Analysis of Measuring Information Security Awareness for Employees at Institution XYZ
DOI:
https://doi.org/10.57152/malcom.v4i4.1453
Keywords:
Education, Information Security Awareness, Phishing, Simulation
Abstract
As a government institution in the field of civil servant management, XYZ Institution holds data on 4.4 million employees spread throughout Indonesia, which needs to be maintained. According to the BSSN report, potential threats have increased significantly in recent years and are expected to continue in 2024; one of these is the threat of phishing. This research was conducted to measure the level of information security awareness (ISA) of employees at XYZ Institution. Phishing simulations and questionnaires were used to measure the level of ISA and to determine how to provide ISA education that raises employees' ISA level. Simulation results were compared before and after the provision of ISA education. Providing education had a positive impact on employees. In the simulation before education, 65% of employees clicked on phishing URLs; after education, this decreased to 17%. Employees who were exposed to phishing made up 33% before education and decreased to 16% after education. In addition, the questionnaire filled out by 150 employees gave a value of 86.54% for the employee ISA level, which is in the good category.