The Enemy Within:

A Behavioural Intention Model and an Information Security Awareness Process

Tapiwa Gundu Stephen V Flowerday

Department Information Systems Department Information Systems
University of Fort Hare University of Fort Hare
East London, South Africa East London, South Africa
[email protected] [email protected]

Abstract—Most employees in small and medium enterprise Engineering firms rely heavily on digital information stored
(SME) engineering firms now have access to their own personal on networked servers. This information includes patented and
workstations which have become part of their daily functions. unpatented private and confidential designs, drawings and
This has led to an increased need for information security client information that are prone to security threats.
management to safeguard against loss/alteration or theft of the Engineering SMEs tend to ignore the risk of the uninformed
firm’s important information. SMEs tend to be concerned with employee and be more concerned with vulnerabilities from
vulnerabilities from external threats, although industry research external threats although industry research suggests that the
suggests that a substantial proportion of security incidents uninformed employee not behaving securely may expose the
originate from insiders within the firm. Hence, physical
firm to serious security risks (data corruption, deletion,
preventative measures such as antivirus software and firewalls
are proving to solve only part of the problem as the employees
commercial espionage, etc.) [33]; [1]; [6]; [22]; [5].
controlling them do not have adequate information security An uninformed employee (insider) may expose the firm’s
knowledge. This tends to expose the firm to costly mistakes that information assets to risk by making naïve mistakes, visiting
can be made by naïve/uninformed employees. This paper malware infested websites, responding to phishing emails,
presents an information security awareness process that seeks to using weak passwords, storing their login information in
cultivate positive security behaviours using the behavioural unsecured locations, or giving out sensitive information over
intentions models i.e. the Theory of Reasoned Action and the
the phone when exposed to social engineering techniques. The
Protection Motivation Theory. The process presented has been
unintentional insecurity by the employee is not an attempt to
tested at an SME engineering firm, and findings are also
presented and discussed in this paper. discredit the firm or make a profit by selling confidential data,
but rather as a result of inadequate employee training on
Keywords- Information Security Awareness; Security security, or lack of security awareness of the consequences of
Behaviour their actions. The weakness they present can never be totally
eliminated, but a well-structured security awareness campaign
helps to reduce the risk to acceptable levels [19]; [22].
I. INTRODUCTION The insider risk to the firm can be divided into 2 categories,
SMEs, especially those in the engineering sector, are intentional and unintentional risk. This paper focuses on
continually investing significantly in their overall Information unintentional insecurity/naïve mistakes although intentional
and Communication Technologies (ICTs) making Information insecurity/dangerous tinkering by disgruntled employees is also
Security a major concern for the safeguarding of their significant. This is an area still open for further research.
information assets [10]; [15]. SME engineering firms often assume significant trust levels
Most of these SMEs have information security policies from employees; hence they believe information security
providing a solid foundation for the development and awareness is not an issue for them [42]. Ironically, it is more
implementation of secure practices within the firms. These important for SMEs compared to larger firms as employees
policies present the rules that must be adhered to [19]. The often have multiple roles and thus have access to a variety of
existence of these formal security policies does not necessarily financial, organizational, customer, and employee information
mean that employees will adhere to the rules [10]. as well access to multiple services such as the Internet and
Subsequently, the employees need to be aware of the security email. Furthermore, there is less segregation of duties in SME
practices prescribed in the policy. Information security engineering firms, thus less control over access to information.
awareness and training are frequently used for training Whilst exposed to the same threats and vulnerabilities as large
employees towards safe information security behaviour. This organisations, SMEs also do not have access to the same level
ensures employees realise the importance of security and the of resources [42]; this makes their risk even higher than larger
adverse consequences of security failure and that there is the organisations.
potential for people to deliberately or accidentally steal, This paper bases its argument on two principal theories, the
damage, or misuse data stored within a firm’s information Theory of Reasoned Action (TRA) [3] and the Protection
systems and throughout the organisation [20]. Motivation Theory (PMT) [28]. Previous works have used

