Information Security Awareness of TAFE South Australia Employees

Information Security Awareness of
TAFE South Australia Employees
Research Proposal
Hong Chan
External
Chaht01f
00069566
Supervisor: Dr Sameera Mubarak
Bachelor of Information Technology (Honours)
School of Computer and Information Science
University of South Australia
Submitted on 13th June 2011
1
Table of Contents
Abstract ............................................................................................................................. ii
1 Introduction ................................................................................................................... 1
1.1 Partnership – TAFE South Australia .............................................................. 2
1.2 Researcher‟s Personal Interest ........................................................................ 2
1.3 Potential Contributions ................................................................................... 2
1.4 Limitations ...................................................................................................... 2
1.5 Field of Thesis ................................................................................................ 3
1.6 Research Question .......................................................................................... 3
2 Literature Review .......................................................................................................... 4
2.1 Information Security ....................................................................................... 4
2.2 Employee Information Security Awareness ................................................... 5
2.3 Managerial Information Security Awareness ................................................. 6
2.4 Other Relevant Literature ............................................................................... 7
2.5 Assessing Information Security Awareness ................................................... 9
2.6 Literature Review Summary......................................................................... 10
3 Methodology................................................................................................................ 11
3.1 Research Design ........................................................................................... 11
3.2 Data Analysis ................................................................................................ 12
3.3 Expected Results .......................................................................................... 12
4 Ethics and Compliance ................................................................................................ 13
Reference ........................................................................................................................ 14
Project Schedule ............................................................................................................. 16
Trial Table of Contents ................................................................................................... 17
i
Abstract
Various literature and studies relating to information security emphasise the importance of
information security awareness in maintaining any organisational wide security
implementations or measures. It is also widely accepted that information security awareness is
an important factor in a successful security plan, and should be properly assessed to suggest
improvements.
While it has been established that it is important for staff from within all levels of the
organisation to have greater information security awareness, there is clearly a gap within current
literature and studies in that there has been virtually no studies into information security
awareness in an Australian context.
It is proposed that this study will directly investigate and to assess the employee information
security awareness in TAFE South Australia in order to provide much needed insight into the
extent of information awareness levels in Australian organisations.
If the gap in literature is any indication, then it is anticipated that awareness levels of TAFE
South Australia employees will be low, thereby warranting the need to explore ways in
improving information security awareness levels.
ii
1 Introduction
Due to advances in information technology and the resultant high accessibility of information
by internal and external users, information security has become highly relevant and necessary
for the survival of organisations (von Solms 1998; Cervone 2005; Thompson 2006). Failure to
protect confidential an information may result in exorbitant costs in public liabilities, which
may result in the ultimate downfall of an organisation.
Many papers such as von Solms (1998) and Cervone (2005) have concluded that to counteract
or to minimise the risk of information security breaches, it is important for an organisation to
implement an information security plan or strategy.
Further, Namjoo et al. (2008) suggested that preventative action by organisations usually take
place after the occurrence of information security breaches. By the time an incident has taken
place, it could be too late. It is better to be safe than sorry. In addition, organisations have an
ethical and or legal responsibility to ensure that client confidential information is well protected.
It is widely accepted within current literature that information security awareness is a key factor
in contributing to a successful security strategy (Siponen & Vance 2010; Spears & Barki 2010;
McFadzean, Ezingeard & Birchall 2007; Knapp et al. 2006; Mouratidis, Jahankhani & Nkhoma
2008; Hagen, Albrechtsen & Hovden 2008; Doherty, Anastasakis & Fulford 2009; Bulgurcu,
Cavusoglu & Benbasat 2010; Namjoo et al. 2008). Further, there is a positive and direct relation
between information security awareness and preventative action and thus improved security
performance (Knapp et al. 2006), which suggests that employee security awareness assessment
should be the starting point in developing or enhancing any security strategies.
According to Bulgurcu, Cavusoglu & Benbasat (2010), information security awareness is an
employee‟s knowledge of information security concepts and his or her consciousness of the
organisation‟s information security measures or plans.
