nach oben

Education and Information Technologies

Erschienen in:

23.12.2022

Information Security Awareness practices: Omani Government Agencies as a case study

verfasst von: Malik Al-Shamli, Khalfan Zahran Al Hijji, Abdul Khalique Shaikh

Erschienen in: Education and Information Technologies | Ausgabe 7/2023

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

This paper aims at reviewing Information Security Awareness (ISA) practices in general and at Omani Government Agencies (OGA) in particular. It also explores the concerns and challenges that may affect their implementation, and the reasons why ISA practices remained problematic for more than a decade at the OGAs. To inform the aim of this research, the researchers employed a systematic process to review the publications that explored ISA practices in general and at OGAs in particular. As a sampling technique, the researchers created a research strategy to select relevant publications for the study. The grounded theory technique is adopted for data analysis since it provides an inductive and systematic interpretive approach to generate theoretical insights from the data. The review reveals that current ISA practices seem ineffective in meeting the needs of employees. Furthermore, a set of important ISA practices are either missing or undeveloped. The review also revealed the absence of a framework for the ISA process at OGAs. To the best of our knowledge, the present study is one of the first to conduct an in-depth review on ISA practices applied in general and at OGAs in particular. Therefore, this study contributed to the emerging field of information security by reviewing the current state of ISA practices. In addition, this research study contributed a comprehensive picture of sources dealing with vital issues of insider threats and human factors within OGAs that were indeed unclear and surrounded by various ambiguities in the past.

Vorheriger Artikel Instructors’ presence in instructional videos: A systematic review

Nächster Artikel Spatial mental imagery gap of student–studio lecturer and client–designer/architect by virtual reality and non-virtual reality

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behaviour & Information Technology, 33(3), 237–248.MathSciNetCrossRef

Al-Awadi, M. (2009). A study of employees’ attitudes towards organisational information security policies in the UK and Oman. University of Glasgow.

Al-Daeef, M. M., Basir, N., & Saudi, M. M. (2017). Security awareness training: A review. Lecture Notes in Engineering and Computer Science. Newswood Limited. https://oarep.usim.edu.my/jspui/handle/123456789/1880

Al-Harrasi, A., Shaikh, A. K., & Al-Badi, A. (2021). Towards protecting organisations’ data by preventing data theft by malicious insiders. International Journal of Organizational Analysis. https://doi.org/10.1108/IJOA-01-2021-2598CrossRef

Al-Izki, F., & Weir, G.R. (2016). Management attitudes toward information security in omani public sector organisations. 2016 Cybersecurity and Cyberforensics Conference (CCC), 107–112.

Al-Kalbani, A. (2017). A compliance based framework for information security in e-government in Oman. RMIT University.

Al-Shanfari, I., Yassin, W., & Abdullah, R. (2020). Identify of factors affecting information security awareness and weight analysis process. International Journal of Engineering and Advanced Technology (IJEAT), 9(3), 534–542.CrossRef

Alotaibi, M., & Alfehaid, W. (2018). Information security awareness: A review of methods, challenges and solutions. Proceedings of the ICITST-WorldCIS-WCST-WCICSS-2018, Cambridge, UK, 10–13.

Alshaikh, M., Maynard, S.B., Ahmad, A., & Chang, S. (2018). An Exploratory Study of Current Information Security Training and Awareness Practices in Organizations. Hawaii International Conference on System Sciences.

Alsowail, R. A., & Al-Shehari, T. (2021). A multi-tiered framework for insider threat prevention. Electronics, 10(9), 1005.CrossRef

Alzubaidi, A. (2021). Measuring the level of cyber-security awareness for cybercrime in Saudi Arabia. Heliyon, 7(1), e06016.CrossRef

Ansari, M. F. (2022). A quantitative study of risk scores and the effectiveness of ai-based cybersecurity awareness training programs. International Journal of Smart Sensor and Adhoc Network, 3(3), 1. https://doi.org/10.47893/IJSSAN.2022.1212 Available at: https://www.interscience.in/ijssan/vol3/iss3/1

Atheer (2017). The Oman National CERT clarifies about the malicious ransomware. Atheer. https://cutt.ly/xlDF4Xa. Accessed 17 Aug 2020

Atheer (2018a). Significant increase in WhatsApp penetration … and “Information Technology” clarifies the steps of prevention and recovery. Atheer. https://cutt.ly/IlDGuTr. Accessed 16 Aug 2020

