Information Security Awareness Levels of TAFE South Australia Employees Hong Chan Bachelor of IT ( Honours ) Supervisor: Dr Sameera Mubarak
Outline Background Information Research Question Methodology Results Conclusion
Information Security Confidentiality – prevent unauthorised access Integrity – accuracy and correctness Availability – authorised access when needed Ensure business continuity Minimise damage and liability Ethical and legal responsibility Information security plans or policies are needed, usually consist of technical controls Background Information
Information Security Awareness – Human Aspects Employee knowledge of information security concepts Management knowledge of information security concepts Consciousness of security plans Literature suggests positive relationship between awareness and security plan success. Should be included in plans. Background Information
TAFE South Australia Largest vocational education provider in SA 2400 employees across over 50 campuses Suitable for this research All aspects of the business are conducted using information systems. Holds vast amount of confidential student data. Recently implemented new student information system Background Information
Motivation for Research Gap in literature Australian Context Personal interest as an employee Background Information
Potential Contributions Directly benefit TAFE SA Finalised report (thesis) to be given to TAFE SA Provide insight into other similar Australian Organisations Background Information
To gain an insight into the information security awareness levels of TAFE SA Employees in order to identify areas that need improvement Does not look into improving awareness through “best practices” Research Question
Online Questionnaire Knowledge of concepts = Awareness of threats Behavioural questions = Employee actions which may cause breaches Consciousness of policies’ existence Quantitative Methods Used Tabulated percentages Methodology
Population: 2400 staff Sample: 308 responses 13% of entire organisation responded Demographics Management ( 19% ) General Staff (81%) Mushroom ?? Results
Knew what Phishing is Knew what Spam is Results YesNo Management32%68% General Employees23%77% YesNo Management78%22% General Employees87%13%
Has clicked on unknown links embedded in external third party s Knew what Social Engineering is Results YesNo Management24%76% General Employees16%84% YesNo Management78%22% General Employees73%27%
Knew what a strong password should be Has given away passwords or logged someone in Questionnaire may have prompted ICT’s action ?? Results YesNo Management64%36% General Employees66%34% YesNo Management56%44% General Employees52%48%
Has left computer unlocked and unattended Used appropriate methods for password storage Results YesNo Management73%27% General Employees78%22% YesNo Management68%32% General Employees65%35%
Knew the importance of data/information integrity Has amended data without due process Results YesNo Management93%7% General Employees91%9% YesNo Management7%93% General Employees8%92%
Has discussed work related issues on social networking sites Very few research into this topic, that is, social media can be a source of data/information leakage Results YesNo Management7%93% General Employees8%92%
Awareness of existence of information security policy Awareness of existence of password policy Results YesNo Management59%41% General Employees37%63% YesNo Management41%59% General Employees31%69%
TAFE SA needs improvements Passwords given to colleagues Leaving computers unlocked and unattended Lack of awareness of policies Conclusion
Limitations TAFE SA’s Chief Executive’s disapproval of question “Social Engineering” is an ambiguous term Conclusion
Future Research How awareness can be improved Explore adoption of awareness programs Look into Including awareness as part of an overall security strategy Conclusion
My Telstra Story Potential for malicious acts is huge!
Thank You Tip: If you work fulltime, do not commence a research degree. I am actually 19 but I look 40. -Hong Chan