Information security awareness at work

Many employees, and bosses come to that, ignore or are unaware of the security issues surround the advent of cloud computing and web 2.0 activities. The ability to successfully transfer data, information and knowledge constitutes an important organizational capability to compete at the global level, but it has to be done securely and with self-awareness otherwise security breaches, hacks, denial of service and such will become the norm. The security-breach stories of Sony, PayPal, Amazon and countless others over the last few years have been widely reported. Could they have been avoided?

Michael Harvey of the University of Mississippi and Roberto Mejias of Arizona State University (US) do not necessarily have the answer, but they do believe that while organizations have attempted to bolster their security measures they often fail to get the strategic information out to employees. Previous research has shown that the implementation of information security awareness (ISA) programs across an organization can often mitigate cyber-attack.

Such programs would give employees guidance on what is deemed acceptable IT use in terms of using their own software on organizational machines, transporting data and equipment to and from the workplace, using (or rather not using) third-party sites that might represent a security risk. Conversely, perhaps an ISA might even force IT departments to upgrade out of date and insecure software where systems have left organizations vulnerable because they are stuck on old versions of operating systems, web browsers, or forced to run software that requires software frameworks that repeatedly succumb to security attacks. Think Internet Explorer 6, Adobe, Java etc etc…all commonly installed on legacy systems.

“The concept of ISA refers to a state of knowledge where employees are aware of the potentially negative impacts of malicious IT attacks upon their organizations,” the team states. “ISA has also been defined as the degree to which employees understand the importance of information security, the appropriate levels of security required and their individual responsibilities in protecting the organization’s informational resources,” they add.

Viruses, worms, Trojan horses, DoS attacks, botnets, zombies, keyloggers, foreign USB drives, malware-infected web sites, hoax viruses, social engineering, industrial espionage …the list goes on. With the counterattack being antivirus software, firewalls, encrypted data, strong passwords, intrusion detection and the ISA that makes all members of the organization at all levels aware of the issues and the potential ways to ameliorate them.

“Knowledgeable global organizations are increasingly developing ISA programs as a cost-effective deterrent to the breaching of their strategic information resources,” the team concludes. Unfortunately, not all organizations are knowledgeable and we can expect to see ongoing attacks in the future against which such organizations will inevitably fail to protect themselves.

Research Blogging Icon Harvey M. (2012). A case for information security awareness (ISA) programs to protect global information, innovation and knowledge resources, Int. J. Transitions and Innovation Systems, 2 (3/4) 302-324. DOI:

Author: David Bradley

Freelance science journalist, author of Deceived Wisdom. Photographer and musician.