Atheer (2018b). Monitor attempts at electronic blackmail in government institutions and the “Oman National CERT” warns. Atheer. https://cutt.ly/jlDGgu0. Accessed 16 Aug 2020

Atheer (2018c). What do the numbers say about the reality of electronic blackmail in the Sultanate during 2018. Atheer. https://cutt.ly/AlDGmYN. Accessed 16 Aug 2020

Argote, L., McEvily, B., & Reagans, R. (2003). Introduction to the special issue on managing knowledge in organizations: creating, retaining, and transferring knowledge. Management Science, 49(4), v–viii.CrossRef

Aydın, ÖM., & Chouseinoglou, O. (2013). Fuzzy assessment of health information system users’ security awareness. Journal of Medical Systems, 37(6), 1–13.CrossRef

Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672.

Bhattacherjee, A. (2012). Social science research: Principles, methods, and practices. Global Text Project. Available at https://digitalcommons.usf.edu/oa_textbooks/3

Chmura, J. (2017). Forming the awareness of employees in the field of information security. Journal of Positive Management, 8(1), 78–85.CrossRef

Chowdhury, N., & Gkioulos, V. (2021). Cyber security training for critical infrastructure protection: a literature review. Computer Science Review, 40, 100361.CrossRef

Daily, O. (2019). How do Omani government agencies and private companies address the threat of cyber-attacks? Oman Daily. omandaily.om/?p=729347.

Dalal, R. S., Howard, D. J., Bennett, R. J., Posey, C., Zaccaro, S. J., & Brummel, B. J. (2022). Organizational science and cybersecurity: abundant opportunities for research at the interface. Journal of Business and Psychology, 37(1), 1–29.CrossRef

Education, M. (2017). An official statement on the penetration of the Sultanate of Oman educational portal. In.

ENISA (2010). The new users’ guide: How to raise information security awareness (EN). ENISA. https://cutt.ly/uxGpBOw. Accessed 3 Oct 2020

Georgiadou, A., Mouzakitis, S., Bounas, K., & Askounis, D. (2022). A cyber-security culture framework for assessing organization readiness. Journal of Computer Information Systems, 62(3), 452–462.CrossRef

Ghazvini, A., & Shukur, Z. (2016). Awareness training transfer and information security content development for healthcare industry. International Journal of Advanced Computer Science and Applications, 7(5), 361–370.CrossRef

Grobler, M., Gaire, R., & Nepal, S. (2021). User, usage and usability: redefining human centric cyber security. Frontiers in big Data, 4, 583723.CrossRef

Gundu, T., & Flowerday, S. (2013). Ignorance to awareness: towards an information security awareness process. SAIEE Africa Research Journal, 104(2), 69–79.CrossRef

Gundu, T., Flowerday, S., & Renaud, K. (2019). Deliver security awareness training, then repeat:{Deliver; Measure Efficacy}. 2019 conference on information communications technology and society (ICTAS).

Haney, J. , Jacobs, J. and Furman, S. (2022). Approaches and challenges of federal cybersecurity awareness programs. NIST Interagency/Internal Report (NISTIR). National Institute of Standards and Technology, Gaithersburg, MD, [online]. https://doi.org/10.6028/NIST.IR.8420A, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=934347

Hansche, S. (2001). Designing a security awareness program: part 1. Information Systems Security, 9(6), 1–9.CrossRef

Hassandoust, F., & Techatassanasoontorn, A. A. (2020). Understanding users’ information security awareness and intentions: a full nomology of protection motivation theory. Cyber influence and cognitive threats (pp. 129–143). Elsevier.

Hassanzadeh, M., Jahangiri, N., & Brewster, B. (2014). A conceptual framework for information security awareness, assessment, and training. Emerging Trends in ICT Security (pp. 99–110). Elsevier.

