
The Feasibility of Raising Information Security Awareness in an Academic Environment Using SNA

  • Rudi Serfontein
  • Lynette Drevin
  • Hennie Kruger
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 531)

Abstract

The human aspect is one of the key success factors in information security (InfoSec). Its impact on InfoSec is so significant that multiple studies have shown that a balanced approach combining technology and security awareness is needed in order to maintain the integrity of an organisation’s security. At present, one of the methods most often used to address InfoSec awareness is to develop security awareness programmes that can be used to educate users within an organisation. This method has several drawbacks, however, as such programmes might not be comprehensive enough, or quick enough to address newer threats. It can furthermore lead to users developing InfoSec fatigue, which renders most attempts at improving security awareness pointless. These problems are compounded by non-traditional organisational structures, such as those found in educational institutions, where both students and staff should be made aware of information security risks on a regular basis. In order to address the potential information security awareness problem at educational institutions, this paper investigates the feasibility of using Social Network Analysis (SNA) to improve existing security awareness programmes. Following a brief introduction to SNA, two illustrative examples are offered to show that SNA presents a viable option to improve programmes for raising information security awareness in an academic environment, by allowing for the effective selection of ideal target locations.

Keywords

Social network analysis; Security awareness; Security fatigue

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. North-West University, Potchefstroom, South Africa
