This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Abstract-Effective user security awareness campaign can greatly enhance the information assurance posture of an organization. Information security includes organizational aspects, legal aspects, institutionalization and applications of best practices in addition to security technologies. User awareness represents a significant challenge in the security domain, with the human factor ultimately being the element that is exploited in a variety of attack scenarios. Information security awareness program is a critical component in any organizations strategy. In contrast to other information security awareness work which mostly explains methods and techniques for raising information security awareness, this paper discusses and evaluates the effectiveness of different information security awareness tools and techniques on the basis of psychological theories and models. Finally, it describes how to measure information security awareness in an organization and explains an information security campaign conducted by Al-Rajhi bank in the light of our proposed model.
Keywords: information security, awareness, effectiveness.
Information is one of the resources that an organization is heavily dependent on. If the critical information of an organization is compromised, the organization can suffer serious consequences, i.e. in the form of loss of income, loss of customers' trust and maybe legal action etc. Therefore, information should be protected and secured.
Information security awareness is about guaranteeing that all employees are aware of the rules and regulations regarding securing the information within organization. Information security awareness should therefore form an integral part of any organizations' overall information security management plan.
Many organizations use readymade information security awareness tools developed by some of the international information security companies, whereas some organizations make their own awareness tools according to the needs of the organization.
By implementing information security awareness program it is not guaranteed that every audience have understood and obeyed the guidelines, therefore, it is necessary to measure how much a particular method is effective in fulfilling its purpose.
The rest of the paper is organized as follows: Section 2 explains related work, whereas Section 3 proposes a model on the basis of psychological theories to find out effectiveness of tools. Section 4 describes some information security awareness tools and evaluates their effectiveness on the basis of the proposed model and Section 5 compares the effectiveness of the methods. Section 6 is on information Security Awareness metrics. Section 7 is on Al-Rajhi bank case study and Section 8 finally concludes this paper.
2. Related Work
Kruger and Kearney developed a prototype model for measuring information security awareness in an international gold mining company . They measured the effectiveness of information security awareness program on the basis of knowledge, attitude and behavior. However, their research lacks the study of the underlying theory of the model.
Hagen et al. conducted research by analyzing answers of research question from 87 information security managers in Norwegian organizations . Albrechtsen et al. described 'information security dialogue' as an effective tool for increasing awareness, however, the study lacks the fact that how effective is their approach as compared to other approaches of awareness .
According to Levin and Klev for a successful organizational learning, and change and development employee's participation and collective reflection are very important .
In order to increase awareness level, knowledge should be given to the audience as stated by Forcht, education is necessary for increasing user's ethical awareness . In addition, for the protection of critical information assets security education campaign helps changing manager's and employee's attitude and behavior .
Although research has been done in the area of information security awareness, however the literature lacks the study on the effectiveness of information security awareness methods on the basis of psychological theories and does not describe the underlying theory of these methods. Psychology is the science of mind and behavior. Social psychology has been used for many years for research in the area of education, learning and human behavior. In this paper we evaluate the effectiveness of each tool and technique on the basis of our proposed model which is the integration of KAB model  and Theory of Planned Behavior (TPB) .
3. Research Design and Methodology
Information security awareness can be defined as the individual's passive involvement and increased interest towards certain issues and it is considered one of the key components of consciousness-raising the other being action . According to information security forum , information security awareness can be defined as the extent to which every member of staff understands the importance of information security, the levels of information security appropriate to the organization, their individual security responsibilities, and acts accordingly. Different researchers have defined information security awareness; however, this study is based on the definition done by Information Security Forum .
Many information security awareness interventions are based on Knowledge-Attitude-Behavior (KAB) model which mainly focuses on the knowledge aspect of the human being  . According to KAB model, as knowledge accumulates in a relevant behavior, e.g., information security, health, environment, education etc., changes in attitude are initiated. It basically explains the role of knowledge in the behavior change and the accumulation of knowledge. Such accumulation of knowledge in KAB model leads to change in attitude and finally behavioral change. Research in health awareness  and environmental awareness  shows that knowledge can be integrated in other conceptual framework in order to understand the process of change, but increase in knowledge is not the ultimate factor of change in behavior. It means that more than one variable affect behavior.
