The development and evaluation of an information security awareness capability model: linking ISO/IEC 27002 controls with awareness importance, capability and risk

PhD Thesis

Poepjes, Robert. 2015. The development and evaluation of an information security awareness capability model: linking ISO/IEC 27002 controls with awareness importance, capability and risk. PhD Thesis Doctor of Philosophy. University of Southern Queensland.

Type: PhD Thesis
Author: Poepjes, Robert
Supervisor: Lane, Michael
Institution of Origin: University of Southern Queensland
Qualification Name: Doctor of Philosophy
Number of Pages: 243

This research examines the role that awareness plays in the effectiveness of information security within an organisation. There is a lack of understanding of what level of awareness is appropriate for information security controls across an organisation. Without understanding the required Awareness Importance and the demonstrated Awareness Capability, an organisation may not be able to determine whether a lack of knowledge poses information security risks.

This study refers to Awareness Importance as how important, or how influential, awareness is to the success of a process or control. For example, when crossing a busy street it is important to be aware of oncoming traffic before stepping out. The study refers to Awareness Capability as how aware a person is, or how capable of comprehending the current situation, when faced with a decision: before a person crosses a street, are they capable of comprehending the oncoming traffic? That capability influences how successfully the street is crossed. Awareness Risk is the gap that results when the required amount of awareness (Awareness Importance) exceeds the amount actually demonstrated (Awareness Capability).

This research is motivated by the primary question: 'to what extent does the relationship between awareness importance and awareness capability predict the risks associated with an organisation's current state of information security awareness of their information security controls?' The study proposes that identifying the potential risks posed by any awareness gap is likely to lead to improvements in the capability and posture of information security in organisations.

There is little empirical research on how awareness influences the effectiveness of information security controls, and scant research on how effective security education and training programs are at raising organisational awareness: do they improve the perception, comprehension and decision-making of individuals and organisations in relation to potential threats? To bridge this gap in the literature, this research builds and tests a theoretical framework and model that combines aspects of the ISO/IEC 27002 standard with theories of situation awareness and risk management. The resultant model is the information security awareness capability model (ISACM).

In the first phase of this research, survey data was collected from information security professionals to establish a benchmark Awareness Importance rating for each of the 39 main security categories, and their associated control objectives, in the ISO/IEC 27002 standard. These ratings, established separately for three stakeholder groups within organisations (IT staff, senior management and end users), form the first component of the ISACM. In the second phase, situation awareness theory guided the development of an Awareness Capability instrument to capture the second component of the ISACM. This instrument was used to survey two separate populations, measuring the awareness capability of end users against the ten security categories with the highest Awareness Importance from phase one. The phase two survey data was then used to calculate the third component of the ISACM, Awareness Risk: the gap between required awareness (Importance) and demonstrated awareness (Capability).
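The three-component calculation described above, as an added illustration rather than code or data from the thesis. It assumes a 1-5 rating scale for both importance and capability, takes the benchmark importance as the mean of the professionals' ratings, and treats Awareness Risk as the positive part of (importance minus capability); none of these scoring details are stated on this page, and the category names, ratings and capability scores are constructed.

```python
"""ISACM-style Awareness Risk calculation on constructed data.

Added illustration, not code from the thesis. Assumptions not stated on the
page: importance and capability both sit on a 1-5 scale, the benchmark
importance for a category is the mean of the professionals' ratings, and
Awareness Risk is the positive part of (importance - capability). Category
names are a constructed subset of ISO/IEC 27002:2005 main security categories;
all numbers are invented.
"""
from statistics import mean

# Phase 1 (constructed): importance ratings from three hypothetical security
# professionals for the end-user stakeholder group, per security category.
PHASE1_RATINGS = {
    "end users": {
        "Reporting information security events and weaknesses": [5, 5, 5],
        "User responsibilities": [5, 5, 4],
        "Protection against malicious and mobile code": [5, 4, 5],
        "Information classification": [4, 5, 4],
        "Exchange of information": [3, 4, 3],
        "Secure areas": [2, 3, 2],
    },
}

# Phase 2 (constructed): mean capability score per surveyed category from an
# end-user survey, on the same 1-5 scale. Only the top categories are surveyed.
PHASE2_CAPABILITY = {
    "Reporting information security events and weaknesses": 3.2,
    "Protection against malicious and mobile code": 4.1,
    "User responsibilities": 4.8,
}


def benchmark_importance(ratings):
    """Awareness Importance benchmark: mean professional rating per category."""
    return {category: mean(values) for category, values in ratings.items()}


def top_categories(importance, n):
    """The n categories with the highest Awareness Importance (ties by name)."""
    ordered = sorted(importance, key=lambda c: (-importance[c], c))
    return ordered[:n]


def awareness_risk(importance, capability):
    """Awareness Risk per category: required minus demonstrated awareness.

    Floored at zero so that surplus capability in one category does not read
    as a 'negative risk' that could offset a real gap elsewhere. Categories
    without a capability measurement are skipped rather than guessed.
    """
    return {
        category: max(0.0, importance[category] - capability[category])
        for category in importance
        if category in capability
    }


def rank_risks(risks):
    """Largest awareness gap first: where awareness investment should go."""
    return sorted(risks.items(), key=lambda item: (-item[1], item[0]))


def run_isacm(stakeholder, n_top, phase1=PHASE1_RATINGS, phase2=PHASE2_CAPABILITY):
    """Run the three ISACM components for one stakeholder group."""
    importance = benchmark_importance(phase1[stakeholder])
    selected = top_categories(importance, n_top)
    risks = awareness_risk({c: importance[c] for c in selected}, phase2)
    return rank_risks(risks)


if __name__ == "__main__":
    for category, risk in run_isacm("end users", 3):
        print(f"{risk:.2f}  {category}")
```

With the constructed figures, "Reporting information security events and weaknesses" shows the largest gap (importance 5.0 against capability 3.2), while "User responsibilities" shows no gap because demonstrated capability exceeds the benchmark; the floor at zero keeps that surplus from masking the reporting shortfall.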

This research extends the existing literature by contributing an approach and an empirical model for measuring the required importance and the demonstrated capability of information security awareness within an organisation, and thereby identifying potential information security risks. The key findings show that the required importance of awareness of information security controls differs from control to control and depends on which stakeholder group is involved. Finally, the study's model calculates Awareness Risk, allowing organisations to establish where awareness is sufficient and where it is lacking and likely to present risk.

The researcher concludes that the model developed will assist organisations in identifying awareness gaps, and the risks associated with them, for specific information security control objectives across an organisation. ISACM provides a better understanding of the level of information security awareness that exists in an organisation and of where risks exist because awareness of information security controls is lower than desirable. This in turn allows organisations to direct investment to the areas where unacceptable levels of risk exist.

Keywords: information security, IT security, awareness, situation awareness, ISO27002, awareness importance, awareness capability, awareness risk
ANZSRC Field of Research 2020: 460499. Cybersecurity and privacy not elsewhere classified
                               460908. Information systems organisation and management
Byline Affiliations: School of Management and Enterprise

Related outputs

An information security awareness capability model (ISACM)
Poepjes, Robert and Lane, Michael. 2012. "An information security awareness capability model (ISACM)." Williams, Trish, Johnstone, Mike and Valli, Craig (ed.) 10th Australian Information Security Management Conference (SECAU 2012). Perth, Western Australia 03 - 05 Dec 2012 Perth, Western Australia.