978-1-4673-2159-4/12/$31.00 ©2012 IEEE

Authorized licensed use limited to: University of Johannesburg. Downloaded on October 07,2023 at 08:11:45 UTC from IEEE Xplore. Restrictions apply.
research frameworks that integrated TRA and PMT with other summary, information security awareness campaigns will help
theories (e.g. [13]; [10]; [30]). According to Anderson and change employee attitudes towards security and will aid in
Agarwal’s [27] review of literature in this area no prior communicating the firm’s expectations to the employees.
information security research has used both theories in a single
information security study.
2.2 Protection Motivation Theory
The purpose of this paper is to examine the factors that
influence employee behaviour towards information security Protection Motivation Theory (PMT) was developed by
and present a practical design of an information e-learning Rogers (1983). It was developed from the expectancy-value
based security awareness process that can be used by SME theories and the cognitive processing theories: its aim being to
engineering firms in order to cultivate positive employee assist and clarify fear appeals. PMT has been noted as one of
information security behaviour. The remainder of the paper is the most powerful explanatory theories for predicting an
organised as follows: first, information about the study’s individual’s intention to engage in protective actions [27].
theoretical foundation is presented; second, presentation of the Information security awareness and training instil knowledge
proposed information security awareness process; next, in the employees and assists in motivating protection. In
information about the analysis and results is presented; the essence, protection motivation emanates from both the threat
paper concludes by discussing its findings. appraisal and the coping appraisal. Threat appraisal describes
an individual’s assessment of the level of danger posed by a
threatening event [28]; [40]. It is composed of the following
II. THEORETICAL BACKGROUND two items:
Based on the problem presented in the preceding section, (i) Perceived vulnerability i.e. an employee’s assessment of
this section serves to propose, explain and relate the Theory of the probability of threatening events. In this study, threats
Reasoned Action (TRA) and the Protection Motivation Theory resulting from noncompliance with the firm’s information
(PMT) to the study. security policy (ISP).

2.1 Theory of Reasoned Action (ii) Perceived severity i.e. the severity of the consequences of
the event. In this instance, imminent threats to the firm’s
TRA framework specifically evaluates the relative information security arising from noncompliance with the
importance of two incentive components: (1) attitude (2) firm’s ISP.
subjective norm. It suggests that a person's Behavioural
Intention (BI) depends on the person's Attitude (A) about the The coping appraisal aspect of PMT refers to the employee’s
behaviour and Subjective Norms (SN) i.e. (BI = A + SN). assessment of his or her ability to cope with and avoid the
Attitude towards behaviour is defined as the individual's potential loss or damage arising from the threat [40]. Coping
positive or negative feelings about performing a behaviour. appraisals are made up of three sub constituents:
Subjective norm is defined as an individual's perception of
whether people important to the individual think the behaviour (i) Self-efficacy: this factor emphasizes the employee’s ability
should be performed. As a general rule, the more favorable the or judgment regarding his or her capabilities to cope with or
attitude and the subjective norm, the greater the perceived perform the recommended behaviour. In the context of this
control and therefore the stronger the employee’s intention to paper, it refers to the sorts of skills and measures needed to
perform the behaviour in question [7]; [23]; [17]; [29]. protect the firm’s information asset [11]; [40]; [30].
The Theory of Reasoned Action helps to explain how the (ii) Response efficacy: this factor relates to the belief about the
employee’s attitude towards security and the employee’s perceived benefits of the action taken by the individual [28].
perceived corporate expectation affects the employee’s Here, it refers to the compliance with the information security
behaviour towards information security. The employee’s policy as being an effective mechanism for detecting a threat
attitude and perceived expectations influence the employee’s to the firm’s information assets.
behavioural intention. (iii) Response cost: this factor emphasizes the perceived
The employee’s attitude is affected by cultural, opportunity costs in terms of monetary, time and effort
dispositional and knowledge influences. Cultural influences expended in adopting the recommended behaviour, in this
are associated with the employee’s background. Dispositional instance the cost of complying with the ISP.
influences are associated with the employee’s usual way of Previous research have used PMT and found it useful in
doing things. Knowledge influences are associated with the predicting behaviours related to an individual’s computer
level of knowledge of the subject in question. The employee’s security behaviour both at home and in the work situation [9];
attitude can therefore be moulded, by information security [27] as well as Information Security Policy (ISP) compliance
awareness and training. The subjective norm is what the [10]; [30].
employee perceives the firm requires of him/her and perception
of how peers would behave in similar scenarios [9], [30]; [13]. III. THE RESEARCH MODEL
Corporate expectations can therefore be communicated to Following the preceding discussion, the research model
employees via information security and training sessions. In implemented in this study is presented in Figure. 1. It can be