Due to the apparent gap which exists in current literature in that studies in relation to
organisational information security awareness in an Australian context are virtually nonexistent, this investigative study aims to assess the employee awareness levels of an Australian
organisation. Assessment will be conducted using a vocabulary test based on Kruger, Drevin &
Steyn (2010) which will be modified to suit the Australian context. The test will be delivered
online and the resultant collected data will be analysed to determine employee assessment
levels.
1
1.1 Partnership – TAFE South Australia
TAFE South Australia recognises the potential benefits of this study for the organisation and
Australian organisations in general. Therefore TAFE South Australia has kindly agreed to take
part in this study by allowing its employees to be the subjects for this research.
TAFE South Australia is an agency of the Department for Further Education, Science and
Technology (DFEEST) within the Government of South Australia. It is the largest provider of
vocational education and training in South Australia.
With over 2400 employees ranging from lecturing, administrative and management spread
across 48 campuses around the State of South Australia (TAFE South Australia 2011), it is
anticipated that the organisation will provide sufficient data for analysis to enable a conclusive
finding for this research.
1.2 Researcher’s Personal Interest
As a member of staff within TAFE South Australia, Hong Chan has first-hand experience in the
workings of the organisation, particularly in relation to information security, where it is
recognised through general observations that awareness is lacking. By empirically verifying this
lack of awareness, the researcher hopes that this will provide a first step in ensuring TAFE
South Australia‟s information security readiness.
1.3 Potential Contributions
It is anticipated that the result of this research will directly benefit TAFE South Australia by
providing the organisation with a critical analysis of employee information security awareness,
thereby providing a starting point in ensuring information security readiness. More importantly,
very little has been done to assess information security awareness in Australian organisations.
Therefore, this study will provide a much needed insight into security awareness in an
Australian context. Finally, the vocabulary test used in this research has the potential to be
utilised by Australian organisations to assess awareness levels.
1.4 Limitations
Assessing awareness is only the first step in the process of ensuring information security, this
study is limited in that it will not investigate how awareness can be improved. Further study is
needed, and will be considered in the future.
2
1.5 Field of Thesis
Information Security, Information Security Awareness, Information Assurance, Information
Management.
1.6 Research Question
This investigative study will utilise an information security vocabulary test to assess the
employee and managerial information security awareness levels of TAFE South Australia in
order to provide a starting point for developing or improving a security policy for TAFE South
Australia, and to provide an insight into the information security readiness of TAFE South
Australia or Australian organisations in general. The scope of this study is limited to the
assessment of information security awareness and does not investigate techniques which could
improve awareness, nor does the scope include developing information security policies or
plans.
3
2 Literature Review
The following sections provide a review of current literature relating to information security
awareness and within the scope of this proposal. Firstly, literature providing background
information will be briefly discussed. This is followed by the review of various studies which
place emphasis on information security awareness. Finally a brief summary of the reviewed
literature will be provided, explaining the justification for the need to investigate information
security awareness in an Australian context.
2.1 Information Security
The advent of the internet and electronic commerce has ensured that information security has
become increasingly vital for modern organisations (von Solms, 1998). This is because the
internet or intranets have allowed information to be easily accessible by external or internal
sources. von Solms (1998) further stated that organisations need to ensure that a high level of
information security is maintained in order to protect proprietary and confidential information.
Further, Cervone (2005) stated that due to the increasing complexity of software, vulnerabilities
of software are also increasing. Subsequently, security breaches will result. Of particular
relevance to this proposed research is the obtaining of confidential information via illegal
means. The liability to an organisation if this was to occur would financially cripple the
organisation and may cause a public outcry. In order to minimise or to prevent information
security breaches, an organisation must implement an information security preventative plan.
Cervone (2005) identified three major areas in which a security plan should include. These
were: Confidentiality, protecting information from unauthorised access; Integrity, protecting
information from unauthorised alteration; and availability, providing access to information as
required, when required.
