Measuring Employees' Information Security Compliance Behaviors: A Holistic State Perspective


Xiaolong Wang (1), Wenli Li (2)
(1) First Author, Faculty of Management and Economics, Dalian University of Technology, [email protected]
(*1) Corresponding Author, Faculty of Management and Economics, Dalian University of Technology, @qq.com
(2) Faculty of Management and Economics, Dalian University of Technology, [email protected]

International Journal of Information Processing and Management (IJIPM), Volume 4, Number 6, September

Abstract

The holistic state of information security compliance behaviors in an organization is a global description of the information security activities that are regulated by the information security policy and that have to be correctly implemented by all employees. The holistic state is measured in terms of a distribution of discrete numbers, each number in the distribution being the count of the compliance behaviors of one employee in a given time interval. A weighted information security compliance behaviors entropy (wiscbe) index is proposed for measuring and ranking holistic states. The experimental results indicate that holistic states are measured and clearly ranked by the magnitude of the wiscbe index, both across different departments during the same period of time and within one department across different time intervals. The wiscbe index is expected to be useful for security managers when making decisions concerning information security.

Keywords: Information Management, Information System, Information Security, Compliance, Measurement, Entropy

1. Introduction

Information security compliance behaviors refer to the set of information security activities that employees have to adhere to in order to maintain information security as defined by the information security policy of an organization [1]. Information security depends largely on the compliance behaviors of employees [2, 3, 4, 5, 6, 7]. Measurement and reporting of the compliance behaviors can be used to evaluate the status of the implementation of security policies, the effectiveness and efficiency of security service delivery, and the business impact of security events. This has become increasingly apparent in the field of information security over the past decade [8]. Recently, in many organizations the effective measurement of information security behaviors has also been driven by an amplified regulatory environment in which greater transparency and accountability are demanded [9].

In the relevant empirical studies, various factors that affect the compliance behavior intentions of employees have been explored, and a number of behavioral compliance models have been proposed and tested, in which behavioral intention is assumed to be the immediate antecedent of actual behavior [10, 11, 12, 13, 14, 15, 16, 17]. Other studies, however, suggest that it is preferable to measure actual behaviors rather than intentions [13, 18, 19]. The measurement of behavioral intentions has been found to be especially troubling because intentions do not always lead to behaviors [17, 19], and it is extremely complex and difficult to measure the psychosocial factors that give rise to motivations and behavioral intentions [19, 20].

Some standards, frameworks and tools that are explicitly connected with the development, implementation and maintenance of information security metrics, measures and measurement have been proposed [9]. These standards, frameworks and tools are not specific to the measurement of compliance behaviors. For instance, a framework for security measurement is presented in NIST Special Publication (Revision 1) [21], along with a set of candidate measurements in Appendix A of that standard. These candidate measurements provide a guide for evaluating information security performance, which is measured using simple statistical treatments such as percentage ratios. A recent study, however, has revealed that the distribution of human behaviors follows non-Poisson statistics [22]. Since information security compliance behavior is human behavior in nature, a percentage ratio may not be appropriate for measuring the compliance behaviors themselves. In addition, Barabanov et al. have pointed out that the standards, frameworks and tools mentioned above are multidimensional or have lateral administrative functions and hierarchical administrative levels, where lower-level metrics may roll up into higher-level ones [9].

In this study, we follow the ideas of statistical mechanics to treat the compliance behaviors of employees in an organization. By analogy, an organization can be treated as a physical system and an employee as a molecular component of that system. A compliance behavior is defined as one item of the information security policy having been correctly completed by an employee. For each employee, there is a count of compliance behaviors in a given time interval. For all employees, these counts constitute a distribution, and a number of distributions are thus obtained from different time intervals. Provided that the information security compliance behaviors of each employee are independent, information entropy theory can be used to treat the distributions [23]. On this basis, such a distribution represents the holistic state of the information security compliance behaviors of all employees in an organization within a given time interval. Information entropy theory is used to study the distribution, and an entropy index is derived to characterize the holistic state. In light of the suggestion of Barabanov et al. [9], the holistic state has the character of a roll-up measurement. A weighted information security compliance behaviors entropy (wiscbe) index is proposed to measure the holistic state of the information security compliance behaviors of employees in an organization, and the magnitude of wiscbe is used to rank different holistic states.