ITA. (n.d). e.Oman Booklet. ITA. https://cutt.ly/MlDGMaw. Accessed 8 Sept 2020

ITA. (2013). Saltant of Oman Progress Report on the Information Society 2003–2013. ITA. https://cutt.ly/C0RT9Mk. Accessed 10 Sept 2020

ITA. (2017). Cybersecurity Governance Guidelines. ITA. https://cutt.ly/C0RT9Mk. Accessed 10 Sept 2020

ITA. (2019). Information Technology Authority Annual Report 2018. ITA. https://cutt.ly/C0RT9Mk. Accessed 15 Sept 2020

ITA. (2008). ITA Information Security Policy Manual. ITA. https://www.ea.gov.om/media/jpnfz4ys/security-policy.pdf?csrt=205645110090536941. Accessed 20 Sept 2020

ITA. (2020). Information Technology Authority Annual Report 2019. ITA. https://cutt.ly/C0RT9Mk. Accessed 15 Sept 2020

Jacobs, J. L., Haney, J. M., & Furman, S. M. (2022, July). Measuring the Effectiveness of US Government Security Awareness Programs: A Mixed-Methods Study. Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022) 8th Workshop on Security Information Workers (WSIW 2022). This workshop aims to develop and stimulate discussion about security information workers., Boston, MA, US.

Kalhoro, S., Rehman, M., Ponnusamy, V., & Shaikh, F. B. (2021). Extracting key factors of cyber hygiene behaviour among software engineers: a systematic literature review. Ieee Access: Practical Innovations, Open Solutions, 9, 99339–99363.CrossRef

Khan, B., Alghathbar, K. S., Nabi, S. I., & Khan, M. K. (2011). Effectiveness of information security awareness methods based on psychological theories. African Journal of Business Management, 5(26), 10862–10868.

Khandkar, S. H. (2009). Open coding. University of Calgary, 23, 2009.

Khando, K., Gao, S., Islam, S. M., & Salman, A. (2021). Enhancing employees information security awareness in private and public organisations: a systematic literature review. Computers & Security, 106, 102267.CrossRef

Korpela, K. (2015). Improving cyber security awareness and training programs with data analytics. Information Security Journal: A Global Perspective, 24(1–3), 72–77.

Kritzinger, E., & Smith, E. (2008). Information security management: an information security retrieval and awareness model for industry. Computers & Security, 27(5–6), 224–231.CrossRef

Kruger, H.A., & Kearney, W.D. (2005). Measuring Information Security Awareness - A West Africa Gold Mining Environment Case. ISSA.

Labuschagne, W. A., & Veerasamy, N. (2017). Metrics for smart security awareness. European Conference on Cyber Warfare and Security.

Lawrence, J., & Tar, U. (2013). The use of grounded theory technique as a practical tool for qualitative data collection and analysis. Electronic Journal of Business Research Methods, 11(1), 29–40.

Lebek, B., Uffen, J., Neumann, M., & Hohler, B. (2013). Towards a needs assessment process model for security, education, training and awareness programs: an Action Design Research Study. ECIS. Available at https://cutt.ly/d0RUD7N

Liu, L., Han, M., Wang, Y., & Zhou, Y. (2018). Understanding data breach: A visualization aspect. International Conference on Wireless Algorithms, Systems, and Applications.

Maeyer, D. D. (2007). Setting up an effective information security awareness programme. ISSE/SECURE 2007 Securing Electronic business processes (pp. 49–58). Springer.

Mammadov, T., Rahman, N. A., & Mohd, M. F. (2021). Establishment of a method to measure the awareness of OIC-CERT Members. OIC-CERT Journal of Cyber Security. Available at https://www.oic-cert.org/en/journal/vol-3-issue-1/establishment-of-a-method-to-measure-the.html#.Y52wS3ZBy3A

Manifavas, C., Fysarakis, K., Rantos, K., & Hatzivasilis, G. (2014). DSAPE–dynamic security awareness program evaluation. International Conference on Human Aspects of Information Security, Privacy, and Trust.

Mavroeidi, A., Kitsiou, A., & Kalloniatis, C. (2021). Gamification: a necessary element for designing privacy training programs. In (Ed.), The Role of Gamification in Software Development Lifecycle. IntechOpen. https://doi.org/10.5772/intechopen.97420

Mejias, R. J., & Balthazard, P. A. (2014). A model of information security awareness for assessing information security risk for emerging technologies. Journal of Information Privacy and Security, 10(4), 160–185.CrossRef

McCormac, A., Calic, D., Parsons, K., Zwaans, T., Butavicius, M., & Pattinson, M. (2016). Test-retest reliability and internal consistency of the human aspects of Information Security Questionnaire (HAIS-Q).