Thus, the KAB model, by itself is not sufficient to bring change in attitude and behavior for long term. In order to understand the change in attitude and behavior and how a change in attitude leads to change in behavior we borrow the support of the Theory of Reasoned Action (TRA) or Theory of Planned Behavior (TPB) . This theory explains relation between attitude and behavior and includes both the direct attitude-behavior path as well as an indirect attitude-intention-behavior path  .
According to the theory of planned behavior, the change in behavior depends on the intention of the person. There are two factors that influence intention. One factor is attitude and the other is subjective norms . So the level of intention towards an action will be higher if the person has a more positive attitude and more of a subjective norm towards the behavior. The attitude is what the person likes or dislikes whereas subjective norm is the person's belief what people think about him should be done. These two factors together cause intention which leads to change in behavior.
To evaluate the effectiveness of information security awareness interventions, we propose a five step stair model. These steps are knowledge, attitude, normative belief, intention and behavior, where knowledge is considered as the foundation pillar of the model. Our proposed model takes the Knowledge attribute from the KAB-model and attitude and social norms from the Theory of Planned Behavior to achieve the desired change in behavior. Table 1 lists three information security methods from formal and four from informal instruction methods  and shows their respective effectiveness in the form of 5 points likert scale, where 5 being most effective and 1 being less effective. In table 1 the tick or 'x' mark below each component indicates its presence or absence in the respective information security awareness campaign. The overall effectiveness of a campaign method can be found by counting the number of tick marks in the respective campaign method. The more a security awareness method contains elements from the model, the more it will be considered effective in raising the awareness level.
4. Effectiveness of Information Security Awareness Tools
As we have formulated that how to measure the effectiveness of information security awareness methods, now we will find out the effectiveness of the following methods one by one:
1) Educational Presentation
2) Email Messaging
3) Group Discussions
4) Newsletter Articles
5) Video Games
4.1 Educational Presentation:
Behavior change objectives refer to intended changes in audience's actual behavior. Campaigns and behavior change objectives, together contribute to the overall program objective which refers to awareness. Education is often seen as the key to changing behavior.
Different types of awareness campaigns are based on different psychological theories that focus on different aspects of human psychology. Usually the education campaigns target the knowledge aspect of the human and it ignores the motive behind the human behavior. Knowledge is not the motive for the human information security behavior; however, the lack of knowledge is a barrier in developing a desired behavior.
In educational information security awareness campaigns information is provided to the audience. Therefore these campaigns are mere the source of transfer of information and knowledge from the presenter to the audience. For example, information
Figure 1: Five step ladder model for measuring information security awareness
security awareness presentations provide information regarding password management, email management, virus protection, and organization's information security policies.
Although this is very useful information but increase in information does not lead to a change in behavior and awareness. Social norms which are more effective in causing intention are missing in presentation. In addition, these campaigns are cheap, but boring and ineffective.
Now comparing the components of presentation with our proposed model (figure 1), it is clear that information security awareness presentations are more informative and provides more knowledge, therefore they can change the attitude but due to the missing component of subjective norms the component of intention of the audience remains unchanged. Therefore the overall effectiveness of information security awareness presentation is 4 points as shown in table 1.
4.2 Email Messaging:
One type of campaign for information security awareness is email messaging. These messages disseminate useful information regarding phishing, social engineering, password management and information security incidents. This method is effective in providing security related information and hence increases information security knowledge of the recipient. However, reading email message does not mean the message has been understood and internalized. Therefore, this method is insufficient in changing the attitude of the employee as this is one way communication and may not catch the attention of the recipient.
Using email messaging for information security awareness is good in providing information and knowledge. This method catches attention and cannot change the behavior therefore effectiveness stops on the second step of the model (figure 1), i.e., the overall effect of this method in raising information
Table 1: Information security awareness methods effectiveness
security awareness is only 3 points as shown in table 1.
4.3 Group Dialogue:
One type of information security awareness intervention is an informal meeting in which there is no one way communication. In this meeting about 15-20 individuals of an organization participate and the participants take full advantage of sharing knowledge and experience . Different information security key issues are picked one by one and discussed; all participants are given equal opportunity to explain his point of view. In addition, organization policy regarding information security is discussed.
