Analyze Before You Sensitize: Preparation of a Targeted ISA Training (2020-01-07)
This paper describes a procedure to enable the planning of targeted measures to increase the Information Security Awareness (ISA) of employees of an institution. The procedure is practically applied at a German university. With the help of a comprehensive analysis, which is based on findings of social psychology, necessary topics for ISA measures are identified. In addition, reasons are sought for why employees do not conduct information security. The procedure consists of a qualitative phase with interviews and a quantitative phase with a questionnaire. It turned out that the procedure provided many clues to the design of ISA measures. These include organizational and technical measures that can help employees to ensure information-safe behavior. In addition, it was found that there were deviations between the qualitative and quantitative phases and therefore, both phases are necessary. The paper critically discusses the procedure and also addresses the strengths and weaknesses of the analysis.
From Data Flows to Privacy Issues: A User-Centric Semantic Model for Representing and Discovering Privacy Issues (2020-01-07)
In today's highly connected cyber-physical world, people are constantly disclosing personal and sensitive data to different organizations and other people through the use of online and physical services. Such data disclosure activities can lead to unexpected privacy issues. However, there is a general lack of tools that help to improve users' awareness of such privacy issues and to make more informed decisions on their data disclosure activities in wider contexts. To fill this gap, this paper presents a novel user-centric, data-flow graph based semantic model, which can show how a given user's personal and sensitive data are disclosed to different entities and how different types of privacy issues can emerge from such data disclosure activities. The model enables both manual and automatic analysis of privacy issues, therefore laying the theoretical foundation of building data-driven and user-centric software tools for people to better manage their data disclosure activities in the cyber-physical world.
About the Measuring of Information Security Awareness: A Systematic Literature Review (2020-01-07)
To make employees aware of their important role for information security, companies typically carry out security awareness campaigns. The success and effectiveness of those campaigns has to be measured, for example to justify the budget. Therefore, we did a systematic literature review in order to learn how information security awareness (ISA) is measured in theory and practice. We covered published literature as well as unpublished information. The unpublished information was retrieved by interviewing experts of small and medium-sized enterprises. The results showed that ISA is mostly measured via questionnaires. Roughly 40 % of the questionnaires are based on the Knowledge-Attitude-Behavior-Model, which is itself scientifically weak. According to studies, measuring knowledge is not sufficient and behavior has to be measured. Our results show that the answers of participants in questionnaires often differ from the truth due to wrong perception or social desirability bias. Therefore, behavior should be measured through behavior tests.