The main contents of this paper are structured as follows: in section 2 the information security compliance behaviors entropy (ISCBE), the normalized ISCBE (NISCBE) and wiscbe are formulated in sequence. An experimental test is presented in section 3, and the measurement results are discussed in section 4. Concluding remarks are given in section 5.

2. Derivation of the wiscbe index

2.1. Information security compliance behaviors entropy (ISCBE)

Shannon's information entropy theory has found quite a few applications in both natural and social systems [24, 25, 26, 27]. For instance, in human behavior-oriented studies the theory has been used to estimate human workload in human-robot interaction [28] and to characterize multitasking behavior [29]. Using this theory, a mathematical model is constructed in this study to derive a weighted entropy index for characterizing the holistic state of the information security compliance behaviors in an organization.

Appendix A of NIST Special Publication (Revision 1) contains nineteen measurement items covering impact, implementation and effectiveness/efficiency requirements. A compliance behavior is defined as one item having been correctly completed by an employee. Supposing that all of them are required to be correctly completed by every employee in an organization, we first introduce the information security compliance behaviors entropy (ISCBE). Let the number of employees of the organization be $n$, and let $x_i$ be the number of compliance behaviors of the $i$th employee, $i = 1, 2, \ldots, n$. The distribution of $x_i$ in the organization is $(x_1, x_2, \ldots, x_n)$. Let $X = \sum_{i=1}^{n} x_i$, where $X$ stands for the total number of compliance behaviors in the organization within one measurement cycle. Hence $p(x_i) = x_i / X$ and $\sum_{i=1}^{n} p(x_i) = 1$, and the ISCBE can be calculated with the formula

$$\mathrm{ISCBE} = -\sum_{i=1}^{n} p(x_i) \ln p(x_i) \qquad (1)$$

where $p(x_i)$ is the probability distribution function of the number of compliance behaviors of each employee. As a rule, $0 \ln 0$ is set to zero.

As a consequence, a large value of ISCBE indicates a relatively more secure holistic state, as the following example shows. Consider distributions $(x_1, x_2, \ldots, x_n)$ obtained during four different measurement cycles: (18, 11, 9, 2, 5, 15), (19, 3, 1, 3, 2, 3), (19, 19, 19, 19, 19, 19) and (4, 4, 4, 4, 4, 4). Their ISCBE values are calculated to be 1.548, 1.342, 1.792 and 1.792, respectively. The latter two values thus reveal a better holistic state than the former ones. However, the last two holistic states are not discriminated from each other. The index has to be modified to resolve this problem.

2.2. Normalized and weighted ISCBE

A normalized ISCBE (NISCBE) is introduced in the following form:

$$\mathrm{NISCBE} = -\sum_{i=1}^{n} p(x_i) \ln p(x_i) \Big/ \ln n \qquad (2)$$

where $\ln n$ is the theoretical maximum of ISCBE. The values of NISCBE thus fall into the interval [0, 1]. A large value of NISCBE is naturally obtained when the distribution $(x_1, x_2, \ldots, x_n)$ is uniform and the $x_i$ themselves are large numbers. The NISCBE values in the above example turn out to be 0.864, 0.748, 1 and 1, respectively. The holistic states corresponding to the two distributions (19, 19, 19, 19, 19, 19) and (4, 4, 4, 4, 4, 4) are still not discriminated. An eventual solution is reached by further introducing a weighted NISCBE, viz. wiscbe:

$$\mathrm{wiscbe} = -w \sum_{i=1}^{n} p(x_i) \ln p(x_i) \Big/ \ln n \qquad (3)$$

where $w$ is a weighting coefficient. For a distribution $(x_1, x_2, \ldots, x_n)$ in which every employee has to complete $m$ items, the value of $w$ is calculated with the formula

$$w = \frac{\sum_{i=1}^{n} x_i}{n\,m} = \frac{X}{n\,m} \qquad (4)$$

where $m$ is the total number of information security items that each employee has to complete correctly, so that $w$ is the fraction of the $n \cdot m$ required completions that were actually performed. A large wiscbe value thereby signals a better holistic state. Recall the problem that arose with the distributions (4, 4, 4, 4, 4, 4) and (19, 19, 19, 19, 19, 19): their wiscbe values are now well separated, that of (19, 19, 19, 19, 19, 19) being 1. In this case, m = 19. We note that in the reality of information security management, m can take different values in an organization.