Thompson (2006) expanded further the importance of protecting information by discussing
social engineering in the context of public libraries. According to Thompson (2006), “social
engineering is the use of non-technical means to gain unauthorised access to information or
computer systems”. Libraries contain a vast amount of personal information in their database
and social engineering is clearly a major threat. TAFE South Australia or any other higher
education institutions face similar threats due to the vast amount of student information
contained in their database. A major aspect of social engineering is that hackers prey on
employee trust and emotion. That is, hackers will try to gain the trust of employees in order to
obtain confidential information. Further, hackers will often use impersonation and pretend to be
someone else in order to gain trust. Finally, Thompson (2006) suggested that apart from a well
4
implemented information security plan to prevent social engineering, employees play an active
and important role. The starting point would be to ensure that employees have a high level of
information security awareness, and this forms the basis for this proposed research.
Bulgurcu, Cavusoglu & Benbasat (2010) defined information security awareness as an
employee‟s knowledge of information security and his or her consciousness of the
organisation‟s information security measures or plans. The following section will present
relevant literature relating to information security awareness which is of importance to this
proposal.
2.2 Employee Information Security Awareness
Bulgurcu, Cavusoglu & Benbasat (2010) investigated employee rationality based behaviours,
information security awareness, and their effects on information security compliance. The study
was able to show that an employee‟s intention to comply is greatly influenced by their attitude
and their outcome beliefs. More importantly for the purpose of this research, the study found
that an employee‟s attitude and outcome beliefs are affected by their level of information
security awareness. In other words, placing emphasis on information security awareness can
positively affect employee attitudes and to encourage compliance.
Siponen & Vance (2010) explained information security breaches by employees from a
neutralization theory perspective. That is, the study concluded that employees who are
responsible for any security breaches often justify or rationalise their actions using
neutralization techniques. Neutralization is a concept borrowed from the field of psychology.
The study was not directly related to information security awareness. However, Siponen &
Vance (2010) did propose that policy awareness campaigns may be used to counteract the
effects of neutralization thereby ensuring that security policies are adhered to, suggesting that
further investigation into information security awareness is warranted.
Spears & Barki (2010) explored the relationship between employee participation in risk
management and internal security compliance. The study was able to conclude that employee
participation in risk management greatly contributed to improved security control performance
due to greater alignment between security risk management and the business environment,
better policy development, and more importantly for the purpose of this research – greater
information security awareness. While the study did not explore information security awareness
as the main driver of a successful security policy, it did highlight information security
awareness as a main contributor.
5
2.3 Managerial Information Security Awareness
Most studies have so far explored the significance of information security awareness of
employees in general. This section presents current literature which has identified the
importance of managerial information security awareness.
McFadzean, Ezingeard & Birchall (2007) identified the awareness of senior management as an
important driver of effective security measures. The study argued that senior executives have a
holistic view of the organisation and therefore have the power to affect change in the
organisation through their roles as strategy implementers. It was found that board level
perceptions and thereby information security awareness are positively related to the strategic
activities of an organisation.
Similar to McFadzean, Ezingeard & Birchall (2007), Knapp et al. (2006) also identified senior
management as key players. The study found that senior management support is positively
related to both an organisation‟s security culture and the level of policy enforcement. While the
study did not directly explore managerial information security awareness as a predictor of
security performance, it does again highlight the importance of management involvement, thus
the importance of managerial information security awareness in affecting an organisation‟s
information security readiness.
Mouratidis, Jahankhani & Nkhoma (2008) aimed to study the differences in perception of
network security between general management personnel and personnel who are responsible for
actual network security. The study found that general managers do have different perspectives
towards network security than personnel from the network security management. In particular,
the effectiveness and efficiency of the network, control of security, security decision making
process, and users of the network all showed significant perceptual differences. There is a clear
lack of information security awareness within general management and as confirmed by
McFadzean, Ezingeard & Birchall (2007), this could have a negative impact on the
effectiveness of information security policies.
