A Study of the Development of Information Security Awareness Scale
Master's === Tamkang University === Master's Program, Department of Information Management === 94 === Today, enterprises and organizations around the world depend more and more on Information Technology, which has led managers to attach great importance to Information Security issues. At present, more and more enterprises and organizations are starting to bring in some standards...
Main Authors: | , |
---|---|
Other Authors: | |
Format: | Others |
Language: | zh-TW |
Published: | 2006 |
Online Access: | http://ndltd.ncl.edu.tw/handle/55937449924997239593 |
id | ndltd-TW-094TKU05396019 |
---|---|
record_format | oai_dc |
spelling | ndltd-TW-094TKU05396019 2016-06-01T04:14:22Z http://ndltd.ncl.edu.tw/handle/55937449924997239593 A Study of the Development of Information Security Awareness Scale 資訊安全認知評量表之研究 Ming-Yu Tsao 曹明玉 Master's, Tamkang University, Master's Program, Department of Information Management, 94 Ruey-Shiang Shaw 蕭瑞祥 2006 thesis 122 zh-TW |
collection | NDLTD |
language | zh-TW |
format | Others |
sources | NDLTD |
description |
Master's === Tamkang University === Master's Program, Department of Information Management === 94 === Today, enterprises and organizations around the world depend more and more on Information Technology, which has led managers to attach great importance to Information Security issues. At present, more and more enterprises and organizations are starting to bring in Information Security standards or systems. These standards, whether BS7799, COBIT or others, take the “organization” as the basis for examining the Confidentiality, Integrity, and Availability of Information Security. However, many Information Security incidents still emerge in an endless stream, and most of them result from the intentional or unintentional actions of internal staff. Current Information Security references lack the notion of taking “people” into consideration as a threshold, and few studies measure the level of Information Security Awareness of personnel in the enterprise with a scale and improve it.
This research takes the twenty-six concepts of the “ABC’s of Information Technology Security” in NIST Special Publication 800-16 as the basis for developing an Information Security Awareness Scale, which measures whether people know the basic meaning of these Information Security concepts, and it also verifies the applicability of the scale. After a series of scale-design steps, including questionnaire design, Delphi Method development, establishment of the first edition of the scale, and surveys and interviews with domestic experts, we worked with four different units to analyze and probe, verifying the scale’s availability from the testees’ responses in order to understand the differences in their Information Security knowledge. After verification, this research reveals the following. (1) Whether staff have taken Information Security related training makes a difference, to some extent, in their Information Security knowledge level, and different kinds of training influence staff differently. Therefore, high-ranking managers must take their subordinates’ knowledge level in this area seriously. (2) The level is divided into three ranks: low, middle, and high. The organization can target those at the middle rank and below for a further phase of advocacy and reinforcement, or use it as training material. (3) The degree of difficulty of the scale was analyzed. For future testing based on this scale, questions of different difficulty levels can be chosen for the test. Most of the supplementary questions from the individual interviews with experts are at the middle level, which conforms to the availability. Because references in this area are lacking, the scale can be used to measure the level of Information Security Awareness of staff in a department and to provide a basis for future Information Security training. It can also verify the degree of effect on people after they have taken Information Security training.
|
author2 | Ruey-Shiang Shaw |
author_facet | Ruey-Shiang Shaw Ming-Yu Tsao 曹明玉 |
author | Ming-Yu Tsao 曹明玉 |
author_sort | Ming-Yu Tsao |
title | A Study of the Development of Information Security Awareness Scale |
publishDate | 2006 |
url | http://ndltd.ncl.edu.tw/handle/55937449924997239593 |