Authorized licensed use limited to: University of Johannesburg. Downloaded on October 07,2023 at 08:11:45 UTC from IEEE Xplore. Restrictions apply.
observed that both the TRA and PMT can be fused to effect Response cost will have a negative effect on ISP
desirable behavioural intention. Discussions on the research compliance behavioural intention. When an individual
hypotheses are represented next. possesses requisite knowledge about the effectiveness of a
recommended coping mechanism in providing protection from
a threat or danger, the individual is more likely to adopt an
TRA adaptive behaviour [28]; [40]; [9]. On the other hand, if the
Subjective Norms individual has less belief regarding the effectiveness of a
measure, he or she may not readily accept it [18]. Accordingly,
Attitude individuals who believe that their organization’s ISP has
guidelines and coping mechanisms to avert threats and dangers
Behavioural Intention in their context, they are more likely to develop an intention to
PMT adopt it [10].
Threat Appraisal
Towards Policy
Perceived vulnerability Compliance Response efficacy will have a positive effect on ISP
compliance behavioural intention. In general, when employees
Perceived severity perceive a threat, they often adjust their behaviours in response
Towards Positive to the amount of risk and determine if they are willing to accept
Coping Appraisal Security Culture
the threat or not [8]; [41]. Thus, an individual’s perceived
Response efficacy severity tends to be positively linked to their intentions to
follow protective actions [36]. If an individual perceives a
Response cost
threat to his or her firm’s Information Systems (IS) assets, such
Self-efficacy an individual will more than likely follow guidelines and
requirements laid out in their ISP [13]; [30].
. Perceived severity will have a positive effect on ISP
Figure 1: Behavioural Intention Model compliance behavioural intention with respect to safe
computing in the firm; however, individuals who view
Subjective norms will have a positive effect on ISP themselves immune to security threats are more likely to ignore
compliance behavioural intention. TRA indicates that security measures at work [10]; [13]; [30]. On the other hand, it
individuals’ attitudes impact behavioural intentions [24]. To is reasonable to expect that an individual who perceives high
that end, a positive attitude toward ISP compliance bodes well vulnerability to their firm’s information system resource will
for ISP compliance and good behavioural intention. be more likely to adopt protective behaviours.
Conversely, negative attitudes will diminish an individual’s
ISP compliance and good behavioural intention. Thus, Therefore, perceived vulnerability will have a positive
individuals with positive beliefs and values about their firm’s effect on Information Security Policy (ISP) compliance
ISP will display favourable tendencies towards complying with behavioural intention.
such rules, requirements, and guidelines [10]; [13].
Attitude toward Information Security Policy (ISP)
IV. METHODOLOGY - (THE INFORMATION SECURITY
compliance will have a positive effect on ISP compliance
AWARENESS PROCESS)
behavioural intention. With respect to ISP, it is to be expected
that individuals with high information security capabilities and
competence will appreciate the need to follow organizational Information security theories posit that in order for security
ISPs and such individuals may be better placed to realise the efforts to be effective, firms must ensure that employees are
threats of noncompliance [43]. part of the security efforts [4]; [38]; [32]; [34].

Self-efficacy will have a positive effect on ISP compliance Having discussed the theoretical background of the study,
behavioural intention. According to Pahnila et al. [30], this section discusses the proposed information security
response costs may include monetary expense, timing awareness process in the form of a flow chart. The process is
inconveniences, embarrassment or other negative based on the Behavioural Intention Model discussed. This
consequences, which result from an individual’s behaviour. process was verified through expert review and tested through
Employees are reluctant to follow or adopt recommended action research. The Action research was conducted at an
responses if they perceive that a considerable amount of SME civil engineering firm in South Africa. Three iterations of
resources i.e. time, effort, and money will be used toward a the processes indicated above were conducted to verify the
goal [8]; [9]. Conversely, if small amounts of resources are outcome of the results.
required in implementing a measure, it may be adopted [36]; The process starts by checking the existence of an up to
[41]. Reducing the Response Cost tends to increase the date Information Security Policy (ISP); however, the firm at
likelihood of an individual performing a recommended which the action research was conducted had a sound and up to
behaviour [40]. Past studies have confirmed that Response date policy that accurately reflected its overall posture towards
Costs are negatively related to intention to use security information security. The step of drafting/updating an
measures [41]; [9]. Information Security Policy (ISP) was not carried out and is
beyond the scope of this study. Figure 2 shows the proposed

Authorized licensed use limited to: University of Johannesburg. Downloaded on October 07,2023 at 08:11:45 UTC from IEEE Xplore. Restrictions apply.
information security awareness process for SME engineering scales used, these will be discussed in the data analysis section.
firms. The process was then run again for a second and third time.
The results of the third iteration were satisfactory and the
START process was stopped.