Participants are asked to describe any information security incident happened with them and whether those incidents were reported. The consequences of such security incidents are discussed among the participants. Such strategy of discussing incidents in workshops is good to motivate the participants. This strategy is based on the theory of reasoned action, which changes which is changing intention through attitude change and social norms. Group discussion involves participants in the group conversation that increases the information security related attention and intention of the participants . Group discussion and meetings are more of interactive type and hence more effective.
This approach has been found useful in increasing the awareness level by the use of knowledge, attention, attitude, social norms, motivation and behavioral strategies. This approach uses social norms and interaction that influence individual understanding of information security.
In addition it is interactive and engages all the participants. Due to the environment participants know about information security attitudes of each other and therefore increases their motivation to adopt positive information security behavior. This method of intervention accumulates all components of our proposed model (figure 1) and therefore the overall effectiveness of information security related awareness related Group Dialogue is 5 points (see table1).
4.4 Articles in Newsletters:
Newsletter is a monthly or quarterly one to four pages information security report. These reports can be both in electronic or print format. They are distributed among the employees within organization and are designed with the aim to increase employee's information security awareness. It has a company logo on it with the date on which the newsletter was issued. The newsletter discusses the new emerging threat, for example, newly discovered viruses, information security incidents and useful guidelines for information security. These newsletters are good in transferring information security knowledge.
However, it is not possible for the security managers to know whether the employees have read the newsletter and they have understood and internalized it or not.
Newsletters are also very informative and knowledgeable material due to which they are good in changing attitude towards information security awareness. However, it does not have the component of subjective norms, due to which it cannot change the reader's intention and so behavior. The overall effectiveness of Information Security Newsletters, according to our proposed model is only 2 points.
4.5 Video Games:
Some information security awareness researchers have proposed the use of video games to increase information security awareness , . This technique is also used by researchers in other disciplines to increase health   and environment risk awareness  . It is claimed by the researchers that video game is a good technique in motivating player towards adapting the desired behavior as it catches the player's attention and engages him. However, this method does not have a component of knowledge transfer unless the player has already gained the information security knowledge before starting the game. In addition, it is related to information security in general and does not specifically reflect the policy of the organization or organization's related security issues. In our proposed model, knowledge is the foundation pillar for the increasing information security awareness and behavior.
Video games are more interactive and keep the player engaged. They are beneficial in changing attitude; however, they are not a very good source of knowledge. Due to good source of motivation they can lead to a very limited change in behavior therefore the overall effectiveness of video game on one's information security awareness is only 2 points.
Computer based training has several advantages over conventional methods of information security awareness. CBT is available at all times to all employees within the organization and it is an effective method of information security awareness training. The employees of the organization can acquire the desired training at their own pace. However, CBT requires more resources and do not reflect the organization's policies. They are readymade. In addition this method lacks the benefit of interaction between instructor and audience and among the audience. Therefore, a social norm which is one of the components of our proposed model is missing in this technique. Due to the missing component of social norms human's information security intention and behavior does not change, therefore, the overall effectiveness of CBT is 2 (table 1).
Posters are simple and effective reminders of information security that catches end user attention and reminds basic information security rules. Posters require fewer resources. Catchy slogans and attractive designs greatly contribute to the effectiveness of posters. In addition to the design and contents of the posters, location where the poster is displayed also attracts the attention of the viewer. Posters displayed in high traffic area are more likely catch the attention of the viewers.
However, relying on information security awareness posters alone is impractical as it is not possible to explain something on posters. In addition, a social norm which has a great contribution is missing in the posters. Due to the missing component of social norms, intention cannot be changed and therefore, information security related behavior remains unchanged. Hence the overall effectiveness of posters is only 2 as shown in table 1.
5. Comparative study of the effectiveness of information security awareness tools:
In the above section (section 4), the effectiveness of several information security awareness campaigns have been measured one by one. The overall effectiveness of each of them is shown in table 1. The most effective of them is information security related group discussion. It considers all components of the proposed model namely knowledge, attitude, social norms and intention. Information security awareness presentations are the second most effective method for increasing awareness as shown in figure 2. Email messaging is the third effective method whereas newsletters, video games, CBT and posters are fourth effective methods for increasing information security awareness.