3. Experiment

Application of the wiscbe index to the holistic state measurement of compliance behaviors has been attempted in Chinese companies. The companies of interest should have an adequate implementation of information systems and information security policies for the convenience sampling to be reliable. Three such Chinese companies are chosen: a data service company in Shanghai, a software company in Dalian, and the Dalian Locomotive and Rolling Stock Co., Ltd. The primary businesses of the former two companies are information technology and information services; the third one is a traditional state-owned manufacturing company. In the three companies, one or two departments are randomly selected to conduct the measurement.

Data collection has been accomplished by two independent and complementary means:
(I) Survey questionnaire. The questionnaire is designed mainly upon the nineteen candidate measurements included in Appendix A of NIST Special Publication (Revision 1). Apart from these nineteen measurements, an additional measurement is introduced into the questionnaire to obtain data on one further compliance behavior of employees: self-motivated learning of the contents of the information security policy. The questionnaire thus contains 20 items in total. The employees are required to self-report on what they have done or are doing in relation to the information security policy during the past three years (-). These questionnaires are distributed to all of the employees in these departments via ;
(II) Managerial monitoring. We have held interviews with the department managers in these companies.
The data collected from the questionnaires and interviews are promised to be kept confidential.

The details of the data collection process are as follows:
(1) Two departments in the Shanghai data service company are selected. There are 6 and 10 employees in department 1 and 2, respectively. The employees of department 1 deal with the internal business process, and in department 2 all of the employees are site engineers taking care of the external business of the company.
(2) In the Dalian software company, a software development team of 21 members has been surveyed.
(3) A department with 12 employees in the Dalian Locomotive and Rolling Stock Co., Ltd has been taken into consideration.
It is worth noting that the individuals being investigated are regular employees rather than part-time employees. The department managers are not included in the questionnaire; interviews have been conducted with them instead.

The questionnaires have been completed by all the employees of these departments. Inspection of these questionnaires identified one invalid questionnaire from department 2 of the Shanghai data service company, two invalid ones from the team of the Dalian software company, and two invalid ones from the Dalian Locomotive and Rolling Stock Co., Ltd. The valid questionnaire ratio reaches 89%. This ratio ensures that the measurement results reflect the holistic state of the information security compliance behaviors at the department level. The variation of the holistic state over time is also examined, for which data for three annual years from to have been collected. Though the time interval is fairly large, we assume that information security related behaviors are sensitive and memorable, and that, once explicit questions have been designed, the employees find it easy to recall what they have done during the past three years in relation to the information security policy. The demographic data of the employees are obtained from the valid questionnaires and summarized in Table 1.

In the interview, each department manager is requested to make qualitative assessments of the annual year holistic states of the information security compliance behaviors in his department during the past three years (-). The managers are advised to make the assessment with reference to the nineteen candidate measurements of Appendix A of NIST Special Publication (Revision 1) and to the practical situation of the employees concerning self-motivated study of the contents of the information security policy. The assessment results are leveled as excellent, good, fair, poor or bad in a qualitative fashion.

4. Results and discussion

Using the questionnaire data, the wiscbe index is calculated with equations (3) and (4). For the discrimination of the holistic state at the department level, we assign an excellent state for wiscbe ≥ 0.800; > wiscbe ≥ for a good state; > wiscbe ≥ for a fair state; > wiscbe ≥ for a poor state; and wiscbe < for a bad state. Each wiscbe index value and the corresponding discrimination level are summarized in Table 2. Also included in Table 2 are the assessments of the managers of the holistic states of their respective departments. It is seen that the measurement results from the wiscbe index are almost entirely consistent with those given by the managers. An exception is found in the measurement for the Dalian Locomotive and Rolling Stock Co., Ltd: the department manager assigned a fair state to the holistic state of , while wiscbe is worked out to be 0.610, which is indicative of a good state.