Does an information
security policy exist? 4.1 Information Security Awareness Campaign and
Training
Draft an information
No security policy Awareness from a different perspective: “It is believed that
Yes about 200 years ago people did not know about the germ
theory; they did not know that they should wash their hands
Is the information security and boil surgical tools to limit the spread of disease and
policy up to date? infection. Even though people know these things today, do they
always wash their hands before eating, or even after doing
something icky?” [39]. Unfortunately not everyone does so
Update the information even when they know better. This highlights that the real
No
Yes security policy challenge is not just to teach people, but also to help them
change their behaviour. Security knowledge cannot help much
if employees do not act on it; hence, this section provides
guidelines for implementing and maintaining comprehensive e-
learning information security awareness and training
Measure employee information
security awareness levels &
campaigns.
carry out a needs assessment.
Study
Security awareness and training assists in tempering the
Area attitude that security policy is restrictive and interferes with an
Is the awareness employee’s ability to do his/her work. The better the
level satisfactory? employee’s understanding of security issues, the more they
understand the importance of security and the ways in which
Run information
security protects them and enables them to do their work in a
Yes No security awareness safer and more effective environment [19].
campaigns & training
Information security campaigns are divided into awareness
and training. Awareness aims to raise the collective knowledge
of information security and its controls while training aims at
facilitating a more in-depth level of employee information
security understanding. An effective information security
Figure 2: Information security awareness process awareness and training programme seeks to explain proper
rules of behaviour when using the firm’s computer/information
systems. The programme communicates information security
The next step was to measure employees’ current level of policies and procedures that need to be followed. This must
the information security understanding so as to expose any precede and impose sanctions when noncompliance occurs
knowledge gaps. This needs assessment process highlighted [10].
the firm’s awareness and training needs. For example, in the
first iteration of the action research, the measurement revealed The BERR 2008 survey [2] suggests that the majority of
that employees did not have adequate understanding of firms rely upon written materials of some form. However,
password creation, safe Internet usage, viruses and firewalls, simply developing and circulating a policy, will not be
thus highlighting some topics for awareness training. These sufficient to foster appropriate understanding and behaviour.
results also justified to the firm’s management the need to Most companies use the traditional classroom style for
allocate resources towards information security awareness and awareness and training. However, this study seeks to apply the
training. The method for measuring employee awareness levels now widely used tried and tested e-learning concept to
was adapted from Kruger and Kearney’s [21] previous information security awareness and training. Jenkins et al [16]
research; the details of this method will follow in section 4.3. and Ricer et al [26] reported that there is no significant
difference between people who learn using a computer or the
The awareness levels during the first iteration were traditional classroom style in the short or long-term retention of
unsatisfactory and exposed the need for information security knowledge.
awareness campaigns and training. An e-learning based
awareness campaign was carried out. Its implementation and An e-learning system was used in this study instead of the
maintenance is discussed in detail in section 4.2. The conventional classroom style because it provides a
awareness level was measured again after the awareness configurable infrastructure that integrates learning material,
campaign and results showed that the knowledge gap was policies, and services into a single solution to quickly,
closing but the results were not yet satisfactory according to the effectively, and economically create and deliver awareness and