Namjoo et al. (2008) further reinforced the importance of information security awareness levels
of management by investigating the relationship between managerial information security
awareness and action. The study was able to provide empirical support for a positive
relationship between awareness and action. In other words, the higher the level of managerial
information security awareness, the more likely the managers will take action in implementing
preventative measures. The study suggested that preventative action usually occur after the fact.
6
That is, unless an actual information security breach has occurred, organisations usually take no
action in adopting security measures. Like various similar studies, Namjoo et al. (2008) implied
that by raising managerial information security awareness, information security performance
could in fact improve information security performance.
2.4 Other Relevant Literature
Hagen, Albrechtsen & Hovden (2008) studied the implementation of organisational security
measures and to assess the effectiveness of such measures. The study was conducted using a
survey in which data was collected from information security managers in various Norwegian
organisations. It was discovered that many Norwegian organisations placed emphasis on the
policies and procedures in implementing any measures, but placed very little emphasis on
security awareness. The study also showed that awareness measures were the most effective of
any security measures. As a consequence, the study showed an inverse relationship between the
implementation of security measures and their effectiveness. In other words, it is important to
place emphasis on security awareness as well as others when adopting security programs.
Hagen, Albrechtsen & Hovden (2008) only investigated Norwegian organisations. However,
due to the similar structures of western organisations (similar accounting practices, management
hierarchies, information technology infrastructure etc.), it can be posited that Australian
organisations are in a similar situation. Virtually no studies have explored information security
awareness in Australian organisations, thereby justifying the need for this proposed research.
According to Doherty, Anastasakis & Fulford (2009), ensuring the security of information has
become extremely complex and challenging. This is more so for Universities because teaching
and research activities are becoming more reliant on the availability, integrity and accuracy of
computer based information. The study aimed to empirically study the structure or content of
security policies for UK based Universities in order to fill the gap in the literature by critically
examining the structure and content of these policies. The study found that due to the wide
diversity of these policies, it was not possible to foster a coherent approach to security
management. It also found that the range of issues being covered in such policies was
surprisingly low, and reflects a highly techno-centric view rather than a user-centric view of
information security management. This suggests that the user or staff information security
awareness are not prominent nor considered in these policies. Again, while Doherty,
Anastasakis & Fulford (2009) only explored UK based Universities, it can be posited that
Australian higher education institutions such as TAFE South Australia may have similar
attitudes, thereby further justifying the need to explore information security awareness in an
Australian setting.
7
In another non-Australian context, Dzazali, Sulaiman & Zolait (2009) aimed to evaluate the
maturity level of information security in the Malaysian Public Service. The study used
convenience sampling and collected data from 970 individuals through a survey. It was revealed
that spamming was the most prevalent (42%) followed by malicious codes (41%). Notably, it
was found that 25% of incidents were from internal sources where as 11% were from external
sources, with 49% being unknown sources. Findings on the maturity level showed that 61% of
respondents were at level 3, followed by 21% at level 2. At the higher end, only 13% were at
level 4 and a miniscule 1% were at level 5. The study did not directly study security awareness,
but the finding that the internal related incidents were prevalent suggests that security awareness
is a factor when taking into the account of other studies being discussed. While this study was
conducted in relation to the Malaysian Public Sector, similar investigation could be adopted to
investigate maturity levels of information security within the Australian Public Sector in which
TAFE South Australia belongs to.
Samy, Ahmad & Ismail (2010) was another study of information security within a noneducational industry in a non-Australian setting. The study aimed to investigate the various
types of threats which exist for Malaysian healthcare information systems. The systems in
question all belonged to government funded hospitals and data were collected from these
hospitals. The study identified 22 types of threats according to major threat categories based on
ISO27002. More importantly, the results showed that the most critical threat for these systems
were power failure followed by human error. While power failure may be unavoidable, the
human errors are not. Samy, Ahmad & Ismail (2010) stated that the human errors were due to a
lack of awareness and good practice among staff.
