Prototype for Enhancing Information Security Awareness in Industry

Human-related information security breaches within organizations are primarily caused by employees who have not been made aware of the importance of protecting the information they work with. Information security awareness is accordingly attracting more attention from industry, because stakeholders are held accountable for the information with which they work. The authors developed an Information Security Retrieval and Awareness model, entitled “ISRA”, that is tailored specifically towards enhancing information security awareness in industry amongst all users of information, in order to address shortcomings in existing information security awareness models. This paper is principally aimed at expounding a prototype of the ISRA model in order to highlight the advantages of utilizing the model. The prototype focuses on the non-technical, human-related information security issues in industry. The prototype ensures that all stakeholders in an organization are part of an information security awareness process, and that these stakeholders are able to retrieve specific information related to the information security issues relevant to their job category, preventing them from being overburdened with redundant information.