Authorized licensed use limited to: University of Johannesburg. Downloaded on October 07,2023 at 08:11:45 UTC from IEEE Xplore. Restrictions apply.
training content. E-Learning allows employees to train at their the measurement results. Measurement provides evidence of
own convenience, and learn at their own pace. It has also the campaign’s effectiveness and reveals where knowledge
proved to be cheaper than bringing everyone together, in terms gaps still exist. Measurements were not limited to a
of time and money. The next section therefore seeks to explain verification of whether the message was received by the target
how e-learning can be used as a tool for communicating and audience, but was to detect the effectiveness of the message,
testing information security awareness training. method, and behavioural change.
According to a survey by Richardson [31], 32% of the
respondents to a survey do not measure information awareness
4.2 Implementation method (E-Learning) in their firms. This is because there are no commonly agreed
and understood standard measurements of the effectiveness of
The information security awareness communication path information security awareness and training. Two distinctive
used was E-Learning. E-learning has grown tremendously over challenges are identified when developing a measuring tool and
the past several years as technology has been integrated into performing the actual measurements. These challenges are
education and training. E-learning may be defined as what to measure and how to measure it [12]; [21].
instruction delivered electronically via the Internet, intranets, or
multimedia platforms such as CD-ROM or DVD [35]. The 4.3.1 What to measure
literature review highlighted that research work on E-Learning
as a tool for information security awareness and training is still Kruger and Kearney [21] identified three components to be
in its infancy and that no such tool has been used to date in measured, namely what the employee knows (Knowledge),
SMEs. how they feel about the topic (Attitude) and what they do
(Behaviour).
The e-learning awareness and training program for this
study was designed and developed by the researcher with The attitude of employees towards information security is
assistance from a multimedia designer and a Web page important because unless they believe that information security
developer by using Macromedia Flash, Macromedia Dream is important, they are unlikely to work securely, irrespective of
Weaver, PDF, PowerPoint, Access, Gold wave, and Photoshop how much they know about security requirements. Knowledge
software in order to present the program material in a visual is important because even if an employee believes security is
and auditory format. This was presented in the form of a important, he or she cannot convert that intention into action
website containing information identified by the needs without the necessary knowledge and understanding. Finally,
assessment and most relevant information security topics. no matter what employees believe or know about information
Since information security is a diverse area with many topics, security, they will not have a positive impact on security unless
the importance of each topic varies from one firm to another they behave in a secure fashion. Figure 3 below shows how
depending on the nature of the risks faced so there is no enhanced security is achieved by correlating attitude,
universal information security awareness training. The website knowledge and behavior.
for training and awareness was constructed as follows:
Home Page: provides an introduction to information security
and the motive behind the training/ awareness. Employees
needed to be motivated as to why information security is
important. The home page then links to the awareness pages.
The Awareness Pages: these supply information on topical
issues and examples of breaches. These pages contain all the
information security information required by employees.
The Test/Exam Page: this was used as the data collection tool
for acquiring data from the employees which was used to
measure their information security awareness levels. Figure 3: Enhanced Security
All the pages had attractive information security pictures/video
clips/jokes in an effort to create a more relaxed e-learning
environment. 4.3.2 How to measure

The employees participating in the study received an email Measuring such intangibles as Attitudes, Knowledge and
with instructions on how to use the awareness and training Behaviour is difficult. This study makes use of assessment tests
program including the link to the awareness and training for eliciting information from the employees.
website.
Online Surveys (assessment tests) Assessment tests enable
identification of broad trends [14]. An agreement scale was
4.3 Measuring information security awareness levels used to allow the employees to indicate degrees of agreement
with statements about security.
After the security awareness campaign was launched, it was
important to measure its success and draw conclusions from

Authorized licensed use limited to: University of Johannesburg. Downloaded on October 07,2023 at 08:11:45 UTC from IEEE Xplore. Restrictions apply.
 The assessment test had questions that seek to test for This weighting was verified with the Director and the
knowledge, attitude and behaviour. The following are Human Resources Manager of the firm who agreed that
examples of the questions that were asked: behaviour was the most important measure followed by
knowledge then lastly attitude. The results and importance
Example statement for test of knowledge: weights were processed in a spreadsheet application and the
Internet access on the firm’s systems is a corporate resource output was finally presented in the form of graphs and
and should be used for business purposes only. awareness maps as was done in Kruger and Kearney’s [21]
1.True 2. False 3. Do not know study. Figure 6 below shows the scale used to interpret the
level of awareness. Kruger and Kearney’s scale was slightly
Example statement to test attitude: modified to take into consideration recommendations by the
Laptops are usually covered with existing insurance cover so firms Director.
there is no special need to include them in security policies.
1. True 2. False 3. Do not know
Awareness Measurement (%)
Example statement to test behaviour:
Good 75
I am aware that one should never give one’s password to
somebody else – however, my work is of such a nature that I Average 60
do give my password from time to time to a colleague (only to
those I trust!). Poor 30
1. True 2. False 3. Do not know
Figure 6: Awareness level measurement [21]
V. DATA ANALYSIS AND RESULTS

The engineering firm where the action research was Due to paper length constraints a detailed discussion of the
conducted has 32 employees of whom 4 have no access to the outcomes of the research cannot be presented here; however,
firm’s computer resources. This left a sample size of 28 Figure 7 below summarises the results categorised by the
employees. knowledge, attitude and behaviour.

