). Improving user security behavior, Computers & Security, 22(8), pp. 685-692.
31. Maeyer, D.D. (2007). Setting up an effective information security awareness program. In ISSE/SECURE 2007 Securing Electronic Business Processes Highlights of the Information Security Solutions Europe/ SECURE 2007 Conference (part 1), Vieweg, pp. 49-58.
32. Mathisen, J. (2004). Measuring information security awareness - A survey showing the Norwegian way to do it. Master Thesis, NISlab Norwegian Information Security Laboratory, campus IT university. Retrieved October 6, 2007, from http://dsv.su.se/en/seclab/pages/msckththeses-en
33. McCoy, C. and Fowler, R.T. (2004). You are the key to security: Establishing a successful security awareness program. In Proceedings of the 32nd Annual ACM SIGUCCS Conference on User Services, Baltimore, MD, pp. 346-349.
34. NIST. (2003). Building an information technology security awareness and training program. In M. Wilson (ed.), NIST Special Publication 800-50. Gaithersburg, MD: National Institute of Standards and Technology. Retrieved October 6, 2007, from http://csrc.nist.gov/publications/ nistpubs/
35. NIST. (1998). Information technology security training requirements: A role- and performance-based model. In M. Wilson (ed.), NIST Special Publication 800-16. Gaithersburg, MD: National Institute of Standards and Technology. Retrieved October 6, 2007, from http:// csrc.nist.gov/publications/nistpubs/
36. Okenyi, P.O. and Owens, T.J. (2007). On the anatomy of human hacking, Information Systems Security, 16(6), pp. 302-314.
37. Peltier, T.R. (2005). Implementing an information security awareness program, Information Systems Security, 14(2), pp. 37-48.
38. Power, E.M. (2007). Developing a culture of privacy: A case study, IEEE Security and Privacy, 5(6), pp. 58-60.
39. Power, R. and Forte, D. (2006). Case study: A bold new approach to awareness and education, and how it met an ignoble fate, Computer Fraud & Security, 2006(5), pp. 7-10.
40. Puhakainen, P. (2006). A design theory for information security awareness. Doctoral Dissertation, Department of information processing science, University of Oulu. Retrieved October 6, 2007, from http://herkules.oulu.fi/isbn9514281144/
41. PWHC. (2006). Pricewaterhouse Coopers. Information security breaches survey - Technical report 2006. Retrieved October 6, 2007, from http://www.pwc.com/Extweb/pwcpublications.nsf/docid/F9843CD3C8E0FB828025715A0058C63B
42. Qing, T., Ng, B. and Kankanhalli A. (2007). Individual's response to security messages: A decision-making perspective, decision support for global enterprises, In Series: Annals of Information Systems. New York: Springer-Verlag, pp. 177-191.
43. Schlienger, T. and Teufel, S. (2003). Information security culture - from analysis to change. In Proceedings of ISSA 2003, Johannesburg, South Africa.
44. Security Awareness Index Report. (2002). The state of security awareness among organizations worldwide. ITToolBox and Pentasafe, 2002. From Web Site: http://security.ittoolbox.com/pub/AM101502a.pdf [accessed at: 09-06-2008].
45. Siponen, T. M. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8 (1), 31-41.
46. Spurling, P. (1995). Promoting security awareness and commitment. Information Management and Computer Security, 3(2), 20-26.
47. Stanton, M.J., Stam, R. K., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user security behaviours. Computers & Security, 24(2), 124-133.
48. Steyn, T., Kruger, H., & Drevin, L. (2007). Identity Theft - Empirical evidence from a Phishing exercise. In: IFIP International Federation for Information Processing, Vol. 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Eloff, M. Labuschagne, L., Eloff, j., von Sohns, R., (Boston: Springer), pp. 193-203, 2007.
49. Strauss, L. A., & Corbin, J. (1990). Basics of Qualitative Research: Grounded Theory Procedures and Techniques, Newbury Park, CA: Sage.
50. Thomson, M. (1999). Making information security awareness and training more effective. In: Proceedings of the IFIP TC11 WG11.3 First World Conference on Information Security Education (WISE1), Kista, Sweden, 1999.
51. Thomson, M.E., & von Solms, R. (1998). Information security awareness: educating your users effectively. Information Management & Computer Security, 6(4), 167-173.
52. Valentine, J.A. (2006). Enhancing the employee security awareness model. Computer Fraud & Security, 2006 (6), 17-19.
53. van Wyk, K.R., & Steven, J. (2006). Essential Factors for Successful Software Security Awareness Training. IEEE Security & Privacy,4 (5), 80-83.
54. von Solms, B. (2000). Information Security - The Third Wave?. Computers and Security, 19 (7), 615-620.
55. Vroom, C., & von Solms, R. (2002). A Practical Approach to Information Security Awareness in the Organization. In: Proceedings of the IFIP TC11 17th International Conference on Information Security: Visions and Perspectives, 2002.
56. Vroom, C., & von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security, 23(3), 191-198.
57. Wood, C. C. (1995). Information security awareness raising methods. Computer Fraud & Security Bulletin, 1995(6), 13-15.
58. Yngstrom, L., & Bjorck, F. (1999). The Value and Assessment of Information Security Education and Training. In: Proceedings of the IFIP TC11 WG11.8 First World Conference on Information Security Education (WISE1), Stockholm, 1999.