Similar to Samy, Ahmad & Ismail (2010), Williams (2008) studied the failure of the American
health industry in recognising the seriousness of information security threats to patients and
practice information. The study suggested that this failure is attributed to the lack of
understanding of security concepts, underestimating potential threats and the difficulty in setting
up security measures. In order to appreciate these factors, research into the general practitioner
security practice and perceptions of security was undertaken. It was found that poor security
measures implementation and a lack of knowledge were key factors. The results also showed
that information security was overwhelmingly reliant on trusting staff and the computer systems
themselves, rather than implementing an overall security policy, which the study recommended.
While Samy, Ahmad, & Ismail (2010) and Williams (2008) both investigated information
security in the context of the health industry from Malaysia and America respectively, it can be
posited that Australian based higher education institutions face similar threats due to the large
8
amount of confidential and personal data relating to students which exist in their database, thus
warranting further investigations.
2.5 Assessing Information Security Awareness
Since the proposed research is to assess information security awareness of TAFE South
Australia employees, this section provides a review of literature which has directly used various
methodologies in gauging awareness. This will provide an important basis for the proposed
methodology for this research.
Most of the literature reviewed so far has only briefly discussed employee or managerial
information security awareness in their studies, or has only implicated, assumed or posited the
importance of information security (Siponen & Vance 2010; Spears & Barki 2010; McFadzean,
Ezingeard & Birchall 2007; Knapp et al. 2006; Mouratidis, Jahankhani & Nkhoma 2008;
Hagen, Albrechtsen & Hovden 2008; Doherty, Anastasakis & Fulford 2009). Few studies have
actually directly assessed information security awareness.
In determining a positive relationship between information security awareness, employee
rationality based behaviours and policy compliance, Bulgurcu, Cavusoglu & Benbasat (2010)
included three simple questions in their questionnaire to gauge security awareness. These
questions are:
1. I know the rules and regulations prescribed by the ISP of my organisation.
2. I understand the rules and regulations prescribed by the ISP of my organisation.
3. I know my responsibilities as prescribed in the ISP to enhance the IS security of my
organisation.
(Bulgurcu, Cavusoglu & Benbasat 2010)
As can be seen, these questions are all directly relating to an organisation‟s existing information
security policy (ISP as stated in the questions) and do not involve gauging an employee‟s
awareness of information security concepts such as social engineering (Cervone 2005). While
there are clear limitations to the methodology of Bulgurcu, Cavusoglu & Benbasat (2010), the
study did provide a part example of how awareness can be gauged.
Similarly, the study by Namjoo et al. (2008) looked at information security awareness of
managers in determining its relationship and managerial action relating to prevention. Like
Bulgurcu, Cavusoglu & Benbasat (2010), simple questions were used to gauge awareness. The
questions were again limited in that they were only relevant in the context of an existing
security policy.
9
Perhaps the most extensive tool for assessing information security awareness was proposed by
Kruger, Drevin & Steyn (2010). Like many studies, Kruger, Drevin & Steyn (2010)
acknowledged that an organisation‟s survival necessitates a security program. Due to the
importance of information security awareness in ensuring a successful plan, the study proposed
that the starting point in developing a plan is to assess awareness levels of employees. The study
aimed to examine the feasibility of an information security awareness test for employees,
thereby identifying suitable topics to include in an information security awareness training
program. It was found that the use of a vocabulary test to assess awareness levels is beneficial in
gauging the awareness of employees. It is important to note however, that the test population
used by the study were all University students rather than employees from an actual
organisation. However, for the purpose of this proposed research, the vocabulary test proposed
by Kruger, Drevin & Steyn (2010) will be modified to fit the Australian organisational context
and will be used to assess awareness levels of TAFE South Australia employees. This will be
further discussed in the methodology section of this proposal.
2.6 Literature Review Summary
All studies reviewed above have identified information security as a key contributor of
successful security plans or measures. There is a clear gap in the reviewed literature in that very
little studies into information security awareness have been conducted for Australian
organisations. As a matter of fact, during the search for literature in relation to this proposal,
virtually nothing was found that were in an Australian context. This clearly justifies the
importance of the research being proposed, the result of which could provide an insight into the
awareness levels, and thus the information security readiness of Australian organisations.