6. Information Security Awareness Metrics:
According to NIST 800-50 and NIST 800-55, metrics is defined as tools to facilitate decision making, improve performance and accountability and help determine an organization's IT security awareness and training. Information security managers need methods to measure the information security awareness level of employees of
Figure 2: Comparison of effectiveness of ISA tools
their organization. A thorough literature review is failed to provide a universally accepted and validated measure of information security awareness. In this section we present the methods to measure the information security awareness. These metrics are specific, measureable etc.
6.1 Security related helpdesk calls:
Information security awareness of employees can be measured by counting security related calls to helpdesk. However, the type of calls to the helpdesk varies and therefore every call to the helpdesk cannot be counted in the measurement of awareness. For example if the calls are for resetting the password to unlock the account then this is due to the ignorance of the user. But if an employee or customer calls helpdesk for the advice regarding choosing password then it is counted in measuring information security awareness level. The more the number of such calls to helpdesk the more the level of information security awareness in the organization.
6.2 Accesses to unauthorized online services:
Some organizations do not allow the use of certain online services which are not related to the organization's business. With the use of automated tools it is possible to find out the number of attempts made to access those unauthorized services. Such measurement can be done on monthly or quarterly depending the information security management policy of the organization.
6.3 Accesses to information security intranet pages:
Many organizations create informative websites for the purpose of information security awareness training of the employees. Employees are instructed to visit those pages for the information security awareness training. The gradual increase in the number of hits to the website shows an increased interest of employees in information security awareness. The number of hits means the number of users being exposed to the information security awareness material.
6.4 Survey questionnaires based on knowledge:
A survey based on information security questionnaire can be conducted within the organization among the employees. Unlike other types of measure this survey assesses the knowledge of the employees about information security which indirectly measures the information security awareness level. Such includes question like, How to make a strong password? Is it secure to open an email from unknown sender? Do you leave the system unlocked while away from the desk? Or do you lock the system before leaving? Such type of survey has many advantages and gives a clear whether the employees have knowledge about information security. Thus an increase in the correct answers of the survey shows an increase level in information security awareness. Such survey can be conducted monthly or quarterly depending on the policy of the organization to measure the level of information security awareness within organization.
6.5 Phishing emails:
It is beneficial to find out the number of phishing emails that have been opened by the employees of the organization. The number of accessed phishing emails shows the level of information security awareness. The more is the number of phishing emails accessed, the less the level of awareness. Information security conscious users will less likely access suspected phishing emails. Such information can be collected either by asking employees whether they have received any phishing emails in a specified period of time or using an automated tool.
6.6 Security Incident Database:
Information security awareness can also be measured by counting the number of security incidents being reported. It also indicates the awareness of the user who knows who to contact when an information security incident occurs. Therefore, increase in the number of reported incidents as compared to the number of unreported incidents shows the increase level of information security awareness.
In addition to the above strategies, the statistics of increase and decrease in the number of Trojan horse attacks and analysis of log files of intrusion detection system can assist in measuring the information security awareness.
Table 2: Information Security Awareness metrics
7. Case Study: Survey of Information Security Awareness of online users of Al-Rajhi Bank:
Al-Rajhi bank is one of the largest banks in the kingdom of Saudi Arabia, founded in 1957. It has over one million customers including business customers. The number of employees working in Al-Rajhi bank is over 7,447. It has about 550 branches more than 2600 ATM's, 16700 POS terminals installed with merchants and the largest customer base of any kind in the kingdom. Apart from Saudi Arabia, it has branches operating in Malaysia, Kuwait and Jordan.
Al-Rajhi bank uses latest information technology to provide better service to its customers. Like other banks and financial organizations, Al-Rajhi bank also faces internal and external threat in terms of customer's identity theft. The management of Al-Rajhi bank agreed to assist us in the information security awareness program. The output of which was to find the effectiveness of two information security awareness raising methods.
8. Conclusion and future work
This research is a theoretical study of information security awareness based on the psychological theories of awareness and behavior. This study shows that psychological theories of education, learning, environmental and health behavioral change can be used to make information security awareness methods more effective. It further clarifies that the aim of many information security campaigns is to increase information security knowledge. Many post-campaign surveys ask questions focusing mainly on the knowledge of the participant and not behavior. Answering questions correctly does not mean that the user is motivated to behave according to the knowledge they gained during the campaign.
According to this study this is the actual behavior which, in fact, reflects the awareness of the end-users before and after the information security awareness program.