When the information security awareness of the employees

was measured for the first time during needs assessment, only Knowledge Attitude Behaviour Total
21% (6 employees) passed with a score above 50%. The (30%) (20%) (50%) (100%)
number of employees passing on the second iteration
increased, this was due to the increase in knowledge. The Needs 12 11 22 45%
iteration 2 and 3 a huge majority of the employees passed the assessment (poor)
test. Figure 4 shows how many employees passed per iteration. Iteration 1 18 12 30 60%
Needs Iteration 1 Iteration 2 Iteration 3 (average)
assessment
Iteration 2 22 14 35 71%
Employees 6 (21%) 18 (64%) 24 (86%) 27 (96%) (average)
who passed
Iteration 3 25 15 38 78%
(good)
Figure 4: Employees passing awareness test
However the number of employees passing is not a true Figure 7: Results of three iterations of the information
reflection of the firms overall information security awareness security process
levels hence Kruger and Kearneys [21] method of analysing
data acquired through the measuring methods discussed in the
preceding sections was used. This method involved weighting The 78% awareness level was satisfactory and there was no
the three aspects being measured as follows (Figure 5): need for a forth iteration although it will be advisable to run the
Dimensions Weighting (%) program at least once a year as the skills and knowledge the
employees might become outdated.
Knowledge 30
It was possible to measure the effectiveness of information
Attitude 20 security awareness training by using the tools and methods
outlined by Kruger and Kearney [21]. These enabled the firm
Behaviour 50 to evaluate the extent to which awareness activities have
impacted on behaviour, attitude, and knowledge and therefore,
whether or not the initial training objectives have been met.
Figure 5: Awareness importance scale [21]