Further, it would provide a means to gauge awareness and thus identifying any aspects of
information awareness requiring improvements to be included in a security training program or
security policy.
10
3 Methodology
This study is an investigative or case study. A questionnaire based on Kruger, Drevin & Steyn
(2010) will be developed to assess information security awareness of TAFE South Australia
employees. This questionnaire is to be delivered online (Web based) to ensure a greater reach,
thus ensuring enough responses is obtained for a conclusive data analysis.
3.1 Research Design
Based on the definition of Information security awareness by Bulgurcu, Cavusoglu & Benbasat
(2010), the questionnaire will be based on two sections:
1. Questions relating to general information security concepts
2. Questions relating to the organisation‟s security policy, similar to the three questions
used by Bulgurcu, Cavusoglu & Benbasat (2010)
It has not been finalised, but it is anticipated that section 1 questions will be based on generally
accepted terminology relating to information security in order to gauge an employee‟s general
knowledge about information security. A tentative sample question is provided as follow:
Sample multiple choice question – Spam is:
(a) Another word for e-mail or electronic messages
(b) A marketing technique
(c) Any unsolicited electronic mail
(d) All of the above
(e) I don‟t know
(Kruger, Drevin & Steyn 2010)
Again, the questions for section 2 has not been finalised, the questions will be relating to the
organisation‟s security strategy or plan in order to gauge the employee‟s awareness of any
existing strategy or plan. A tentative sample question is provided as follows:
Sample section 2 question – Does your organisation have a security policy?
(a) Yes
(b) No
(c) I don‟t know
In addition to the questions, respondents will be requested to provide their level within the
organisation such as non-management, management and executive management. This will
11
enable the results to be split into demographic sections in which results could be compared
against each demographical group.
3.2 Data Analysis
Each questions will be given an arbitrary score (yet to be determined) for the purpose of
performing qualitative analysis using descriptive statistics.
3.3 Expected Results
It is anticipated that like Anastasakis & Fulford (2009), an educational institution like TAFE
South Australia has a very low level of employee information security awareness. If this is to be
proven so, then further studies into how awareness can be improved will be suggested.
12
4 Ethics and Compliance
The University of South Australia is bound by the Australian Code for Responsible Conduct of
Research and the National Statement on Ethical Conduct in Human Research.
Due to the human involvement required in this study, an application for approval will be
submitted to the University‟s Human Research Ethics Committee before any human interactions
will take place.
In addition, verbal permission has already been obtained from TAFE South Australia to interact
with employees and to deliver appropriate questions to the employees, and to obtain relevant
data in relation to TAFE South Australia and its employees. However, as required by the
University of South Australia, written approval will be requested from the authorising body of
TAFE South Australia before any data collection or human interaction will take place.
Finally, the online questionnaire to be delivered as part of this study may involve gathering
information relating to psychological condition or collection of personal data and as required by
the University, the Insurance for Research Projects and Health Sciences Fieldwork form will be
submitted to the Human Research Ethics Committee to ensure that the project is covered by
insurance.
13
Reference
Bulgurcu, B, Cavusoglu, H & Benbasat, I 2010, „Information Security Policy Compliance: An
Empirical Study of Rationality-Based Beliefs and Information Security Awareness,‟ MIS
Quarterly, vol. 34, no. 3, pp. 523-A7.
Cervone, F 2005, „Understanding The Big Picture So You Can Plan For Network Security,‟
Computers in Libraries, vol. 25, no. 3, pp. 10- 15.
Doherty, NF, Anastasakis, L & Fulford, H 2009, „The information security policy unpacked: A
critical study of the content of university policies,‟ International Journal of Information
Management, vol. 29, no. 6, pp. 449-457.
Dzazali, S, Sulaiman, A & Zolait, AH 2009, „Information security landscape and maturity level:
Case study of Malaysian Public Service (MPS) organizations,‟ Government Information
Quarterly, vol. 24, no. 4, pp. 584-593.