The wiscbe index calculation results are illustrated by the bar chart in Fig. 1. The bar heights compare the annual year holistic states of the information security compliance behaviors of the employees in each department, as well as those between different departments. For instance, for department 1 in the Shanghai data service company, the annual year holistic state improved from a fair state (wiscbe: and 0.587) in and to a good state (wiscbe = 0.713) in . For comparison, the assessment results of the manager of department 1 are taken into account for the three annual years. The manager reported that the holistic state in was better than in and . This is consistent with the variation tendency of the annual year holistic state shown by the bar chart. In the other departments of the three companies, the consistency between the quantitative calculation with the wiscbe index and the department manager's report is also found.

The application of the wiscbe index calculation to a single compliance behavior has also been studied. Consider for example the specific measurement twelve (Media protection) of Appendix A of NIST Special Publication (Revision 1). Here the questionnaire data obtained from departments 1 and 2 in the Shanghai data service company are used for the calculation. The calculated wiscbe index values are summarized in Table 3, and the corresponding bar chart is presented in Fig. 2. The qualitative assessment results of the department manager for this specific measurement are also included in Table 3. The consistency of the results obtained from the two complementary means is again confirmed. Moreover, it is found that the wiscbe index is capable of characterizing the holistic state specified by every single compliance behavior.

The experimental results indicate that the wiscbe index allows quantification and comparison of the holistic states in different departments in the same time interval, and in one department for different time intervals. The criterion for ranking the holistic state is simply the magnitude of the wiscbe index. A smaller wiscbe index value is indicative of a smaller number of compliance behaviors and of a less uniform distribution of the counts of compliance behaviors in a department, thereby signaling an inferior holistic state. The wiscbe index thus provides a simple and effective measure of the holistic state of the information security compliance behaviors of employees in a department. This attribute of the wiscbe index makes an immediate prejudgment on the holistic state of the information security compliance behaviors of employees in a department possible. Moreover, as shown by Fig. 1, the evolution of the holistic state in a department over a long period of time is readily seen. These results are a useful reference for security managers when making decisions. In this case, the wiscbe index appears as a derived measure, playing the role of a roll-up measurement for the assessment of the information security compliance behaviors. Considering the statistical nature of wiscbe, its application to departments/organizations with a large number of employees would be more suitable, and its effectiveness would be more convincing.

The formation of our questionnaire is mainly based on the nineteen candidate measurements of NIST Special Publication (Revision 1). These measurements were originally intended to assess the performance of information security. Here the measurements are adapted to cover the compliance behaviors of employees, viz., what the employees have done or are doing concerning the information security policy of the department/organization. The set of standard information technology terms used in the original measurements in Appendix A of NIST Special Publication (Revision 1) is retained so that the non-equivalence of terms [30, 31] is avoided in the questionnaire. On the other hand, the content validity [32], the uni-dimensionality [33] and the internal consistency of the present questionnaires also depend on these original measurements. As regards the interview with a department manager, a concise structured question is used, and the relevant concepts are defined in advance for reference. It should be mentioned that in a questionnaire or an interview, respondents are naturally unwilling to reveal their true responses to items they perceive might have negative consequences for their personal image or job [19]. There is an inherent difficulty in collecting actual behavior data in the context of information security. In this study, the self-reported behavioral data from employees and the answers from managers are independent and cross-checked, so the unreliability of the data is expected to be reduced to a certain extent.

Table 1. Demographic characteristics of employees
Variable               Mean (mathematical expectation)   Standard deviation   Sample size              Percentage
Age                                                                           6*3; 9*3; 19*3; 10*3
Years of working       6                                 5                    6*3; 9*3; 19*3; 10*3
Degree of education                                                           6*3; 9*3; 19*3; 10*3
Gender: Male                                                                  35                       79%
Gender: Female                                                                9                        21%
Race: Yellow                                                                  6; 9; 19;                %
Note: Values for age, years of working and degree of education are expressed in years; *3 stands for 3 times the sample size (one sample per annual year).

Table 2. Results of the annual year holistic state measurements
Columns: Organization; Department; Measurement period; Questionnaire data; wiscbe index / ranking; Assessment of manager. The rows of each department are listed latest year first, as in the original.