Authorized licensed use limited to: University of Johannesburg. Downloaded on October 07,2023 at 08:11:45 UTC from IEEE Xplore. Restrictions apply.
 VI. FINDINGS conducted. This is proven by the positive change in behaviour
This study revealed that having and implementing an observed during the iterations.
information security policy does not automatically guarantee Future research could focus on models and theories that
that all employees understand their role in ensuring the security assist in improving employee attitude as the behavioural
and safeguarding of information assets. It is therefore critical to intention model has proven to only be able to impact on
design and align an information security awareness campaign knowledge and behaviour and not the employees’ attitude.
to the information security policy’s high-level goals, objectives
and requirements.
The findings of the study support the Theory of Reasoned VIII. REFERENCES
Action (TRA) and the Protection Motivation Theory (PMT). [1] R.Willson & M. Siponen. “Overcoming the insider: reducing employee
Awareness campaigns were aimed at communicating the firm’s computer crime through situational crime prevention”, Communications
stance (subjective norm) on security, threat appraisal coping of the ACM. Vol 52, September 2009. NY, USA
appraisal and try to mould the employees’ attitude towards [2] BERR. “Information Security Breaches Survey” – Technical Report.
positive behavioural intention. The results showed that an Department for Business Enterprise & Regulatory Reform. April 2008.
URN 08/788.
increase in knowledge, made a positive change in attitude and
[3] M. Fishbein, and I. Ajzen. “Belief, attitude, intention, and behavior: An
behaviour. introduction to theory and research,” Massachusetts: Addison-Wesley,
However it was discovered that even though initially the 1975.
employees’ security knowledge levels were very low. They had [4] A. Da Veiga and J.H.P. Eloff. A “Framework and assessment instrument
for Information Security Culture,” Computers & Security, 29(2), 196-
a positive attitude towards securing the firms information asset; 207, March 2010
however, they did not have the skills and knowledge to help [5] S. Furnell. “Malicious or misinformed? Exploring a contributor to the
them behave in a secure manner. This also helps to advocate insider threat,” Computer Fraud & Security. Vol 2006(9), pp 8-12,
that indeed the risk the employees expose the firm to is September 2006.
genuinely unintentional but naïve mistakes as was revealed by [6] S. Furnell and K. Thompson. “From culture to disobedience:
the literature review. Recognising the varying user acceptance of IT security” Computer
Fraud & Security. Vol 2009, Issue 2, pp 5-10, February 2009.
The study has also discovered the need to run the process [7] J.L. Hale, B.J. Householder and K.L. Greene, K. L. The theory of
within 12 months as the information systems area is changing reasoned action. In J. P. Dillard, and M. Pfau, The persuasion handbook:
and so do the risk and security measures that need to be taken. Developments in theory and practice (pp. 259 – 286). Califonia:
It is also important to run the process for all new employees Thousand Oaks, 2003.
hired as it is best to initiate information security training and [8] S. Milne, P. Sheeran, S. Orbell. “Prediction and intervention in health-
awareness during new-hire orientation to establish the firm’s related behavior: a meta-analytic of protection motivation theory,”
Journal of Applied Social Psychology, Vol 30(1), pp 106-43, 2000.
commitment to security at an early stage of their employment.
[9] Y. Lee, K.R. Larsen. “Threat or coping appraisal: determinants of SMB
What is disappointing is that although knowledge increased executives’ decision to adopt anti-malware software,” European Journal
of Information Systems, Vol 18(2), pp 177-87, 2009.
dramatically during the iterations, the increase in attitude was
marginal. This is most likely because the employees have a [10] T.Herath and H.R. Rao. “Encouraging information security behaviors in
organizations: Role of penalties, pressures and perceived effectiveness,”
certain attitude towards the firm and this attitude cannot be Decision Support System, Vol 47, pp 154 – 165, 2009.
altered by information security awareness. Most probably [11] A. Bandura. “Social cognitive theory of self-regulation,” Organizational
looking at job satisfaction might be able to change employee Behavior and Human Decision Processes, Vol 50, pp 248-87, 1991.
attitude towards the firm. [12] G. Hinson, “Seven myths about information security metrics,” originally
published in ISSA Journal, July 2006, Accesed Feb. 2010, Available at:
VII. CONCLUSION http://www.noticebored.com/html/metrics.html
This paper was conceived against the backdrop of efforts [13] B. Bulgurcu, H. Cavusoglu and I. Benbasat. “Information security policy
compliance: an empirical study of rationality-based beliefs and
made by SME firms to protect their information assets. Firms information security awareness,” MIS Quarterly, Vol 34(3), pp 523-48,
usually procure technological tools to help them achieve 2010.
success on business fronts. [14] E. Hofstee. Literature Review. In constructing a good dissertation.
Johannesburg: EPE, 2006.
As an underlying theoretical background in the area, this
paper drew on two relevant theories which included [15] ISACA. (2009). An Introduction to the Business Model for Information
Security. California. Available from:
behavioural intention and persuasive theories i.e. Theory of http://www.isaca.org/AMTemplate.cfm?Section=Deliverables&Templat
Reasoned Action and Protection Motivation Theory. The e=/ContentManagement/ContentDisplay.cfm&ContentID=48017
research findings showed that information security awareness (Accessed 3 February 2010).
levels are greatly influenced by behavioural intentions. [16] S. Jenkins, R. Goal and D. Morrele. “Computer-assisted instruction
versus traditional lecture for medical student teaching of dermatology
The study has also been able to prove e-learning as an morphology: A randomized contol trial,” Journal of the American
effective type of learning just as the traditional classroom style Academy of Dermatology. Vol 59(2), pp 255í259, 2008.
of learning. [17] K. Miller. “Communications theories: perspectives, processes, and
contexts,” New York: McGraw-Hill, 2005.
In conclusion the model and process presented in this Paper [18] P.A. Rippetoe and R.W. Rogers. “Effects of components of protection
have been successfully validated by the action research motivation theory on adaptive and maladaptive coping with a health
threat,” Journal of Personnel Social Psychology . Vol 52, p 596, 1987.