Hagen, JM, Albrechtsen, E & Hovden, J 2008, „Implementation and effectiveness of
organizational information security measures,‟ Information Management & Computer Security,
vol. 16, no. 4, pp. 377-397.
Knapp, KJ, Marshall, TE, Rainer, RK, & Ford, FN 2006, „Information security: management's
effect on culture and policy,‟ Information Management & Computer Security, vol. 14, no. 1, pp.
24-36.
Kruger, H, Drevin, L & Steyn, T 2010, „A vocabulary test to assess information security
awareness,‟ Information Management & Computer Security, vol. 18, no. 5, pp. 316-327.
McFadzean, E, Ezingeard, J & Birchall, D 2007, „Perception of risk and the strategic impact of
existing IT on information security strategy at board level,‟ Online Information Review, vol. 31,
no. 5, pp. 622-660.
Mouratidis, H, Jahankhani, H & Nikhoma, MZ 2008, „Management versus security specialists:
an empirical study on security related perceptions,‟ Information Management & Computer
Security, vol. 16, no. 2, pp. 187-205.
Namjoo, C, Kim, D, Goo, J & Whitemore, A 2008, „Knowing is doing: An empirical validation
of the relationship between managerial information security awareness and action,‟ Information
Management & Computer Security, vol. 16, no. 5, pp. 484-501.
Samy, NG, Ahmad, R & Ismail, Z 2010, „Security threats categories in healthcare information
systems,‟ Health Informatics Journal, vol. 16, no. 3, pp. 201-209.
Siponen, M & Vance, A 2010, „Neutralization: New Insights Into The Problem Of Employee
Information Systems Security Policy Violations,‟ MIS Quarterly, vol. 34, no. 3, pp. 487-A12.
14
Spears, JL & Barki, H 2010, „User Participation in Information Systems Security Risk
Management,‟ MIS Quarterly, vol. 34, no. 3, pp. 503-A5.
TAFE South Australia 2011, TAFE South Australia, Adelaide, viewed 12 June 2011,
<http://www.tafe.sa.edu.au/about-tafesa.aspx>.
Thompson, STC 2006, „Helping the Hacker? Library Information, Security, and Social
Engineering,‟ Information Technology & Libraries, vol. 25, no. 4, pp. 222-225.
von Solms, R 1998, „Information Security Management (1): Why Information Security is so
Important,‟ Information Management & Computer Security, vol. 6, no. 4, pp. 174-177.
Williams, PAH 2008, „When trust defies common security sense‟ Health Informatics Journal,
vol. 14, no. 3, pp. 211-221.
15
Project Schedule
Task
Deadline
Status
Supervisor's Acceptance (Dr Sameera Mubarak)
Literature Search
Annotated Bibliography
Extended Abstract
Research Proposal
Submit Application to Ethics Committee
Obtain Written Authorisation from TAFE SA
Submit Project Insurance Form
Finalise questionnaire
Transfer Questionnaire to Web Platform
Begin Thesis Draft
Begin Data Collection
Further Literature Search
Data Analysis
Summarise Findings
Project Review and Thesis Draft
Complete Thesis
March
April
April
May
June
June
June
June
July
July
August
September
September
October
October
October
November
Completed
Completed
Completed
Completed
Completed
Commenced
Commenced
Commenced
Commenced
Waiting
Waiting
Waiting
Waiting
Waiting
Waiting
Waiting
Waiting
16
Trial Table of Contents
Abstract
1 Introduction
1.1 Partnership – TAFE South Australia
1.2 Researcher‟s Personal Interest
1.3 Potential Contributions
1.4 Limitations
1.5 Field of Thesis
1.6 Research Question
2 Literature Review
2.1 Information Security
2.2 Employee Information Security Awareness
2.3 Managerial Information Security Awareness
2.4 Other Relevant Literature
2.5 Assessing Information Security Awareness
2.6 Literature Review Summary
3 Methodology
3.1 Research Design
3.2 Data Analysis
4 Results
5 Conclusion
6 Recommendations
Reference
17