The data service corporation in Shanghai, Department 1
  (17, 15, 15, 11, 13, 15)                                                     0.713 /
  (14, 13, 13, 9, 12, 9)                                                       0.587 /
  (4, 13, 16, 6, 11, 7)                                                        0.544 /
The data service corporation in Shanghai, Department 2
  (7, 13, 11, 9, 10, 11, 12, 17, 11)                                           0.496 /
  (6, 8, 13, 10, 10, 10, 12, 13, 9)                                            0.456 /
  (5, 11, 14, 10, 8, 10, 8, 13, 11)                                            0.449 /
The software corporation in Dalian, a development team
  (10, 16, 12, 7, 18, 10, 16, 13, 17, 8, 18, 14, 10, 15, 8, 9, 11, 10, 14)    0.613 /
  (10, 16, 11, 5, 17, 10, 10, 9, 10, 7, 18, 8, 8, 14, 8, 8, 7, 7, 12)         0.503 /
  (10, 18, 11, 6, 16, 10, 8, 10, 9, 8, 18, 9, 7, 13, 8, 8, 5, 6, 12)          /
Dalian Locomotive and Rolling Stock Co., Ltd, a department
  (14, 10, 9, 11, 12, 14, 13, 18, 12, 10)                                      0.610 /
  (14, 7, 8, 11, 13, 14, 13, 13, 12, 10)                                       0.569 /
  (13, 6, 6, 10, 11, 8, 13, 7, 12, 10)                                         0.472 /

Table 3. Measurement results of a single information security compliance behavior
Columns: Organization; Department; Year; Questionnaire data; wiscbe index / ranking; Assessment of manager.

The data service corporation in Shanghai, Department 1
  (20, 10, 10, 16, 16, 16)                      0.672 /
  (20, 10, 10, 16, 16, 10)                      0.667 /
  (20, 10, 10, 16, 10, 10)                      0.616 /
The data service corporation in Shanghai, Department 2
  (20, 10, 4, 16, 4, 10, 10, 20, 16, 16)        0.600 /
  (10, 10, 4, 16, 10, 4, 10, 20, 10, 16)        0.526 /
  (16, 4, 4, 16, 4, 0, 10, 20, 10, 16)          0.445 /

Figure 1. Bar heights showing the magnitudes of wiscbe of the annual year holistic states over the three annual years in the four departments of three Chinese companies (y-axis: wiscbe values; x-axis: annual year; series: Shanghai department 1, Shanghai department 2, Dalian Software, Dalian Locomotive).

Figure 2. Bar heights showing the magnitudes of wiscbe of the annual year holistic states over the three annual years in the two departments of the data service corporation in Shanghai (y-axis: wiscbe values; x-axis: annual year; series: Department 1, Department 2).

5. Conclusion

The holistic state of the information security compliance behaviors of all employees in a department/organization has been studied. The weighted information security compliance behaviors entropy (wiscbe) index is proposed to measure and rank a holistic state. The values of the wiscbe index are readily separated in the interval [0, 1]: the larger the magnitude of the wiscbe index, the better the holistic state. An experiment has been designed to test the effectiveness of this index in ranking holistic states. The results indicate that the wiscbe index is capable of measuring and comparing the holistic states in different departments/organizations in the same period of time, and in one department/organization in different time intervals. The wiscbe index can be a useful reference for security managers to inspect the trend of the information security compliance behaviors of employees at the team, department or organizational level.

6. Acknowledgement

The authors acknowledge the support of the National Natural Science Foundation of China (No. /G0211 and No. /G0211) and Dalian University of Technology (No. DUT12Z D208).

