A Model to Measure Information Security Awareness Level in an Organization: Case Study of Kenya Commercial Bank.


A Model to Measure Information Security Awareness Level in an Organization: Case Study of Kenya Commercial Bank.

ERIC ANDERSON KABUGU MUGO

Submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information Technology

Faculty of Information Technology, Strathmore University, Nairobi, Kenya

June, 2012

Declaration

I declare that this work has not been previously submitted and approved for the award of a degree by this or any other University. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made in the thesis itself.

Approval

The thesis of Eric A. K. Mugo was reviewed and approved by the following:

Name of Supervisor, Faculty Affiliation, Institution
Head of School/Institute/Faculty, School Name
Dean, School of Graduate Studies

Abstract

Information Security awareness forms a key basic part of the Information Security strategy of most organizations. Organizations that are more conscious of Information Security invest more in it than organizations that are less conscious; this can be seen in the financial and telecommunications industries as compared to the agricultural industry. Information Security awareness is an investment that organizations make to ensure that the human aspect of Information Security is taken care of. The majority of organizations that invest in Information Security awareness do not measure the levels of awareness among their staff, and so cannot identify the impact of their investment. Measurement of Information Security awareness results in value add such as a positive change in staff attitudes towards Information Security, a corresponding increase in Information Security knowledge and a more secure organization. The value add comes with other benefits such as reduced Information Security incidents and frauds, a more knowledgeable staff and an Information Security team with visibility into the organization's general predisposition to Information Security challenges as well as its general awareness. This study aims at expounding on the various techniques used to impart awareness, and at proposing a model that can be used to measure Information Security awareness levels in a local financial institution. The specific objectives of the research were achieved through a qualitative technique. The required data was collected from local members of the Information Security profession who possess the relevant knowledge in the area of Information Security. Following analysis of the responses from the local Information Security professionals, the model developed was based on the Kruger and Kearney awareness measurement model, with specific modifications to suit the requirements of local financial institutions.

The modifications to the model were based on a local banking institution for purposes of testing and validating the model. The modifications are a result of the findings from the survey.

Table of Contents

Declaration... i
Abstract... ii
List of Tables... vii
List of Figures... viii
Acknowledgement... ix
Dedication... x

Chapter 1: Introduction
1.1 Background
1.2 Problem Statement
1.3 Research Objectives
1.4 Research Questions
1.5 Justification
  Academic Circles
  Local Banks Management
1.6 Scope
1.7 Limitations... 5

Chapter 2: Literature Review
2.1 Introduction
2.2 Establishing Information Security Awareness Techniques
  2.2.1 The Puhakainen Perspective
  2.2.2 The ENISA Perspective
  2.2.3 The Rudolph, Warshawsky and Numkin Perspective
  2.2.4 The Vroom and von Solms Perspective
  2.2.5 The Cone, Irvine, Thompson and Nguyen Perspective
  Information Security Awareness Techniques Summary
2.3 Comparison of existing models to measure awareness levels in organizations
  The Kruger and Kearney Perspective
  The Martins and Eloff Perspective
  The Veiga, Martins and Eloff Perspective
  The Schlienger and Teufel Perspective
  The Stanton et al. Perspective
  The Kruger et al. Perspective
  The Zakaria and Gani Perspective
  The Tessem and Skaraas Perspective
  The Mathisen Perspective
  The Morteza Perspective
  Summary of Measurement Metrics Perspectives
  Factors to Consider in establishing an Awareness Measuring Model
  The NIST Perspective
  The Kajava and Savola Perspective
  The Siponen Perspective
  Summary and Conclusions

Chapter 3: Research Methodology
  Introduction
  Research Design
  Population and Sampling
    Population
    3.3.2 Sampling Design and Sample Size
  Data Collection Methods
  Research Procedures
  Data Analysis Methods
  Chapter Summary

Chapter 4: Presentation of Research Findings
  Introduction
  Demographic Information
    Gender of the Respondents
    Organization Structure
    Respondents' Roles in their Respective Organizations
  Information Security Awareness Techniques
  Information Security Awareness Techniques Effectiveness
  Problems Affecting Information Security Awareness Programs
  Outsourcing of Information Security
  Measurement of Information Security Awareness Levels
  Findings
    Need to Measure Awareness in Organizations
    Measuring of Information Security Awareness Levels Enables an Organization to Measure Change in Behaviour
    Information Security Awareness Measured at Individual and Organization Level
    Vocabulary Test to Measure Awareness Levels
    Scope of Measuring Information Security Awareness Levels
    Levels of Awareness Desired by Respondents
    Information Security Awareness Metrics
    Structure Based Measurement
4.7 Summary

Chapter 5: Proposed Information Security Awareness Measurement Model
5.1 Introduction
  Information Security Awareness Model Measurement Review
    Kruger and Kearney (2005) Prototype Details
    Limitations of the Kruger and Kearney Prototype
    Kruger and Kearney Prototype Summary
  Proposed Information Security Awareness Measurement Model
    Features of the Proposed Model
    Modifications and Additions to Proposed Model
  Validation of Proposed Information Security Awareness Measurement Model
    Simplified Section of the Model
    Allocation of Weights to Different Sections of the Model
    Validation
  Summary and Conclusions

Chapter 6: Conclusions and Recommendations
  Research Summary
  Benefits of this Study
  Recommendations
  Areas of Further Research

APPENDICES
  Appendix A: Letter of Introduction
  Appendix B: Questionnaire
  Appendix C: Information Security Questions
  Appendix D: Information Security Policy

List of Tables

Table 2.1 Information Security Awareness Techniques
Table 2.2 Impact of Different User Behavior based on their Expertise and Intentions... 17
Table 2.3 Impact of Different User Behavior based on their Expertise and Intentions (cont'd)
Table 5.1 Kruger and Kearney (2005) Focus Areas
Table 5.2 Kruger and Kearney (2005) Awareness Program... 51
Table 5.3 Simplified Model Weightings... 61

List of Figures

Figure 4.1 Gender of Respondents
Figure 4.2 Organization Population
Figure 4.3 Staff Members of the Information Security Team
Figure 4.4 Current Position
Figure 4.5 Years Worked in Current Position
Figure 4.6 Years Worked in Current Organization
Figure 4.7 Information Security Awareness Techniques
Figure 4.8 Effectiveness of Information Security Awareness Techniques
Figure 4.9 Problems Affecting Information Security Awareness Programs
Figure 4.10 Outsourcing of Information Security Awareness
Figure 4.11 Need to Measure Awareness
Figure 4.12 Change in Security Behaviour Due to Awareness Measurement
Figure 4.13 Measurement at Organization and Individual Levels... 42
Figure 4.14 Use of Vocabulary Test
Figure 4.15 Scope of Information Security Awareness
Figure 4.16 Levels of Awareness Desired... 45
Figure 4.17 Information Security Awareness Metrics
Figure 4.18 Organization Structure Measurement... 47
Figure 5.1 Kruger and Kearney (2005) Prototype
Figure 5.2 Proposed Information Security Awareness Measurement Model
Figure 5.3 Additions and Modifications in Dotted Lines
Figure 5.4 Simplified Section of the Model
Figure 5.5 Information Security Measurement Model Validation

Acknowledgement

This thesis would not have been possible without the assistance, support, guidance and encouragement of many people. First, I wish to extend my deeply felt gratitude to my supervisor, Dr. Cyrus Wekesa, for his support and guidance from the inception stage of this thesis to maturity. I also acknowledge the work of other writers that I have referenced, however small its part in this proposal. I would like to extend my gratitude and thanks to my colleagues and classmates for the support, advice and encouragement that helped me complete my research in record time. I acknowledge the support given by my family and fiancée, for their understanding and endurance as I committed most of my time to this research. Lastly, I would like to thank the Almighty God for providing the resources and energy to make this thesis a reality.

Dedication

This work is dedicated to my parents, Ephraim Kamanga Mugo and Lydia Wangare Mugo, whose encouragement and support gave me the drive to carry on and who taught me that every dream is preceded by a goal, and to all my friends, who are my inspiration.

Chapter 1: Introduction

1.1 Background

The banking industry has witnessed high capital investments in new information systems, which have enabled the banks to release new innovative products aimed at different segments of the population. Banks have laboured to increase the number of account holders in an effort to raise their cash deposits. They have also leveraged technology in an effort to increase revenues through alternative channels such as mobile and internet banking. The increasing use of and reliance on information systems means that banking organizations are continuously collecting and storing information about their clients, as well as the banks' own vast amount of business intelligence information. Most banks have made heavy investments in Information Security technology and continue to do so. One very crucial aspect of Information Security is Information Security awareness, which is not covered by technology and relies completely on human awareness. In an effort to continuously improve their Information Security, banking organizations have implemented Information Security awareness programs and campaigns. The aim of these programs is to harness the power of knowledgeable users to protect the organization's information assets. The effectiveness of these awareness campaigns is in most cases not measured. The focus of this thesis will be on the measurement of awareness levels within an organization. The less aware the staff are of Information Security, the more vulnerable the organization is, and vice versa; hence the need for measurement, to correctly identify the level of awareness that an organization requires. Mitnick (2002) argues from a socio-technical view of Information Security, where Information Security is not a problem of technology but a management and people problem. According to Siponen (2000), Information Security awareness refers to users being aware of their obligations under the security policy of their organization.

A lot of research has been done on various aspects of Information Security awareness. Furnell et al. (2002) argue that an Information Security policy is only effective when users know, internalize and abide by the precautions set forth in it. According to Hall, Sarkani and Mazzuchi

(2011), Information Security strategy implementation is a challenge for most organizations, and one of its key pillars is Information Security awareness. Kruger and Kearney (2006) point out that Information Security awareness focuses on creating and maintaining a positive Information Security environment in an organization. In such an environment, implementation of and adherence to Information Security policies and standards stands a better chance of success. Identifying and quantifying the success of current Information Security awareness efforts indicates poor results in terms of awareness levels. The CSI (2008) survey indicates that less than 5% of Information Security budgets was spent on awareness initiatives. In previous research in this area, and also in professional circles, the terms Information Security awareness, Information Security education and Information Security training are used interchangeably. These terms should not be confused, since they actually have different meanings. The Information Security Forum (ISF, 2003) defines Information Security awareness as the state in which members of staff understand information security, its importance to the organization, and their individual responsibilities related to it.

1.2 Problem Statement

Most financial organizations such as banks and insurance companies conduct information systems security awareness programs to sensitize their staff to the main information systems security risks facing their business and the associated control measures. This is done in the knowledge that even in the presence of software and hardware controls, employees use data and systems, including mobile devices, and in the absence of appropriate levels of Information Security awareness these users could potentially be the weakest link in the Information Security process.

The approaches and techniques used to impart security awareness knowledge vary from one organization to the next. However, those organizations do not measure the impact of their awareness initiatives in order to establish whether awareness is at an acceptable level. This

difficulty in measuring Information Security awareness levels exists because there is no effective model that can be used to aid in measuring them. In summary, Information Security awareness initiatives consume valuable resources and are geared towards meeting important business and security goals for the organization. It is therefore very important to measure the impact of these initiatives by identifying and assessing the knowledge that an organization's staff have regarding Information Security. The lack of a model to measure Information Security awareness levels in the Kenyan context is one of the main problems that has hampered efforts to know just how aware staff are of Information Security.

1.3 Research Objectives

The general objective of this research is to focus on the measurement of Information Security awareness levels with a view to proposing a model that can be utilized by a local bank. This research will also touch on how awareness activities are carried out, as well as the effectiveness of those activities. The specific objectives are the following:

i. Establish the techniques used to impart information systems security awareness and their effectiveness.
ii. Establish the extent to which Kenyan banking organizations measure their information systems security awareness levels.
iii. Develop a Security Awareness Measurement Model that can be adopted in a Kenyan banking organization.
iv. Test the Security Awareness Measurement Model in a Kenyan banking organization.

1.4 Research Questions

i. How do Kenyan banking organizations carry out Information Security awareness, and how effective are they?

ii. How do Kenyan banking organizations measure their Information Security awareness levels?
iii. Which Information Security Awareness Measurement Model can be utilized effectively in a Kenyan banking organization?
iv. What is the outcome of the Information Security awareness model designed for Kenyan banking organizations?

1.5 Justification

This study is beneficial to the following parties:

Academic Circles

The study will provide valuable information on the status of current banking organizations' techniques and models and/or frameworks that are in use to increase levels of Information Security awareness. The study will also help bring to the fore the issue of measuring awareness levels, and whether such measurement exists. Kimwele, Mwangi and Kimani (2011) emphasize the need for appropriate metrics when it comes to Information Security investments.

Local Banks Management

I.T. management will benefit from this study by gaining a model that they can use to measure the levels of awareness within their respective organizations. By knowing the levels of awareness, they will be able to come up with better training programmes that focus on the identified weak areas. They can also use the results to justify an increase in budget allocation to Information Security. Continuous education on matters of Information Security is very important. Most banking organizations have implemented state-of-the-art technologies to defend and protect their information assets. In response, criminals have devised new, sophisticated ways to attack organizations, e.g. through social network portals. A model to measure awareness levels will help identify these weak areas so that they can be addressed. Hansche (2001) argues that an organization's staff are

one of the most important factors in ensuring Information Security. According to her, most employees cause IS security incidents because they are not aware of the consequences of their actions. More importantly, the single most important asset in detecting and preventing IS security incidents is users who are aware of and conversant with Information Security issues. Mathisen (2004) argues that investment in Information Security training must compete with other investments, whether in Information Technology or in Information Security. By measuring the change in people's behaviour that results from the implemented training and campaigns, requests for budget are more likely to be granted, because a solid proposal can be presented. Posthumus and von Solms (2004) argue that Information Security can and should be integrated with the overall functions of management, i.e. directing and controlling. As such, organizations with an Information Security governance framework in place need feedback on what is going on in terms of Information Security within the organization.

1.6 Scope

Kankanhalli et al. (2003) point out that financial organizations have more stringent security than most industries. According to Jarvenpaa and Ives (1990), banking products are based on and run on information, and this information is now stored and processed by systems. Kankanhalli et al. (2003) also point out that small and medium-sized organizations have not engaged in as many activities to secure their information systems as large organizations. Therefore we can see that, in terms of size, large organizations tend to invest more in Information Security. We can also conclude that, in terms of industries, financial organizations and telecommunications companies tend to invest more in Information Security than other organizations. It therefore makes practical sense to focus the research on a banking organization.

1.7 Limitations

Information Security is primarily about securing information. Getting access to banks' information regarding a topic of interest such as awareness levels may prove to be a challenge

due to the suspicion it may generate within the respective organizations. Banking organizations especially have stringent policies on sharing of information, and getting approval for certain individuals to give information may be lengthy in terms of time.

Chapter 2: Literature Review

2.1 Introduction

The literature review has been organized into three main themes. The first section reviews various techniques used to impart Information Security awareness and their effectiveness. The second section reviews studies done on existing models to measure awareness levels in organizations. The last section focuses on establishing the various success factors that need to be considered while developing a model to measure awareness levels in a banking organization. In this chapter the first and second objectives of this study are addressed by reviewing various studies completed in the past.

2.2 Establishing Information Security Awareness Techniques

According to Kruger and Kearney (2006), Information Security awareness is a dynamic and ongoing process, made more complex by risks that continuously adapt to the current environment. Siponen (2001) argues that for a long time information security was taken seriously only by organizations whose core business demands high levels of security. Kruger, Drevin and Steyn (2010) propose a method of testing Information Security awareness that makes use of cognitive psychology. Thomson and von Solms (1998) discuss the use of social psychology as one of the effective means of conducting Information Security awareness. From the above, various schools of thought exist regarding awareness initiatives and their effectiveness. Furnell (2002) further points out that most organizations do not understand how to go about conducting Information Security awareness. Most organizations focus on technical solutions and ignore human-based solutions, which are more cost effective and can potentially give higher returns on investment; moreover, the human factors of Information Security need to be taken care of before making use of technology.

According to Whitman (2010), while security awareness is the base, security education is used to maintain and grow the awareness levels in the organization. This can be done at the point of entry for employees and

during major information system upgrades or implementations. According to Whitman and Mattord (2011), Information Security training takes a very specific and direct approach to Information Security, and is mainly either done in-house or outsourced. In a nutshell, Information Security education and training are used to enhance Information Security awareness levels in an organization. Schlienger and Teufel (2003) discuss this, where awareness and training programs lead from "become aware" to "stay aware" and end in "be aware", which changes a security culture definitively. They concluded that one has to focus on the organizational culture in addressing the human element, so as to minimize risks to information assets, and concentrate on the information security culture of the organization.

2.2.1 The Puhakainen Perspective

According to Puhakainen (2006), 59 techniques to impart awareness have been brought to the fore by scholars and practitioners. A combination of several approaches is recommended as a way to increase awareness. The main overriding factor in deciding which approach to use is which technique will most effectively bring about a positive change in users' attitudes towards information security. A good example is presented whereby management is expected to follow good information security practices; once other users are trained, they will follow suit and observe those practices. Puhakainen (2006) argues that information security can be looked at from three perspectives, which assist when deciding on the best technique to use to impart knowledge. These are the technical perspective, the social perspective and the socio-technical perspective. The technical perspective focuses on technical measures considered to be important in information systems security. This can be in the form of technical controls put in place to force users to comply.

It could also mean implementing surveillance using technology to identify and root out non-compliant users. The social perspective mainly looks at users' perceptions and motivational factors with respect to compliance with Information Security policies and regulations. The social aspect also addresses organizational issues related to Information Security. The socio-technical perspective, a combination of the social and technical perspectives,

seeks to bridge the gap between the social and technical aspects of security, hence helping to solve problems that arise due to that gap.

2.2.2 The ENISA Perspective

The European Network and Information Security Agency (ENISA, 2007) report, released in the year 2007, was a study of European organizations that practise Information Security strategy and implementation. According to ENISA (2007), eighteen items were identified as the main techniques used to impart awareness. The respondent organizations were required to select which techniques they used, and the results showed different strategies in use by different organizations. The same techniques are shown in Table 2.1. Previous research has identified several other techniques used to impart Information Security awareness. The list presented in Table 2.1 forms one of the most comprehensive and up-to-date lists of practices used in awareness campaigns of any kind, especially in the marketing of organizations' products and services. The researcher adopts the list of awareness activities in Table 2.1 in an effort to identify which are commonly used across Kenyan banking organizations. This will answer one of the main research objectives, regarding establishing the main techniques used to impart awareness to staff in organizations.

Table 2.1 Information Security Awareness Techniques

No. Technique Description
1. A formally documented security policy has been published outlining security safeguards.
2. Intranet site provides guidance on information security matters.
3. Security requirements are covered in staff handbook or procedures manuals.
4. Security awareness training is built into the induction process when new staff join the organization.
5. Security responsibilities are included in contract or letter of appointment for new staff.
6. A specific document/leaflet (that covers information security policy) is distributed to staff.
7. Poster campaigns on information security topics.
8. Formal communication plan (i.e. how you will communicate with staff on information security awareness).
9. Regular email or newsletter distributed to staff.
10. Formal analysis of target groups (i.e. which staff it is important to ensure have good information security awareness).
11. Other promotional material (e.g. screensavers, pens, mouse mats).
12. Security messages are integrated into existing business training courses that staff attend.
13. Optional computer-based security awareness training.
14. Mandatory computer-based security awareness training.
15. Optional classroom security awareness training.
16. Quizzes on security matters (e.g. offering prizes) in staff magazines.
17. Use of external/outsourced expertise (e.g. security awareness training vendors).
18. Mandatory classroom security awareness training.

2.2.3 The Rudolph, Warshawsky and Numkin Perspective

Rudolph, Warshawsky and Numkin (2002) formulated an Information Security awareness program targeting the security behavior of employees. They propose a media campaign

covering the following main issues: risks related to Information Security, basic Information Security measures and their use, employees' responsibilities, and Information Security incident reporting. They propose several tools and techniques for delivering the training, namely: logos, themes, images, lectures with stories and examples, screen savers, sign-on messages, posters, videos, trinkets and giveaways, newsletters, IS security surveys, suggestion programs, contests, IS security audits, various events, briefings, conferences, and presentations. Here we can see a lot of similarity to the techniques studied in the ENISA (2007) report. Sasse, Brostoff and Weirich (2001) opine that users must have knowledge of security issues and must be motivated to use security measures. They also state that security mechanisms must be matched to users' capabilities and tasks. As possible ways to increase users' knowledge and motivate them, they propose the use of training, punishment and reporting of security-related incidents. Punishment is the one method not commonly found among those suggested by the other authors as a means of ensuring users remain knowledgeable of security measures.

2.2.4 The Vroom and von Solms Perspective

Vroom and von Solms (2002) proposed different target groups for an IS security awareness program: end-users, information technology (IT) staff and senior management. They go on to propose a model for an IS security awareness program composed of the following seven stages (Vroom & von Solms, 2002):

i. Educating top management in the necessity of IS security awareness,
ii. Making use of the existing international IS security standards as a guideline for the IS security policies,
iii. Creating the IS security policies of the company,
iv. Reviewing and maintaining IS security,
v. Implementing a formal program for IS security awareness,
vi. Addressing general security measures applicable to all users, and
vii. Providing guidelines on the protective measures within various departments.

2.2.5 The Cone, Irvine, Thompson and Nguyen Perspective

According to Cone, Irvine, Thompson and Nguyen (2007), many forms of Information Security awareness training and education are not successful because they do not engage users to think critically. They go on to propose the use of a video game that not only leads users on an adventure of learning Information Security but can also be used as a tool to impart Information Security awareness knowledge to an organization's staff. In their opinion, most users, despite their knowledge of Information Security, opt not to implement what they know since they think they will not be affected. The game proposed by the authors is called CyberCIEGE, and it comes loaded with different scenarios that actively challenge the user to make decisions under various circumstances in an effort to protect the organization's information assets. Furthermore, the authors indicate that the game allows the organization to formulate new customized scenarios that can be used to further educate users on organization-specific situations. The scenarios covered focus on target groups, meaning that scenarios designed for Information Technology staff are not the same as those designed for senior management or junior staff. Some scenarios are general, since they are applicable to all cadres of staff in an organization (Cone et al., 2006).

Information Security Awareness Techniques Summary

The techniques reviewed in this section by different authors fall into two major categories. The first category looks at specific techniques used to impart Information Security awareness knowledge regardless of the intended audience. The second broad category bases the technique used to impart Information Security knowledge on the intended audience, i.e. different techniques and content are designed for different audiences.

The audience is broadly categorized based on seniority and responsibilities within the organization, e.g. strategic decision makers are differentiated from day-to-day operational staff.

24 2.3 Comparison of existing models to measure awareness levels in organizations. The focus of the effort in measuring awareness levels has focused on increasing of compliance to Information Security policies within an organization {Pahnila, Siponen and Mahmood, 2007}. However, a new focus that comes into play looks at the issue of budget requirements for Information Security and on ways to justify increase in the same. Kruger {2010} argues that the two key issues surrounding Information Security budgets revolve around how to utilize the budgets effectively and justify increase in Information Security funding. From this argument, we can deduce that measuring of Information Security Awareness levels can be an effective means of justifying allocation of budget for Information Security awareness. Local organizations attribute one of their reasons for having few awareness initiatives revolve around low budget allocation. This trend can be reversed if the same organizations were able to effectively state the level at which their staff are in terms of Information Security awareness and areas that require improvement. Koroliov, Brolin and Turesson (2009) argue based on the premise that there is a difference of correlation between employees' knowledge of Information Security and their adherence to the knowledge that they have meaning that despite the fact that they know some aspects of Information Security that they are supposed to adhere to, their actions are not guided by their knowledge. As a result of this gap, their research evaluated three aspects namely the employees' knowledge, attitude and behavior towards information security. Research around Metrics of Information Security awareness helps an organization to design and implement an awareness programme that is effective and which seeks to reverse identified weak areas of Information Security knowledge and its application. 
Metrics to be used in measuring awareness levels are mainly formulated from two perspectives, namely the individual's and the organization's. A combination of the two perspectives will provide a comprehensive set of metrics that can be used to measure the level of awareness of an organization. By weighing the awareness levels of an organization, what we are actually measuring is the impact of information security awareness training on change in human behaviour and its impact on the organization's ability to reach its goal of increasing security through knowledge (Mathisen, 2004).

The Kruger and Kearney Perspective

Kruger and Kearney (2006) developed a model that focuses on identifying the main aspects or risks that need to be addressed by the awareness programme, educating the staff on the identified risks and then measuring the impact of the training on the staff, i.e. their knowledge and practice of the same. Six specific risks are highlighted as the ones the awareness initiative will focus on. Here we see that it was considered important that, while the toolkit came with a wide variety of awareness material, only the material regarding the identified risks was used. Some of the content was also modified to fit the organization's specific needs. On the issue of measuring, depending on an organization's setup, there are several ways to achieve it. A regional organization might require measurement at a global level; this can be achieved by measuring regional levels and aggregating them to the global level. Quantitative measurement of security awareness levels is touted as the best approach: in order for security awareness programs to add value to an organization it is necessary to use a structured approach to study and measure their performance (Kruger and Kearney, 2006). Kruger and Kearney (2006) opted to classify the areas to measure into dimensions. The first dimension, knowledge, focuses on what the user knows; attitude focuses on the user's thoughts; and behavior focuses on the user's actions. The six specific risks mentioned above were classified into the three dimensions and further broken down into specific factors, e.g. weak password management. Since not all factors contribute to the awareness level in the same way, weightings were introduced so that the factor scores would finally add up to the overall awareness level.
As a result, a questionnaire was designed with questions derived from the specific factors, to be distributed for feedback. The questionnaire included open-ended questions, multiple-choice questions, one-on-one interviews with respondents and the use of facilities.
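The weighted roll-up just described, as an added Python example that is not from the thesis nor from Kruger and Kearney's toolkit: questionnaire answers normalised to 0..1 are aggregated per factor, then per dimension (knowledge, attitude, behaviour), then per respondent, and finally per region and for the whole organization. The dimension and factor weights, the factor names, the score bands and the sample responses are all assumptions constructed for illustration.

```python
"""Weighted awareness scoring in the style of the Kruger and Kearney model.

Added example, not code from the thesis. Dimension and factor weights, the
factor names, the score bands and the sample data are assumptions.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Assumed dimension weights: behaviour counts most, since the text notes
# that knowledge does not reliably translate into action.
DIMENSION_WEIGHTS: Dict[str, float] = {
    "knowledge": 0.30,
    "attitude": 0.20,
    "behaviour": 0.50,
}

# Assumed factor weights inside each dimension (the thesis only names
# "weak password management" as an example factor).
FACTOR_WEIGHTS: Dict[str, Dict[str, float]] = {
    "knowledge": {"password_management": 0.5, "incident_reporting": 0.5},
    "attitude":  {"password_management": 0.4, "incident_reporting": 0.6},
    "behaviour": {"password_management": 0.6, "incident_reporting": 0.4},
}

# Assumed reporting bands (lower bound, label), checked top-down.
BANDS = ((80.0, "good"), (60.0, "average"), (0.0, "poor"))


def check_weights(weights: Dict[str, float]) -> None:
    """Weights must partition 1.0 so that scores stay on a 0-100 scale."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total}, expected 1.0")


@dataclass
class Response:
    """One questionnaire return. answers[dimension][factor] holds the
    per-question scores, each normalised to 0..1 (1 = correct answer,
    desired attitude or desired behaviour)."""
    region: str
    answers: Dict[str, Dict[str, List[float]]]


def factor_score(values: List[float]) -> float:
    """Average of a factor's question scores, as a percentage."""
    if not values:
        raise ValueError("factor has no answered questions")
    return 100.0 * mean(values)


def dimension_score(dimension: str, answers: Dict[str, List[float]]) -> float:
    """Weighted sum of the factor scores within one dimension."""
    weights = FACTOR_WEIGHTS[dimension]
    check_weights(weights)
    return sum(w * factor_score(answers[f]) for f, w in weights.items())


def respondent_score(resp: Response) -> float:
    """Overall awareness level of one respondent (0..100)."""
    check_weights(DIMENSION_WEIGHTS)
    return sum(w * dimension_score(d, resp.answers[d])
               for d, w in DIMENSION_WEIGHTS.items())


def region_scores(responses: List[Response]) -> Dict[str, float]:
    """Mean respondent score per region, for side-by-side comparison."""
    by_region: Dict[str, List[float]] = {}
    for r in responses:
        by_region.setdefault(r.region, []).append(respondent_score(r))
    return {region: mean(scores) for region, scores in by_region.items()}


def global_score(responses: List[Response]) -> float:
    """Aggregate to organization level, weighting each region by its
    number of respondents (the mean over all respondents)."""
    return mean(respondent_score(r) for r in responses)


def band(score: float) -> str:
    """Map a 0..100 score to its assumed reporting band."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return BANDS[-1][1]


# Constructed sample data: three respondents from two regions.
SAMPLE: List[Response] = [
    Response("Nairobi", {
        "knowledge": {"password_management": [1, 1], "incident_reporting": [1, 0]},
        "attitude":  {"password_management": [1],    "incident_reporting": [1]},
        "behaviour": {"password_management": [0, 1], "incident_reporting": [1]},
    }),
    Response("Nairobi", {
        "knowledge": {"password_management": [0, 1], "incident_reporting": [1, 1]},
        "attitude":  {"password_management": [0],    "incident_reporting": [1]},
        "behaviour": {"password_management": [0, 0], "incident_reporting": [0]},
    }),
    Response("Mombasa", {
        "knowledge": {"password_management": [1, 1], "incident_reporting": [1, 1]},
        "attitude":  {"password_management": [1],    "incident_reporting": [1]},
        "behaviour": {"password_management": [1, 1], "incident_reporting": [1]},
    }),
]

if __name__ == "__main__":
    for region, score in region_scores(SAMPLE).items():
        print(f"{region}: {score:.1f} ({band(score)})")
    total = global_score(SAMPLE)
    print(f"Organization: {total:.1f} ({band(total)})")
```

The second Nairobi respondent scores well on knowledge but zero on behaviour, which is exactly the knowledge-versus-application gap the text describes and why behaviour carries the largest assumed weight.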

One of the strengths of this approach was its ability to split an organization into regions and to showcase the levels of awareness in the different regions comparatively. This goes a long way towards giving the management of a regional organization visibility in terms of Information Security. In their thesis research, Koroliov et al. (2009) adopted this model in their attempts to measure the awareness levels of an organization. In their thesis they reviewed the Information Security Program Maturity Grid developed by Stacey (1996), which they felt was not good enough. This researcher was also unable to find much content on the same model.

The Martins and Eloff Perspective

Martins and Eloff (2001) suggested that the measurement of information security management should be performed at the business and management process level and at a technical level. This formed the basis for the information security culture questionnaire developed by the researchers to assess information security culture. One way of measuring the level of an organization's information security culture is to use an information security culture assessment instrument (questionnaire). The ISF 2000 report contained definitions of Information Security culture and factors to consider when measuring it.

The Veiga, Martins and Eloff Perspective

Veiga, Martins and Eloff (2007) suggest that "Organizations need to assess their employees' behaviour and attitudes towards the protection of information assets in order to establish whether employee behaviour is an asset or a threat to the protection of information." By assessing the Information Security culture of an organization, the organization is in a position to check whether an acceptable level of awareness exists and, if the current levels are not satisfactory, to decide what action needs to be taken to reverse them.
They managed to assess the Information Security culture using an Information Security Culture Questionnaire. The questions asked in such a questionnaire typically looked at security requirements that employees are expected to know, i.e. their current knowledge. This argument is supported by an example: if an employee is not able to recognize an Information Security incident, then the same employee cannot be expected to report such an incident. The questionnaire was split into three sections, namely:
i. Information Security culture statements - statements with which, on a Likert scale, the respondents either agree or disagree to various degrees. The statements generally reflect the attitude of the organization regarding Information Security in the eyes of the respondents. An example of such a statement was "The organization protects its information assets adequately (for example, systems and information)."
ii. Knowledge questions - this section analyzes just how much an organization's employees are aware of Information Security. The answers required were typically YES/NO answers. An example of such a question was "I know what an information security incident is."
iii. Biographical questions - these kinds of questions are important due to their ability to help the researcher differentiate the data and draw comparisons within the population, e.g. senior management, supervisors, junior staff etc.

The Schlienger and Teufel Perspective

Schlienger and Teufel (2003; 2005), through a survey utilizing a questionnaire, sought to gain an understanding of the official rules that influence the security behaviour of employees. The questionnaire measured 20 areas (for example, leadership, problem management, communication and attitude). The research was undertaken to come up with a decision-support system that analyzed the results automatically and which allowed online completion of the questionnaire. This tool was later implemented in a private bank.

The Stanton et al. Perspective

Stanton et al. (2005) presented work on the systematic classification of information security end-user behaviours that could be used when analyzing (measuring) security behaviour. They state that their results suggested "six categories of end user security-related behaviors appeared to fit well on a two-dimensional map where one dimension captured the level of technical knowledge needed to enact the behavior and another dimension captured the intentionality of their behavior." The focus of measurement is on end users' behaviour with regard to their intentions and their technical know-how. They were also able to showcase levels of end-user behaviour variation in various industries. The six dimensions of user behaviour were as shown below.

Table 2.2 Impact of Different User Behavior based on their Expertise and Intentions

Expertise | Intentions | Title | Description
High | Malicious | Intentional Destruction | Behavior requires technical expertise together with a strong intention to do harm to the organization's I.T and resources. Example: an employee breaks into the employer's protected files in order to steal a trade secret.
Low | Malicious | Detrimental Misuse | Behavior requires minimal technical expertise but nonetheless includes intention to do harm through annoyance, harassment, rule breaking etc. Example: using company for spam messages marketing a sideline business.
High | Neutral | Dangerous Tinkering | Behavior requires technical expertise but no clear intention to do harm to the organization's IT and resources. Example: an employee configures a wireless gateway that inadvertently allows wireless access to the company's network by people in passing cars.
Low | Neutral | Naïve Mistakes | Behavior requires minimal technical expertise and no clear intention to do harm to the organization's information technology and resources. Example: recognizing the presence of a backdoor program through careful observation of own PC.

Table 2.3 Impact of Different User Behavior based on their Expertise and Intentions (cont'd)

Expertise | Intentions | Title | Description
High | Beneficial | Aware Assurance | Behavior requires technical expertise together with a strong intention to do good by preserving and protecting the organization's information technology and resources. Example: recognizing the presence of a backdoor program through careful observation of own PC.
Low | Beneficial | Basic Hygiene | Behavior requires no technical expertise but includes a clear intention to preserve and protect the organization's IT and resources. Example: a trained and aware employee resists an attempt at social engineering by refusing to reveal her password to a caller claiming to be from computer services.

The Kruger et al. Perspective

Kruger, Drevin and Steyn (2010) propose the use of an information security vocabulary test to assess awareness levels. It would also assist with the identification of topics to be focused on in an information security awareness program. They found that end users have a poor record of enacting the basic security behaviors that are important in maintaining the safety of user accounts, e.g. frequent password changing. They also found that the amount of effective/ineffective behavior varied across organizations, with better performance by organizations whose missions depend highly upon security. The stages of security awareness that exist further complicate the measurement of awareness levels. The stages of IT security awareness according to Kajava and Siponen (1997) are:
i. Drawing people's attention to security issues,
ii. Getting user acceptance,
iii. Getting users to learn and internalize the necessary information security activities.
The ( ) standard states that "providing appropriate training, education and awareness" is critical to the successful implementation of information security. This makes it very important that the members of an organisation's staff are aware and conscious of information security in their daily work activities.

The Zakaria and Gani Perspective

Zakaria and Gani (2003) propose a conceptual information security culture checklist. Due to the dynamism of Information Security, the authors term their list conceptual since it is bound to be changed and updated constantly. The objective of the conceptual checklist is to assist management to implement an information security culture and raise awareness among an organization's staff about the securing of information. The same checklist can be used as a metric to establish how aware the users of an organization are regarding Information Security.

The Tessem and Skaraas Perspective

According to Tessem and Skaraas (2005), organizations should also consider measuring the level of their in-house information security culture. In this case, the term culture analyses user behaviour in deeper terms than simply being aware of what is required of a user in terms of Information Security. They are of the opinion that it is difficult to provide empirical data on information security and that it is also difficult to make an accurate analysis of information security awareness. However, they propose a few metrics that can be used to establish the level of awareness of staff in a particular organization, such as the percentage of an organization's staff who have completed awareness training; the number of reported information security incidents; how many staff members leave confidential information on their desks; and the percentage of lost passwords.

The Mathisen Perspective

Mathisen (2004) established a set of nine (9) metrics that can be used to measure awareness levels, based on interviews he carried out with I.T practitioners drawn from different industries, namely the financial, telecommunications and manufacturing industries.
One of his main observations is that across the industries, the methods used to carry out awareness, the approaches used and the expected results did not indicate any significant differences. The nine metrics identified by Mathisen that could be used to measure awareness levels were:
i. Percentage of employees who have finished the security training.
ii. Number of reported information security incidents.
iii. Percentage of employees having a clean desk at the end of the day.
iv. Percentage of paper waste shredding.
v. Percentage of illegal traffic on the internal computer network.
vi. Percentage of weak user passwords.
vii. Number of hits to information security web pages.
viii. Number of requests to the security department.
ix. Customer satisfaction.
According to Mathisen (2004), the metrics could further be developed into a model that can then be used via a questionnaire to gain a better insight into how aware an organization's users are. He further argues that the list is by no means exhaustive and that further metrics could be added to the list depending on the areas that an organization feels are more important.

The Morteza Perspective

Morteza (2010) proposes a model to measure the general level of Information Security in an organization with respect to the overall function of the Corporate Information Security Officer, who is required to provide to the organization the general level of Information Security at a particular time. This is because modern-day organizations need different types of metrics to enable them to maintain an efficient and effective mode of operation. The author proposes what is known as the SM Framework. The SM framework is composed of five main steps, which are briefly mentioned below:
i. Defining organization assets. In this step, a list of information assets is prepared.
ii. Assigning value metrics to the listed assets. The value assigned is dependent upon the importance of the asset to the organization.
iii. Classification of information based on sensitivity, where information can be classified as secret, top secret, confidential etc.
iv. Threat analysis. This forms the analysis of threats that exist against the assets and information.
v. Vulnerability assessment. In this stage the model reviews existing vulnerabilities against the listed assets. A mapping of vulnerabilities versus the damage they can cause is established.
vi. Valuation of defense methods. This stage involves the identification of the various types of defense methods to mitigate the vulnerabilities that may be utilized to attack the system.
From the process above, the measurement is not tied down to awareness levels but looks at Information Security in general. However, this framework can be modified slightly at stages 4, 5 and 6 to look at measuring awareness levels. A mathematical formula is involved in this model, which makes it complex; hence it is not a viable framework to utilize.

Summary of Measurement Metrics Perspectives

In summary, different innovative models of measuring awareness levels in an organization have been proposed by different authors. Each method has its own unique features and some of them are simple and effective, e.g. measuring Information Security vocabulary. The three main factors measured are user behavior, attitude and knowledge possessed in as far as Information Security is concerned. Risk-based assessments are used to decide which areas of the business to focus on as far as awareness is concerned. Simplicity, while attempting to cover as much ground as possible on items considered to be important for the respective organizations, has been the main overriding factor in the creation of the models. In conclusion, before a measurement model is defined and tested, the key considerations of the business must be identified and must have adequate representation in the model.

2.4 Factors to Consider in establishing an Awareness Measuring Model

Measuring usually starts from establishing metrics, which shall then be used to measure awareness levels.
A tricky element when it comes to measuring involves the aspect of knowledge versus application of that knowledge, in the same vein as a matter of health where individuals are aware of how to take good care of themselves health-wise but do nothing about it as long as everything is okay. If things go wrong, everyone becomes very interested in the problem and the issue will then require a larger than normal amount of effort to recover from.

The NIST Perspective

According to the National Institute of Standards and Technology (NIST, 2009) report, evaluation of information security training is important. Its importance is due to the fact that it helps the trainer, trainee and organization involved to establish whether their individual and collective needs were met. This roughly translates to measuring the success of activities that have been engaged in to shore up the levels of awareness in organizations. This is especially important since financial and human resources are usually committed to making the project a success. Measurement of activities such as training therefore helps to formulate and utilize effective techniques of increasing awareness levels of Information Security. According to NIST (2009), while considering the effectiveness of information security training, the following is measured:
i. The extent to which the right environment for learning was provided, and the learner's satisfaction;
ii. Learning outcome: what the student learnt.
iii. Long-term pattern of outcomes: what students have been learning over time.
iv. The value of the specific class or training event compared to other options in the context of an agency's overall information security training program, i.e. program effectiveness.

The Kajava and Savola Perspective

Kajava and Savola (2005) look at factors to consider when coming up with Information Security metrics. They argue that input is required from security objects in order to come up with appropriate metrics when coming up with a model to measure Information Security. A lot of studies have been done that attempt to come up with either a model or a framework to measure

Information Security in general. Some of the factors that come out as general areas to focus on are the pillars of Information Security, i.e. Confidentiality, Integrity and Availability. Kajava and Savola (2005) state that measurements offer specific measurable parameters and are represented by numbers, weights or binary statements. In order to avoid confusion, metrics are produced by taking measurements over time and comparing two or more measurements with predefined baselines, hence providing a platform for interpretation of the collected data. Kajava and Savola (2005) opine that techniques of security measurement include risk analysis, certification and measures of the intrusion process. They also argue that security metrics can be arrived at through the following techniques: goal establishment, prediction, comparison, monitoring and analysis. Their paper is basically a guide on how a researcher or an organization may come up with metrics to measure the state of Information Security in their organizations. In the same breath, the techniques highlighted here may also serve to differentiate between measurement and metrics.

The Siponen Perspective

Siponen (2001) argues that Information Security awareness should generally be looked at in five dimensions.

Organizational Dimensions

Siponen (2001) proposes that a general outlook of an organization can be broken into different categories that can then be used to craft different awareness content for the different categories. The categories may be classified as top management, Information Technology management, Information Security staff, computing/IS professionals, end users of various kinds (e.g. Human Resources, engineers, sophisticated end-users and stand-alone users) and third parties. For top management, the awareness is more geared towards convincing them to support Information Security policies and their implementation. Awareness targeted towards the general staff is more geared towards informing them of the rules and regulations contained in the policy and their need to adhere to them. This categorization is relevant in today's organizations. Kenyan organizations, especially the financial organizations, consist mainly of a large population of end users and few Information Security specialists. Therefore categorization of the staff into various sections depending on their ranking and use of Information Systems requires a systematic, differentiated kind of awareness that looks into specific issues.

General Public Dimension

General public awareness is important since it covers basic, central Information Security information. The main idea is to cover anyone who uses Information Systems. This kind may not be achieved by one organization alone, however. Traditionally, awareness covered only the use of computing systems; however, in today's world, general public awareness will also cover mobile phone transactions, online trading by use of credit/debit cards and safe use of ATMs. The current threat that needs awareness to be conducted among the general public is the use of social media, which organizations are grappling with how to deal with, according to the Global Survey on Social Media Risks (2011).

Socio-Political Dimensions

In most societies, legislation is often said to be left behind current technological development. As a result certain groups in society, i.e. lawyers, government and politicians, should be aware of information security issues at a high level and of ethical factors, because in most cases they are directly or indirectly responsible for making legislative decisions.
Lack of laws in these areas will lead to a gap in knowledge that leaves society in a difficult position when it comes to dealing with such occurrences as resolving disputes arising out of the use of information systems.

Computer Ethical Dimensions

This aspect helps to bridge the gap between the technological advances in Information Security and the moral aspects of their use, and is mainly used to prevent certain activities that are interpreted as misuse with improper intentions. The same ethical issues are also intimately connected with legislation. Laws are taken more seriously when they have a moral front, unless the law is considered to be important. If individuals were made aware that issues such as security breaches, misuses or abuses (e.g. distribution of viruses) are considered immoral, they might avoid them.

Organizational Education Dimension

This aspect refers to the introduction and knowledge of Information Security right from the country's education system. One difficulty that exists is the amount of technical know-how to impart and at what levels. The number of people within society making use of computing resources is ever increasing and hence the number of people targeted by online criminals has also increased at the same rate. However, the basics of Information Security are solid enough to be included in the education system, and the only challenge will be the constant updating to take care of Information Technology changes.

2.5 Summary and conclusions

The budget that is allocated to Information Security is low in most organizations. This affects the levels of awareness in a particular organization negatively. We have also observed that most I.T security staff regard the current awareness initiatives as having a low impact on the awareness levels within the organization. Another issue that seems to be prevalent is that I.T personnel are aware that awareness initiatives need to be undertaken but are not aware of what to do to resolve the issue. Most professionals agree that Information Security is 30% technology and 70% human. In organizations where Information Security awareness activities take place, little or no measurement of their impact on awareness takes place.
As mentioned in the earlier sections, the practice of measuring the awareness levels in an organization is useful to the organization's management, to Information Security management and generally to the organization as a whole in terms of reducing the risk of security incidents due to ignorance on the part of the organization's employees.

Chapter 3 : Research Methodology

3.1 Introduction

The general idea of this study was to enable the organization to know the effectiveness of its Information Security awareness activities by measuring the Information Security knowledge possessed by its staff. Part of the research aims at identifying which of the different techniques are used to impart awareness to staff in the identified banking institutions. The study also aimed at designing a model that will be used to measure the Information Security awareness levels of organizations' staff. The model will be customized in an effort to fit local banking institutions' requirements. This chapter highlights the various methods and procedures the researcher will adopt in conducting the study in order to answer the research questions raised in the first chapter.

3.2 Research Design

This research adopted a sequential two-step qualitative research design. The main strategies to be used are a survey and a single case study. This research will tend towards a mixed methods format. A mixed methods research design employs the collection and analysis of both qualitative and quantitative forms of data in a single study. On one hand it will involve observing and describing the behavior of a subject without influencing it in any way. According to Creswell (2003), a mixed method approach is useful in certain scenarios, such as when the results of one method help to inform the other method. In this study, the rationale for using quantitative methods is that an Information Security awareness model could only be developed from data collected through a quantitative approach by use of a survey that will explore the necessary key requirements of the model. The model will then be validated through a qualitative instrument that can be applied to a larger sample of a selected population from a single case study. This study will tend more towards an exploratory kind of research based on the type of research questions. From chapter 2, the research questions focus on the "what" question, which will be further expounded by "how many" and "how much", i.e. to what extent, kinds of questions (Yin, 2003).

3.3 Population and Sampling

Population

Cooper and Schindler (2006) describe a population as the total collection of elements about which references have to be made. The researcher aims to draw from a sample of local banks as indicated in the CBK report (2010). According to the CBK (2010) peer grouping of banking institutions in Kenya, there are 6 large banks, 15 medium banks and 22 small banks. The report also states that the large banks accounted for 56 percent of total assets, fifty-five percent of customer deposits, fifty-seven percent of capital and reserves and sixty-three percent of the sector's profit before tax. In the literature review, some of the articles indicate that large financial institutions invest more in Information Security awareness for their staff than smaller institutions in the same industry. The validation of the model was accomplished by making use of a single case study of Kenya Commercial Bank, which is one of the six local institutions identified as large institutions.

Sampling Design and Sample Size

Sampling Frame

A sampling frame is a list of elements from which the sample is actually drawn and is closely related to the population (Cooper and Schindler, 2006). This will ensure that the sampling frame is current, complete and relevant for the attainment of the study objectives. One reason for selecting the large banking institutions is their organization structure, high staff numbers and large branch network, which complicate their efforts to deliver Information Security awareness education and to measure awareness levels as well. Due to the above reasons and the limitation of financial and time resources, the survey will be limited to 25 (twenty-five) local large banking institutions.

Sampling Techniques

The sampling approach chosen in the first quantitative survey was a non-probability sample where 20 large and medium banking institutions were selected to represent the entire population of banking institutions with a significant footprint in terms of operations. This initial sample was targeted by the survey to collect data that was analyzed and its results used as input into formulating the Information Security awareness measurement model. Due to its lower error rate and also to take advantage of the naturally occurring groups, stratified random sampling will be used to validate the Information Security awareness measurement model (Yates, Daniel, Moore and Starnes, 2008).

Sample Size

The sample size is a smaller set of the larger population (Cooper and Schindler, 2006). Determining sample size is a very important issue for collecting an accurate result within a quantitative survey design. The sample population for the first questionnaire was 25 banks. One of the real advantages of quantitative methods is their ability to use smaller groups of people to make inferences about larger groups that would be prohibitively expensive to study.

3.4 Data Collection Methods

The study used primary data, which was collected by the use of questionnaires. Maholtra and Birks (2007) explain that questionnaires are an important data collection tool. In addition, the use of questionnaires is justified because they provide an effective and efficient way of gathering information within a very short time. Further, questionnaires facilitate easier coding and analysis of the data collected. The questionnaires to be administered included a few open-ended questions. This is because open-ended questions provide an insight into new ideas, whereas closed-ended questions ensure that the respondents are restricted to certain categories in their responses.

3.5 Research Procedures

A pilot test involving 2 respondents was carried out to evaluate the completeness, precision, accuracy and clarity of the questionnaires. This ensured the reliability of the data collection instruments that were used.

3.6 Data Analysis Methods

The data collected from the first and second questionnaires was edited and analyzed using Microsoft Excel. Data analysis was conducted in the form of descriptive statistics. Descriptive analysis can be described as a process that involves transforming a mass of raw data into tables and charts with frequency distributions and percentages, which are a vital part of making sense of the data (Denscombe, 1998).

3.7 Chapter Summary

This chapter highlighted the various methods and procedures the researcher adopted to conduct the study in order to answer the research questions raised in the first chapter.

Chapter 4 : Presentation of Research findings

4.0 Introduction

This chapter presents the findings of the study based on the data collected from the field using a questionnaire. The analysis focused on answering the following research objectives: establishing the techniques used to impart information systems security awareness and their effectiveness; establishing the extent to which Kenyan banking organizations measure their information systems security awareness levels; developing a Security Awareness Measurement Model that can be adopted in a Kenyan banking organization; and testing the Security Awareness Measurement Model in a Kenyan banking organization. A total of 25 entities were identified as comprising the population for the study. Two of these were used for pilot testing the questionnaire. The questionnaires were distributed to the entire population, of whom 20 responded, representing an 80.0% response rate.

4.1 Demographic Information

The demographic information for the study comprised the respondents' gender, position in the organization, age, educational level and work experience in the organization.

Gender of the Respondents

The researcher sought to find out the gender of the target respondents involved in the study. Figure 4.1 shows that the respondents were not equally distributed in terms of gender. The respondents of male gender were 80 percent and female 20 percent. This is an indicator of the fact that the Information Security industry is still dominated by the male gender.

4.1.2 Organization Structure

Figure 4.2 demonstrates that organizations with fewer than one thousand staff account for forty-five percent of the respondents, followed closely by organizations with three thousand or fewer staff at thirty-five percent. From the perspective of the Central Bank ranking of banking institutions in Kenya, most of the respondents are presently attached to large and medium banking institutions. None of the respondents worked for an organization that had more than six thousand (6,000) employees.

Figure 4.2 Organization Population

Figure 4.3 further demonstrates the number of resources in the respective Information Security teams. It is interesting to note that teams composed of 1-3 staff members form the bulk of respondents at sixty percent. Larger teams of 3-6 staff members accounted for only twenty-five percent. Only ten percent had a bigger team of 6-9 members, and five percent had more than 10 staff members.

Figure 4.3 Staff Members of the Information Security Team

While the target population was 25 financial institutions, 20 responses were received, owing to the fact that most of the organizations have fewer than 3 members in their Information Security teams. This survey targeted Information Security professionals in those respective organizations in order to get accurate responses on Information Security awareness measurement.

4.1.3 Respondents' Roles in their Respective Organizations

Out of the 20 respondents, forty percent are designated as Information Security Managers in their organizations. Another twenty percent are Information Systems auditors. This category of employees works closely with Information Security managers to ensure appropriate controls are implemented and maintained in an organization.

In Figure 4.5, eighty-five percent of the respondents have been working in their respective organizations for a period of between one and five years. This suggests a fair level of accuracy in their responses, which are based on their observations over the same period of time. The accuracy of the respondents is drawn from their duration in their current position and the direct or indirect role they play in Information Security awareness.

From the findings in Figure 4.6 above, sixty-five percent of respondents had worked in the same organization for between one and five years. Only fifteen percent had worked there for less than a year. These findings show that a large percentage of the respondents have been in the same role and in the same organization for the same duration of time.

4.2 Information Security Awareness Techniques

Figure 4.7 is a snapshot of the responses given on the various techniques that are used to spread Information Security awareness in the organizations.

Figure 4.7 shows the major Information Security awareness techniques and the responses received in terms of usage. The findings in Figure 4.7 show that Information Security Policy (ninety percent), Intranet Information Security Guides (eighty-five percent), Information Security Staff Manuals (eighty percent), Information Security induction for new employees (seventy percent) and Information Security responsibilities in contracts (sixty-five percent) were the most frequently used Information Security awareness techniques in the respondents' organizations. The results also showed that the Information Security awareness techniques with the lowest usage among the respondents were Information Security posters (twenty-five percent), Information Security awareness content for different target groups (thirty percent) and quizzes on security matters with incentives (twenty percent).

The researcher had identified in the literature review that most organizations do not have different content targeting different members of the organization, e.g. senior management content as compared to junior staff content. However, the existence of different content would then make it more complex to measure an organization's Information Security awareness.

The results presented two techniques that are used by half of the respondents, namely Information Security messages in existing business courses (fifty percent) and computer-based Information Security awareness (fifty percent). In the researcher's understanding, their position in terms of usage is mainly due to the growing acceptance of the importance of Information Security awareness, hence their inclusion in the mainstream training courses that existed prior to the introduction of Information Security awareness courses.

Other techniques in use by the respondents that were not part of the survey questions included the use of punitive measures, the use of internal visual and audio communication systems for broadcasts, and the use of security tools such as Data Loss Prevention tools that display warning messages to users coupled with Information Security content.
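To make the descriptive analysis of Section 3.6 and the technique-usage findings of Section 4.2 concrete, the following is an added Python example; it is not the thesis author's Excel analysis and the answer rows in it are constructed for illustration rather than taken from the study. It parses one 0/1 answer string per respondent, builds the frequency distribution and percentage for each awareness technique, computes the response rate, and bands techniques into most and least used. The shortened technique labels and the 65% / 30% band thresholds are assumptions made for this example.

```python
"""Descriptive analysis of awareness-technique survey answers.

Added example: this is not the thesis author's Excel analysis. The answer
rows below are constructed for illustration and do not reproduce the
thesis data; technique labels are shortened forms of the survey items.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Survey items, in column order of the answer rows below (labels shortened).
TECHNIQUES: List[str] = [
    "security policy",
    "intranet security guides",
    "staff security manuals",
    "induction for new employees",
    "security responsibilities in contracts",
    "security messages in business courses",
    "computer based awareness",
    "targeted content per group",
    "security posters",
    "quizzes with incentives",
]

# Constructed answers: one string per respondent, one character per
# technique ('1' = in use in the respondent's organisation, '0' = not).
RAW_ROWS: List[str] = [
    "1111111000",
    "1111110000",
    "1111101100",
    "1111011001",
    "1110100010",
    "1101010100",
    "1010101000",
    "1100101001",
    "1011000110",
    "0111010000",
]


def parse_rows(rows: Iterable[str], techniques: List[str]) -> List[set]:
    """Turn 0/1 answer strings into per-respondent sets of techniques in use.

    Rejects rows whose length or symbols do not match the survey items so
    that a mis-keyed answer sheet is caught before it skews the percentages.
    """
    parsed: List[set] = []
    for row in rows:
        if len(row) != len(techniques) or set(row) - {"0", "1"}:
            raise ValueError(f"malformed answer row: {row!r}")
        parsed.append({t for t, flag in zip(techniques, row) if flag == "1"})
    return parsed


def response_rate(responded: int, population: int) -> float:
    """Percentage of the surveyed population that returned a questionnaire."""
    return round(100.0 * responded / population, 1)


def frequency_table(responses: List[set],
                    techniques: List[str]) -> Dict[str, Tuple[int, float]]:
    """Frequency distribution: technique -> (count, percent of respondents)."""
    counts: Counter = Counter()
    for answer in responses:
        counts.update(answer)
    n = len(responses)
    return {t: (counts[t], round(100.0 * counts[t] / n, 1)) for t in techniques}


def ranked(table: Dict[str, Tuple[int, float]]) -> List[Tuple[str, int, float]]:
    """Techniques ordered from most to least used (ties keep survey order)."""
    rows = [(t, c, p) for t, (c, p) in table.items()]
    return sorted(rows, key=lambda r: -r[2])  # sorted() is stable


def usage_bands(table: Dict[str, Tuple[int, float]],
                high: float = 65.0, low: float = 30.0) -> Dict[str, List[str]]:
    """Band techniques by usage. Thresholds are assumptions for this example:
    `high` and above is 'most used', `low` and below is 'least used'."""
    bands: Dict[str, List[str]] = {"most used": [], "middle": [], "least used": []}
    for t, (_, pct) in table.items():
        if pct >= high:
            bands["most used"].append(t)
        elif pct <= low:
            bands["least used"].append(t)
        else:
            bands["middle"].append(t)
    return bands


def report(rows: Iterable[str] = RAW_ROWS) -> str:
    """Render the frequency table as plain text, most used technique first."""
    table = frequency_table(parse_rows(rows, TECHNIQUES), TECHNIQUES)
    lines = [f"{'technique':40} {'n':>3} {'%':>6}"]
    for t, c, p in ranked(table):
        lines.append(f"{t:40} {c:>3} {p:>6.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    # 20 responses from a population of 25 are the figures given in the thesis.
    print(f"response rate: {response_rate(20, 25)}%")
    print(report())
    print(usage_bands(frequency_table(parse_rows(RAW_ROWS, TECHNIQUES), TECHNIQUES)))
```

Keeping the raw answers as one row per respondent, rather than a pre-summed tally, is what lets the same data be re-cut later by demographic (team size, role) without re-keying the questionnaires; the validation in `parse_rows` is the check worth keeping when answers are transcribed by hand.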


More information

Corporate Incident Response. Why You Can t Afford to Ignore It

Corporate Incident Response. Why You Can t Afford to Ignore It Corporate Incident Response Why You Can t Afford to Ignore It Whether your company needs to comply with new legislation, defend against financial loss, protect its corporate reputation or a combination

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

A FRAMEWORK FOR EVALUATING ICT SECURITY AWARENESS

A FRAMEWORK FOR EVALUATING ICT SECURITY AWARENESS A FRAMEWORK FOR EVALUATING ICT SECURITY AWARENESS HA Kruger, L Drevin, T Steyn North-West University (Potchefstroom Campus) rkwhak@puk.ac.za +27 18 299 2539 Private Bag X6001, Computer Science and Information

More information

FORMULATING HUMAN RESOURCE DEVELOPMENT POLICY FOR THE PUBLIC SERVICE (KENYAN CASE)

FORMULATING HUMAN RESOURCE DEVELOPMENT POLICY FOR THE PUBLIC SERVICE (KENYAN CASE) CAPACITY BUILDING FOR HUMAN RESOURCE DEVELOPMENT POLICY AND STRATEGY IN PUBLIC SERVICE IN AFRICA WORKSHOP FORMULATING HUMAN RESOURCE DEVELOPMENT POLICY FOR THE PUBLIC SERVICE (KENYAN CASE) PRESENTED BY:

More information

7 Conclusions and suggestions for further research

7 Conclusions and suggestions for further research 7 Conclusions and suggestions for further research This research has devised an approach to analyzing system-level coordination from the point of view of product architecture. The analysis was conducted

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1 APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and

More information

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Executive Overview Within the legal sector, IT system security and compliance have changed dramatically

More information

Education as a defense strategy. Jeannette Jarvis Group Program Manager PSS Security Microsoft

Education as a defense strategy. Jeannette Jarvis Group Program Manager PSS Security Microsoft Education as a defense strategy Jeannette Jarvis Group Program Manager PSS Security Microsoft Introduction to End User Security Awareness End User Security Awareness Challenges Understanding End User

More information

Security of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014

Security of Paper Records & Document Shredding. Sponsored by Cintas. Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Security of Paper Records & Document Shredding Sponsored by Cintas Independently conducted by Ponemon Institute LLC Publication Date: January 2014 Ponemon Institute Research Report Part 1. Introduction

More information

Honours Degree (top-up) Business Abbreviated Programme Specification Containing Both Core + Supplementary Information

Honours Degree (top-up) Business Abbreviated Programme Specification Containing Both Core + Supplementary Information Honours Degree (top-up) Business Abbreviated Programme Specification Containing Both Core + Supplementary Information 1 Awarding Institution / body: Lancaster University 2a Teaching institution: University

More information

Development trend 3: Cultivating an Information Security Culture

Development trend 3: Cultivating an Information Security Culture Chapter 6 Development trend 3: Cultivating an Information Security Culture 6.1 Introduction This chapter will investigate the third development trend of the institutional wave as described by Von Solms.

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Wright State University Information Security

Wright State University Information Security Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

THE BANKS ASSOCIATION OF TURKEY CODE OF BANKING ETHICS *

THE BANKS ASSOCIATION OF TURKEY CODE OF BANKING ETHICS * THE BANKS ASSOCIATION OF TURKEY CODE OF BANKING ETHICS * I. Introduction Ethics is an entire body of principles and measures, which investigates the values, norms and rules that govern the individual and

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

Master of Science in Management

Master of Science in Management Programme Syllabus for Master of Science in Management 120 higher education credits Second Cycle Established by the Faculty Board of the School of Business, Economics and Law, University of Gothenburg,

More information

Managed Service Marketing

Managed Service Marketing Managed Service Marketing Produce Deliver Design Measure Enterprise Marketing on an SMB Budget. The Problem: Your Prospects are Shopping Without You They self educate and do whatever it takes to thin the

More information

Fujitsu Group s Information Security

Fujitsu Group s Information Security Fujitsu Group s Information Under the corporate governance system, the Fujitsu Group promotes appropriate information management and information usage according to Group rules, as part of risk management.

More information

Integrated Dual Degree Programme

Integrated Dual Degree Programme Curriculum Model Integrated Dual Degree Programme (B.Tech + MBA) K L UNIVERSITY Green Fields, Vaddeswaram 522 502, Guntur District, A.P., INDIA. Ph: 08645 246948, Fax: 08645 247249 CONTENTS S. No Page

More information