Authorized licensed use limited to: University of Johannesburg. Downloaded on October 07,2023 at 08:11:45 UTC from IEEE Xplore. Restrictions apply.
[19] E. Johnson. “Security Awareness: Switch to a better program,” Network [32] C. Russell. “Security Awareness - Implementing an Effective Strategy,”
Security. Vol 2006, pp 15-18, 2006. SANS Institute, InfoSec Reading Room, 2002.
[20] M.E. Kabay. Improving Information Assurance Education Key to [33] R.K. Sarkar. “Assessing insider threats to information security using
Improving Secure(ity) Management. Journal of Network and Systems technical, behavioural and organisational measures,” Information
Management. Vol 13, pp . 247-251, 2005. Security Technical Report. Vol 15(15), pp 112-133, August 2010.
[21] H.A. Kruger and W.D. Kearney. “A Prototype for assessing information [34] B.Schneier. Schneier on Security. New Jersey: John Wiley & Sons,
security awareness,” Computers & Security. Vol 25, pp 289 – 296, 2006. 2008.
[22] R.L. Krutz and D.V. Rusell. The CISP Prep Guide. New York: John [35] K.L. Smart and J.J Cappel. “Students' perceptions of online learning: A
Willey & Sons, 2001. comparative study,” Journal of Information Technology Education. Vol
[23] K. Miller. Communications theories: perspectives, processes, and 5, pp 201í202, 2006.
contexts. New York: McGraw-Hill, 2005. [36] C. Pechmann, G. Zhao, M. Goldberg and E.T. Reibling ET. “What to
[24] I. Ajzen. “The theory of planned behavior”. Organizational Behavior convey in antismoking advertisements of adolescents: the use of
and Human Decision Processes. Vol 50(2), pp 179-211, 1991. protection motivation theory to identify effective message themes,”
Journal of Marketing. Vol 6, pp. 1-18, 2003.
[25] R. Power. “CSI/FBI Computer Crime and Security,” Computer Security
Journal, Vol 17 , pp 7-30, 2002. [37] J. Van Niekerk and R. von Solms. “Organisational Learning Models for
Information Security,” Peer reviewed Proceedings of the ISSA 2004
[26] R.E. Ricer, A.T. Filak, and J Short. “Does a high tech (computerized, enabling tomorrow conference 30 June – 2 July 2004, Gallagher Estate,
animated, PowerPoint) presentation increase retention of material Midrand.
compared to a low tech (black on clear overheads) presentation?”
Journal of Teaching and Learning in Medicine. Vol 17(2), pp107í111, [38] J. Van Niekerk and R. von Solms. Information Security Culture: a
2005. management perspective. Computers & Security. Vol 29, pp 476-86,
2010.
[27] C.L. Anderson and R. Agarwal. “Practicing safe computing: a
multimethod empirical examination of home computer user security [39] H. William. “Methods and techniques of implementing a security
behavioral intentions,” MIS Quarterly. Vol 34, pp 613-43, 2010. awareness program”. SANS Institute, InfoSec Reading Room, 2002.
[28] R. Rogers. Cognitive and physiological processes in fear-based attitude [40] I.M.Y. Woon, G.W. Tan and R.T. Low. “A protection motivation theory
change: a revised theory of protection motivation. In: J. Cacioppo, R. approach to home wireless security”. In: D. Avison, D.Galletta and J.I.
Petty, editors. Social psychophysiology: a sourcebook. New York: DeGross, editors. Proceedings of the 26th International Conference on
Guilford Press, pp. 153-76, 1983. Information Systems, In Las Vegas, December 11-14, pp. 367-380;
USA; 2005.
[29] J.L. Hale, B.J. Householder and K.L. Greene. The theory of reasoned
action. In J.P. Dillard & M. Pfau (Eds.), The persuasion handbook: [41] M. Workman, H.H. Bommer and D. Straub. “Security lapses and the
Developments in theory and practice (pp. 259–286). Thousand Oaks, omission of information security measures: a threat control model and
CA: Sage, 2003. empirical test,” Computers in Human Behavior. Vol 24, pp 816, 2008.
[30] S. Pahnila, M. Siponen and A. Mahomood. “Employees’ behavior [42] P.A.H. William. In a ‘trusting’ environment, everyone is responsible for
towards IS security policy compliance,” Proceedings of the 40th Hawaii information security. Information Security Technical report. Vol 13, pp
International Conference on System Sciences, January, pp 3-6, Los 207 – 215, 2008.
Alamitos, CA; 2007. [43] P. Ifinedo. “Understanding information systems security policy
[31] R. Richardson. CSI Computer Crime & Security Survey. CSI, 2008. compliance: An integration of the theory of planned behavior and the
Available from: protection motivation theory,” Computers & Security. Vol 31, pp 83-85,
http://www.cse.msstate.edu/~cse6243/readings/CSIsurvey2008.pdf 2012.
(Accessed 14 December 2009).

Authorized licensed use limited to: University of Johannesburg. Downloaded on October 07,2023 at 08:11:45 UTC from IEEE Xplore. Restrictions apply.