7. References

[1] Keshnee Padayachee, Taxonomy of Compliant Information Security Behavior, Computers & Security, Elsevier, vol. 31, no. 5.
[2] Rossouw Von Solms, Basie Von Solms, From Policies to Culture, Computers & Security, Elsevier, vol. 23, no. 4.
[3] Jeffrey M. Stanton, Paul R. Mastrangelo, Kathryn R. Stam, Jeffrey Jolton, Behavioral Information Security: Two End User Survey Studies of Motivation and Security Practices, in Proceedings of the Tenth Americas Conference on Information Systems, p. 175.
[4] Jeffrey M. Stanton, Kathryn R. Stam, Paul Mastrangelo, Jeffrey Jolton, Analysis of End User Security Behaviors, Computers & Security, Elsevier, vol. 24, no. 2.
[5] Cheryl Vroom, Rossouw Von Solms, Towards Information Security Behavioural Compliance, Computers & Security, Elsevier, vol. 23, no. 3.
[6] Michael Workman, Gaining Access with Social Engineering: An Empirical Study of the Threat, Information Systems Security, Taylor & Francis, vol. 16.
[7] Salvatore Aurigemma, Raymond Panko, A Composite Framework for Behavioral Compliance with Information Security Policies, in Proceedings of the 45th Hawaii International Conference on System Sciences.
[8] IATAC, Measuring Cyber Security and Information Assurance: State-of-the-Art Report, IATAC, iac.dtic.mil/iatac/download/cybersecurity.pdf.
[9] Rostyslav Barabanov, Stewart Kowalski, Louise Yngström, Information Security Metrics: State of the Art, DSV Report Series.
[10] Detmar W. Straub, Jr., William D. Nance, Discovering and Disciplining Computer Abuse in Organizations: A Field Study, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 14, no. 1, pp. 45-60, 1990.
[11] Qing Hu, Tamara Dinev, Paul Hart, Donna Cooke, Managing Employee Compliance with Information Policies: The Role of Top Management and Organizational Culture, Decision Sciences, Decision Sciences Institute, vol. 43, no. 4.
[12] Burcu Bulgurcu, Hasan Cavusoglu, Izak Benbasat, Information Security Policy Compliance: An Empirical Study of Rationality-based Beliefs and Information Security Awareness, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 34, no. 3.
[13] Catherine L. Anderson, Ritu Agarwal, Practicing Safe Computing: A Multi-method Empirical Examination of Home Computer User Security Behavioral Intentions, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 34, no. 3.
[14] Allen C. Johnston, Merrill Warkentin, Fear Appeals and Information Security Behaviors: An Empirical Study, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 34, no. 3.
[15] Merrill Warkentin, Robert Willison, Behavioral and Policy Issues in Information Systems Security: The Insider Threat, European Journal of Information Systems, Palgrave Macmillan, vol. 18, no. 2.
[16] Seppo Pahnila, Mikko Siponen, Adam Mahmood, Employees' Behavior Towards IS Security Policy Compliance, in Proceedings of the 40th Hawaii International Conference on System Sciences, paper 156.
[17] Robert E. Crossler, Allen C. Johnston, Paul Benjamin Lowry, Qing Hu, Merrill Warkentin, Richard Baskerville, Future Directions for Behavioral Information Security Research, Computers & Security, Elsevier, vol. 32.
[18] M. Adam Mahmood, Mikko Siponen, Detmar Straub, H. Raghav Rao, T. S. Raghu, Moving Toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 34, no. 3.
[19] Merrill Warkentin, Detmar Straub, Kalana Malimage, Measuring Secure Behavior: A Research Commentary, in Proceedings of the Annual Symposium on Information Assurance, pp. 1-8.
[20] Robert Willison, Merrill Warkentin, Beyond Deterrence: An Expanded View of Employee Computer Abuse, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 37, no. 1, pp. 1-20.
[21] Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, Will Robinson, Performance Measurement Guide for Information Security, NIST Special Publication Revision 1, gov/publications/nistpubs/ Rev1/SP rev1.pdf.
[22] Albert-László Barabási, The Origins of Bursts and Heavy Tails in Human Dynamics, Nature, NPG, vol. 435.
[23] Claude Elwood Shannon, A Mathematical Theory of Communication, The Bell System Technical Journal, American Telephone and Telegraph Company, vol. 27.
[24] C. Radhakrishna Rao, Diversity: Its Measurement, Decomposition, Apportionment and Analysis, The Indian Journal of Statistics, Springer, vol. 44 (series A), no. 1, pp. 1-22.
[25] Sandrine Pavoine, Sylvain Dolédec, The Apportionment of Quadratic Entropy: A Useful Alternative for Partitioning Diversity in Ecological Data, Environmental and Ecological Statistics, Springer, vol. 12.
[26] Kenneth D. Bailey, Social Entropy Theory, State University of New York Press, USA.
[27] Erwin R. Boer, Behavioral Entropy As an Index of Workload, in Proceedings of the Human Factors and Ergonomics Society Annual Meeting.
[28] Michael A. Goodrich, Erwin R. Boer, Jacob W. Crandall, R. W. Ricks, Morgan L. Quigley, Behavioral Entropy in Human-robot Interaction, in Proceedings of the Performance Metrics for Intelligent Systems Workshop, paper 12.
[29] Raquel Benbunan-Fich, An Entropy Index for Multitasking Behavior, in Proceedings of the International Conference on Information Systems, paper 2.
[30] Ronald K. Hambleton, Liane Patsula, Adapting Tests for Use in Multiple Languages and Cultures, Social Indicators Research, Springer, vol. 45, no. 1-3.
[31] Janet A. Harkness, Questionnaire Translation, in: Harkness J. A., Van de Vijver F. J. R., Mohler P. Ph. (editors), Cross-cultural Survey Methods, John Wiley & Sons, pp. 35-56.
[32] Stephen N. Haynes, David C. S. Richard, Edward S. Kubany, Content Validity in Psychological Assessment: A Functional Approach to Concepts and Methods, Psychological Assessment, American Psychological Association, vol. 7, no. 3.
[33] David W. Gerbing, James C. Anderson, An Updated Paradigm for Scale Development Incorporating Uni-dimensionality and Its Assessment, Journal of Marketing Research, vol. XXV.

