The Role And Importance Of Information Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

The role and importance of information security policy is gaining recognition in many large organisations. This is not the case for SMEs, however, because developing and adopting an information security policy requires a lot of time and resources (Doherty & Fulford, 2005). The resulting lack of awareness exposes an organisation to significant risk in securing and protecting its assets. This paper reports on information security awareness at an SME in Malaysia. The research aims to establish, among employees, 1) their awareness of information security and 2) the relationship between knowledge, attitude and behaviour and information security awareness. A survey questionnaire was used to collect data about information security awareness, and partial least squares was used for data analysis. The findings indicate that attitude and behaviour significantly influence the confidentiality, integrity and availability (CIA) of business information.

Keywords: small and medium enterprise; information security; information security awareness

Introduction

All organisations rely heavily on the internet, investing significant resources in it as a means to compete in today’s global marketplace (Tawileh, Hilton & McIntosh, 2007). This investment, however, exposes organisations to risks and threats that often result in major financial, brand and reputational losses. To protect against these risks and threats, companies often resort to security technology, implementing it as the medium for protecting company business information. However, according to Hearth and Rao (2007), technology alone has been found to be insufficient in ensuring security. End user commitment and behaviour play a profound role in ensuring the security and integrity of organisational business assets, information, hardware and networks.

Most organisations implement security technologies as a medium to protect company information, but technologies alone are insufficient. Security technologies and techniques can be misused and are themselves vulnerable to attack, thereby losing their usefulness (Siponen, 2000). Users’ responsibilities and behaviour towards safeguarding organisational assets, business information, computers and network resources cannot be dealt with by implementing security technologies alone.

Posthumus and von Solms (2004) derived three major elements of information security, which encompass safeguarding the confidentiality, integrity and availability of information and alleviating risks and threats through a series of security controls. Creating and maintaining security-positive behaviour to ensure information security is defined as information security awareness (Kruger & Kearney, 2006). ISF (2003) defines information security awareness as individuals being aware of their own security responsibilities, understanding the importance of information security appropriate to the organisation, and acting accordingly.

A recent survey by the Australian Chamber of Commerce and Industry (ACCI) revealed that 60% of small businesses suffered a security breach in 2012. PricewaterhouseCoopers reported that 76% of small businesses in the United Kingdom suffered security breaches which caused financial losses. Although information security is essential in protecting organisational assets, developing and enforcing it requires time and resources, which presents challenges to SMEs because of their size. In particular, SMEs are not prepared to adopt information security simply because a documented information security policy is not required of an organisation of their size (Kuusisto & Ilvonen, 2003; Doherty & Fulford, 2005). Nevertheless, it is important to know how end users perceive the information security measures adopted and whether they are aware of the information security policy implemented in the organisation. The research question is therefore formulated as: Is there a relationship between knowledge, attitude and behaviour and information security awareness? The research aims to determine the relationship among knowledge, attitude and behaviour and information security awareness using partial least squares.

Literature review and hypotheses

This section discusses the theoretical foundations for the research. Drawing on literature on information security and social psychology, we seek to establish and test a theoretical model.

Maintaining information security generally focuses on protecting three main aspects of information: confidentiality, integrity and availability (Kruger & Kearney, 2006; McLeod & Schell, 2008). Confidentiality, integrity and availability (CIA) serve as the major and critical attributes for information security management objectives (Ma, Johnston, & Pearson, 2008). According to McLeod and Schell (1997), confidentiality refers to the protection of data and information from disclosure to unauthorised persons; integrity to providing an accurate representation of the physical reality that the data represents; and availability to allowing those who are authorised to have access to the data. An attack is therefore detrimental to an organisational asset by affecting its confidentiality, integrity or availability, with the consequent possibility of business losses.

According to Cox, Connolly and Currall (2001), human behaviour is crucial in ensuring an effective environment for information security, which cannot rely entirely on technical solutions. Drawing on the field of social psychology, Kruger and Kearney (2006) developed a prototype for measuring information security awareness using knowledge, attitude and behaviour (KAB). The underlying theory of KAB is that it seeks to understand the relationship between these three components, suggesting that as knowledge accumulates in a relevant domain, for example information security, health or education, it eventually initiates a change in attitude that gradually initiates a change in behaviour.

Throughout the research, information security awareness is treated as an integrated model encompassing KAB (Baranowski et al., 2003; Kruger & Kearney, 2008; Khan et al., 2011) and the components of information security, including CIA (Wang, 2005; Kruger & Kearney, 2008; Andress, 2011). In KAB, knowledge focuses on what an employee knows; attitude on what an employee thinks; and behaviour on what an employee does.

Accordingly, knowledge is based on the user's knowledge of how to behave in a given situation (Kruger & Kearney, 2008). The ability to maximise the confidentiality, integrity and availability of information depends on knowing what each concept means (Kruger, Drevin & Steyn, 2010). For example, in order to minimise virus infection by using the internet and e-mail responsibly, knowing that scanning all e-mail attachments and accessing only trusted sites maximises the confidentiality of data; knowing that strong passwords protect the integrity of data from unauthorised access; and knowing that regular backups to alternative locations maximise the availability of data (Kruger, Drevin & Steyn, 2007). Knowledge of security is vital for information security awareness since it concerns users' knowledge of security and their ability to distinguish threats and attacks (Sabeeh & Lashkari, 2011). Therefore, it is hypothesised that:

H1a: There is a significant relationship between knowledge and confidentiality.

H1b: There is a significant relationship between knowledge and integrity.

H1c: There is a significant relationship between knowledge and availability.

Attitude refers to users’ attitude (how they feel, or their beliefs) towards the possible consequences of such behaviour (Kruger & Kearney, 2008). Users believe that by maximising the integrity of data, the consistency of data can be maintained so as to minimise unauthorised access (Kruger & Kearney, 2005). Users believe that keeping a password secret, and not writing it down or giving it to others, protects against unauthorised access, which in turn maximises the confidentiality of data (Kruger & Kearney, 2006). Similarly, users may believe that maximising availability through uninterrupted use of data is simply a matter of making sure that hardware and equipment are available and in working condition (Kruger, Drevin, & Steyn, 2007). Thus, we hypothesise:

H2a: There is a significant relationship between attitude and confidentiality.

H2b: There is a significant relationship between attitude and integrity.

H2c: There is a significant relationship between attitude and availability.

The notion of behaviour is based on what the employee does and relates to actual behaviour (Kruger & Kearney, 2008). Examples are keeping passwords secret, and making sure that a password is strong and remains strong (Kruger, Drevin & Steyn, 2010). Scanning e-mail attachments for viruses is good practice to prevent the loss of data through virus infection, which can further compromise the integrity of data. Regularly running data backups to other locations prevents disruption to the availability of data. Thus, it is hypothesised that:

H3a: There is a significant relationship between behaviour and confidentiality.

H3b: There is a significant relationship between behaviour and integrity.

H3c: There is a significant relationship between behaviour and availability.

Figure 1 shows the theoretical model for this research.

Figure 1: Research model

Research design

Research Context

The research was conducted with employees of a small and medium enterprise in Malaysia as research participants. The company operates in the aeronautical industry and primarily focuses on developing aerospace technologies. A survey questionnaire was used as the instrument.

Population and Sampling

The estimated population for the research is 110. Because of the small population size, the questionnaire was distributed to all respondents in the population.

Measures

The instrument was designed to evaluate employees’ information security awareness and consists of 31 items. It uses a seven-point Likert scale to measure the knowledge, attitude, behaviour, confidentiality, integrity and availability attributes, where 1 means strongly disagree and 7 means strongly agree.

Data Analysis

Descriptive analysis and reliability analysis were carried out using SPSS version 16 for Windows. A path analysis approach was adopted using SmartPLS 2.0 version M3.

Results

Descriptive Profile of Sample

Table 1 shows the breakdown of respondents by gender, age and number of years of experience in information systems. The analysis is reported as frequency and percentage.

Table 1: Profile of Respondents

Profile of Respondents | Frequency | %
Gender: Male | 64 | 75.3
Gender: Female | 21 | 24.7
Age: 21-30 | 9 | 10.6
Age: 31-40 | 20 | 23.5
Age: 41-50 | 19 | 22.4
Age: Above 50 | 37 | 43.5
Number of years of experience in IS: 1-3 | 9 | 10.6
Number of years of experience in IS: 4-6 | 15 | 17.6
Number of years of experience in IS: 7-9 | 8 | 9.4
Number of years of experience in IS: 10-12 | 20 | 23.5
Number of years of experience in IS: More than 12 | 33 | 38.8
Total | 85 |

The table shows that the majority of respondents were male (75.3%). The age distribution shows that the largest group of respondents belongs to the age group above 50 years old (43.5%). As the organisation's core business involves aerospace technologies, retired employees from related industries are hired for their skill and experience. The largest group of respondents (38.8%) have more than 13 years of experience in information systems.

Descriptive Profile of Measurement Item

Table 2 shows the results of the Likert-scale measures. In general, the mean values for knowledge, attitude, behaviour, confidentiality, integrity and availability are well above 5.00, indicating that the majority of respondents agree with the statements.

Table 2: Profile of Likert-scale Measures

Measures | Mean
Knowledge |
I have the necessary knowledge to handle information security in my working situation. (K1) | 5.74
I know what information security is. (K2) | 5.56
I know what an information security incident is. (K3) | 5.48
Internet access on the company’s system is a corporate resource and should be used for business purposes only. (K4) | 6.21
Phishing e-mail is the act of stealing users’ sensitive and personal information. I am familiar with this threat. (K5) | 6.13
Average knowledge score | 5.83
Attitude |
My practice in handling sensitive information is appropriate and effective. (A1) | 6.46
My practice in exercising care when opening a suspicious email is a wise move. (A2) | 6.45
In my view, using a password protected computer is a wise idea. (A3) | 6.67
The thought of using an antivirus program is appealing to me. (A4) | 6.49
Using the Firewall system at work is a good idea. (A5) | 6.56
Average attitude score | 6.53
Behaviour |
I am aware that I should never give my password to somebody else; however, my work is of such a nature that I do give my password from time to time to a colleague that I trust. (B1) | 5.39
I do not open email attachments if the content of the email looks suspicious. (B2) | 6.50
Before reading an email, I will first check if the subject and the sender make sense. (B3) | 6.55
I never give my personal information (like home/email address, telephone number, etc.) to unknown websites. (B4) | 6.74
I never download files (like documents, music, pictures, software, etc.) from the Internet if the files are from unknown people. (B5) | 6.22
I pay attention to anti-virus updates every time I use a computer. (B6) | 5.52
Average behaviour score | 6.16
Confidentiality |
Your company has well implemented security practices to protect important information from being stolen by malicious intrusions (such as break-ins, Trojans, and spyware). (C1) | 6.24
Unauthorized employees are prohibited from accessing the company’s information resources. (C2) | 6.74
Information security measures are implemented in your company to prevent sensitive information from unauthorized disclosure. (C3) | 6.35
Logging all access attempts to confidential files is mandatory. (C4) | 6.58
Physical access control is always the no.1 priority. (C5) | 6.79
Average confidentiality score | 6.54
Integrity |
The database is periodically reconciled and regularly maintained in order to increase the accuracy and reliability of information. (I1) | 6.44
When acquiring important information from information sources or business partners, the information will be stored in the company’s database. (I2) | 6.58
Your company has security controls (such as change management procedures) in place to prevent unauthorized information changes (creation, alteration, and deletion). (I3) | 6.36
Information should be protected or secured from unauthorized use. (I4) | 6.81
The privacy of employees and customers should be protected. (I5) | 6.84
The integrity of the information on systems must be maintained. (I6) | 6.76
Average integrity score | 6.63
Availability |
The probability of information system breakdown and information service disruption in my organization is low. (Av1) | 5.92
A legitimate user with business needs can access company information at any time and at any place. (Av2) | 6.53
The company should have redundancy in hardware to tolerate hardware failure. (Av3) | 6.78
All servers should be continuously available to their clients. (Av4) | 6.76
Average availability score | 6.50

Partial Least Square Findings

Partial least squares is a predictive modelling technique for detecting relationships among constructs. Construct validity is established to ensure the reliability and validity of the measures that represent a construct. Several criteria are assessed: composite reliability (above 0.6), average variance extracted (AVE) (above 0.5), and discriminant validity, which must be established (Henseler, Ringle, and Sinkovics, 2009). Table 3 summarises the reliability and validity of each construct. The table shows that item reliability ranges between 0.523 and 0.927, an acceptable level as it is above the recommended threshold of 0.50 (Hair et al., 1998). Composite reliability ranges between 0.89 and 0.93, indicating an acceptable scale; the scores are above 0.60, as recommended by Bagozzi and Yi (1988). Average variance extracted (AVE) is above 0.50 for every construct, which indicates an acceptable construct (Fornell and Larcker, 1981). Since all reliability and validity tests are satisfied, construct validity is established.

Table 3: Loading, CR and AVE

Construct | Item | Item reliability | Composite reliability | AVE
Knowledge | | | 0.926 | 0.718
 | K1 | 0.869 | |
 | K2 | 0.902 | |
 | K3 | 0.756 | |
 | K4 | 0.750 | |
 | K5 | 0.824 | |
Attitude | | | 0.934 | 0.739
 | A1 | 0.815 | |
 | A2 | 0.843 | |
 | A3 | 0.812 | |
 | A4 | 0.738 | |
 | A5 | 0.790 | |
Behaviour | | | 0.895 | 0.631
 | B1 | 0.788 | |
 | B2 | 0.831 | |
 | B3 | 0.832 | |
 | B4 | 0.523 | |
 | B5 | 0.684 | |
 | B6 | 0.796 | |
Confidentiality | | | 0.890 | 0.619
 | C1 | 0.819 | |
 | C2 | 0.628 | |
 | C3 | 0.834 | |
 | C4 | 0.768 | |
 | C5 | 0.801 | |
Integrity | | | 0.921 | 0.662
 | I1 | 0.782 | |
 | I2 | 0.777 | |
 | I3 | 0.807 | |
 | I4 | 0.927 | |
 | I5 | 0.893 | |
Availability | | | 0.892 | 0.677
 | Av1 | 0.629 | |
 | Av2 | 0.756 | |
 | Av3 | 0.847 | |
 | Av4 | 0.770 | |

The inter-construct correlations are shown in Table 4, with the square root of each construct's AVE on the diagonal. The square roots of AVE were higher than the correlations, thus supporting discriminant validity.

Table 4: Inter-construct Correlations (diagonal = square root of AVE)

 | K | A | B | C | I | Av
Knowledge (K) | 0.847 | | | | |
Attitude (A) | 0.653 | 0.860 | | | |
Behaviour (B) | 0.774 | 0.674 | 0.795 | | |
Confidentiality (C) | 0.701 | 0.709 | 0.791 | 0.787 | |
Integrity (I) | 0.638 | 0.608 | 0.669 | 0.883 | 0.814 |
Availability (Av) | 0.539 | 0.697 | 0.638 | 0.791 | 0.810 | 0.822
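As an added example (not code from the paper, and not SmartPLS output), the following Python implements the three construct-validity criteria applied in the Partial Least Square Findings section: composite reliability (CR above 0.6), average variance extracted (AVE above 0.5), and the Fornell-Larcker discriminant-validity test, under which the square root of each construct's AVE must exceed its correlation with every other construct. The item loadings fed to the CR and AVE functions are constructed sample values; the correlation matrix is the one reported in Table 4. Two further checks are included: that the Table 4 diagonal agrees with the square roots of the Table 3 AVE values (it does, to within rounding), and which pairs in Table 4 fail the Fornell-Larcker criterion. Run on Table 4, the latter flags the behaviour/confidentiality (0.791), integrity/confidentiality (0.883) and availability/confidentiality (0.791) correlations, each of which exceeds the 0.787 square-root AVE of confidentiality; a reviewer would want those reconciled with the discriminant-validity claim above.

```python
"""Construct-validity checks for a PLS measurement model.

Added example, not the paper's code. The loadings in SAMPLE_LOADINGS are
constructed; TABLE3_AVE and TABLE4 are the values reported in the paper.
"""
from math import sqrt


def composite_reliability(loadings):
    """CR = (sum L)^2 / ((sum L)^2 + sum(1 - L^2)) for standardised loadings L."""
    s = sum(loadings)
    error_variance = sum(1.0 - l * l for l in loadings)
    return (s * s) / ((s * s) + error_variance)


def average_variance_extracted(loadings):
    """AVE = mean of the squared standardised loadings."""
    return sum(l * l for l in loadings) / len(loadings)


def fornell_larcker_violations(names, sqrt_ave, corr):
    """Return (row, col, r) for every pair whose correlation r is not below
    the square root of AVE of BOTH constructs involved.

    corr is lower-triangular: corr[i][j] holds the correlation for j < i.
    """
    violations = []
    for i in range(len(names)):
        for j in range(i):
            r = corr[i][j]
            if r >= sqrt_ave[i] or r >= sqrt_ave[j]:
                violations.append((names[i], names[j], r))
    return violations


# Constructed sample loadings for one four-item construct (not from the paper).
SAMPLE_LOADINGS = [0.80, 0.85, 0.70, 0.75]

# AVE per construct as reported in Table 3 of the paper.
NAMES = ["K", "A", "B", "C", "I", "Av"]
TABLE3_AVE = [0.718, 0.739, 0.631, 0.619, 0.662, 0.677]

# Table 4 of the paper: below-diagonal = correlations, diagonal = sqrt(AVE).
TABLE4 = [
    [0.847],
    [0.653, 0.860],
    [0.774, 0.674, 0.795],
    [0.701, 0.709, 0.791, 0.787],
    [0.638, 0.608, 0.669, 0.883, 0.814],
    [0.539, 0.697, 0.638, 0.791, 0.810, 0.822],
]


def table4_sqrt_ave():
    """The diagonal of Table 4."""
    return [row[i] for i, row in enumerate(TABLE4)]


def diagonal_matches_table3(tolerance=0.002):
    """True if each Table 4 diagonal entry equals sqrt(Table 3 AVE) within rounding."""
    return all(abs(sqrt(ave) - d) <= tolerance
               for ave, d in zip(TABLE3_AVE, table4_sqrt_ave()))


def table4_violations():
    """Fornell-Larcker violations found in the paper's Table 4."""
    return fornell_larcker_violations(NAMES, table4_sqrt_ave(), TABLE4)


if __name__ == "__main__":
    print("sample CR  =", round(composite_reliability(SAMPLE_LOADINGS), 3))
    print("sample AVE =", round(average_variance_extracted(SAMPLE_LOADINGS), 3))
    print("Table 4 diagonal consistent with Table 3 AVE:", diagonal_matches_table3())
    for row, col, r in table4_violations():
        print(f"Fornell-Larcker violation: {row}-{col} correlation {r}")
```

The CR and AVE formulas use standardised loadings, so each item's error variance is 1 minus its squared loading; the Fornell-Larcker check is deliberately written against a lower-triangular matrix because that is the form in which such tables are normally reported.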

Figure 2 shows the path results for the research model. The values stated on each path are the path coefficient and the t-value (in brackets). The figure itself is not reproduced here; the values it carries for the nine paths from knowledge, attitude and behaviour to confidentiality, integrity and availability are 0.34 (1.98)*, 0.49 (3.94)**, -0.05 (0.44), 0.50 (4.41)**, 0.23 (1.47), 0.29 (2.26)*, 0.12 (0.98), 0.22 (1.56) and 0.34 (2.70)**, with R2 = 68.9% for confidentiality, R2 = 51.1% for integrity and R2 = 53.9% for availability.

Figure 2: Path Results

68.9% of the variance in confidentiality is explained by attitude and behaviour. 51.1% of the variance in integrity is explained by behaviour. 53.9% of the variance in availability is explained by attitude and behaviour. Of the original nine hypothesised relationships, five were found to be significant.

Surprisingly, there is no significant relationship between knowledge and confidentiality, integrity or availability. The findings indicate that attitude and behaviour are the determinants of confidentiality, suggesting that employees have the necessary attributes of attitude and behaviour to perform the measures that ensure the confidentiality of information. The findings also show that only behaviour influences integrity, suggesting that users have the necessary behavioural attributes to ensure integrity. Finally, only attitude and behaviour are determinants of availability, suggesting that users have the necessary attributes of attitude and behaviour, while knowledge is not significant for availability.

Conclusion

This study started with a concern over information security awareness among SMEs. In line with the research objectives, this research has attempted to evaluate information security awareness among employees in an SME. The findings are summarised as follows:

The findings indicate a significant relationship between users’ attitude and behaviour and information security awareness. Knowledge showed no significant relationship with information security awareness.

The findings also indicate that attitude and behaviour have a significant relationship to confidentiality, suggesting that employees are aware of their responsibilities in maintaining the confidentiality of business information and resources.

Feedback from users indicates that they lack the necessary knowledge to handle information security issues such as phishing e-mail. This could explain the non-significance of the knowledge construct. The organisation should play a role in educating employees and improving their knowledge of information security.

Cyber Security Malaysia has published Information Security guidelines for Small and Medium Enterprises (SMEs). The guideline sets out the important aspects of handling information security and the basic principles for putting information security into practice.

The research has a limitation that should be acknowledged. The sample in this study is limited to one organisation, so the findings cannot be generalised to all SMEs. Future work should consider replicating the study in other SMEs.