Appendix 1: Questionnaire and Interview

Questionnaire (Respondents: all employees). Each questionnaire item corresponds to one of the candidate measurements of NIST Special Publication (Revision 1), plus the additional measurement 20 introduced in this study.

Measurement 1: Security budget. Item 1: Does the security budget of the department have any influence on the information security compliance behavior of the employee?
Measurement 2: Vulnerability management. Item 2: Have high vulnerabilities of the information system been mitigated in time by the employee?
Measurement 3: Access control. Item 3: Have unauthorized remote accesses to the information system been blocked by the employee?
Measurement 4: Awareness and training. Item 4: Has the employee been trained concerning information security?
Measurement 5: Audit and accountability. Item 5: Has the employee ever checked the contents of the audit reports on improper information security behaviors in the department?
Measurement 6: Certification, accreditation and security assessments. Item 6: Has the employee ever used software without security certification?
Measurement 7: Configuration management. Item 7: Have the configurations of the hardware been changed by the employee without authorization?
Measurement 8: Contingency planning. Item 8: Has the employee ever taken part in the annual contingency exercise?
Measurement 9: Identification and authentication. Item 9: Have legitimate usernames and passwords always been used by the employee to access the information system?
Measurement 10: Incident response. Item 10: Have information security incidents been reported in time by the employee?
Measurement 11: Maintenance. Item 11: Has security maintenance been performed by the employee following the formal procedures?
Measurement 12: Media protection. Item 12: Have the data been wiped from discarded USB sticks by the employee?
Measurement 13: Physical and environmental protection. Item 13: Has the employee ever entered the computer facilities without authorization?
Measurement 14: Planning. Item 14: Have the rules of behavior acknowledgements for information security been signed by the employee?
Measurement 15: Personnel security. Item 15: Has the information system ever been used by an unauthorized employee?
Measurement 16: Risk assessment. Item 16: Have the security vulnerabilities of the information system been remediated by the employee following the procedures regulated by the information security policy?
Measurement 17: System and services acquisition. Item 17: Have the information security requirements been emphasized by the employee in the acquisition of information systems and services?
Measurement 18: System and communications protection. Item 18: Have cryptographic operations been performed strictly on the employee's laptop?
Measurement 19: System and information integrity. Item 19: Have patching programs for the computer operating system been set up by the employee?
Measurement 20: Initiative study of information security policy. Item 20: Has the employee ever studied the clauses of the information security policy on his or her own initiative?

Interview (Respondents: department managers)
Please refer to the definition of the information security compliance behavior, NIST Special Publication (Revision 1), and the twenty items involved in the survey questionnaire to assess the annual year (, and ) holistic states of the information security compliance behaviors of all employees in your department: 1. Excellent; 2. Good; 3. Fair; 4. Poor; 5. Bad.