MTC (2019). MTC Conducts Cybersecurity awareness “Train the Trainer” Workshop. Retrieved April 14 from https://cutt.ly/slDJxoJ

Nikel, F. H., & Amaechi, A. O. (2022). An assessment of employee knowledge, awareness, attitude towards organizational cybersecurity in cameroon. Network and Communication Technologies. Available at https://ccsenet.org/journal/index.php/nct/article/view/0/46794

Nobles, C. (2018). Botching human factors in cybersecurity in business organizations. HOLISTICA–Journal of Business and Public Administration, 9(3), 71–88.CrossRef

Ntwali, B. (2021). Investigating the relationship between learning styles and delivery methods in Information Security Awareness Programs (Master’s thesis, Faculty of Commerce).

Nzailu, A., & Nepali, R. K. (2015). A prototype for continuous security awareness in financial institutions. MWAIS 2015 Proceedings 1. https://aisel.aisnet.org/mwais2015/1

Observer, O. (2017). Beware of ransomware, Oman takes precautions. Oman Observer. https://omanobserver.om/beware-of-ransomware/. Accessed 8 Oct 2020 from

Omar, N. S., Foozy, C. F. M., Hamid, I. R. A., Hafit, H., Arbain, A. F., & Shamala, P. (2021, May). Malware awareness tool for internet safety using gamification techniques. In Journal of Physics: Conference Series (Vol.1874, No. 1, p.012023). IOP Publishing.

Pahlavanpour, O. (2022). Gamification within information security awareness programs. A systematic mapping study (Dissertation). Retrieved from http://urn.kb.se/resolve?urn=urn:nbn:se:oru:diva-99904

Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T. (2017). The human aspects of information security questionnaire (HAIS-Q): two further validation studies. Computers & Security, 66, 40–51.CrossRef

Phelps, R., Fisher, K., & Ellis, A. (2007). Effective literature searching. Organizing and managing your research (pp. 128–149). SAGE Publications, Ltd. https://doi.org/10.4135/9781849209540.n7

Portal, O. (2012). Information Security Awareness Program for Government Institutions. Retrieved April 25 from https://cutt.ly/XlDJ78w

Portal, O. (n.d.) (Ed.). Chief Information Office (CIO). Retrieved September 8 from https://cutt.ly/LlDGSCb

Rantos, K., Fysarakis, K., & Manifavas, C. (2012). How effective is your security awareness program? An evaluation methodology. Information Security Journal: A Global Perspective, 21(6), 328–345.

Razaque, A., Al Ajlan, A., Melaoune, N., Alotaibi, M., Alotaibi, B., Dias, I., & Zhao, C. (2021). Avoidance of cybersecurity threats with the deployment of a web-based blockchain-enabled cybersecurity awareness system. Applied Sciences, 11(17), 7880.CrossRef

Sahi, S. K. (2017). A study of wannacry ransomware attack. International Journal of Engineering Research in Computer Science and Engineering (IJERCSE), 4(9), 5–7.

Sari, P. K., & Trianasari, N. (2014). Information security awareness measurement with confirmatory factor analysis. 2014 International Symposium on Technology Management and Emerging Technologies.

Stewart, G. & Lacey, D. (2012) Death by a thousand facts: Criticising the technocratic approach to information security awareness. Information Management & Computer Security, 20(1), 29–38. https://doi.org/10.1108/09685221211219182

Strauss, A., & Juliet, C. (2008). Basics of Qualitative Research (3rd ed.): Techniques and Procedures for Developing Grounded Theory https://doi.org/10.4135/9781452230153

Subramanian, S., CISA, S., & Agrawal, U. (2021). Nudging our way to successful Information Security Awareness. ISACA. Available at https://www.isaca.org/resources/isaca-journal/issues/2021/volume-1/nudging-our-way-to-successful-information-security-awareness

Tolah, A., Furnell, S. M., & Papadaki, M. (2021). An empirical analysis of the information security culture key factors framework. Computers & Security, 108, 102354.CrossRef

Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2010). Aligning security awareness with information systems security management. Journal of Information System Security, 6(1), 36–54.

Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2015). Managing the introduction of information security awareness programmes in organisations. European Journal of Information Systems, 24(1), 38–58.CrossRef

Uchendu, B., Nurse, J. R., Bada, M., & Furnell, S. (2021). Developing a cyber security culture: current practices and future needs. Computers & Security, 109, 102387.CrossRef

Wiley, A., McCormac, A., & Calic, D. (2020). More than the individual: examining the relationship between culture and information security awareness. Computers & Security, 88, 101640.CrossRef

Wilson, M., & Hash, J. (2003). Building an information technology security awareness and training program. NIST Special Publication, 800(50), 1–39.

Zani, A.A., Norman, A.A., & Ghani, N.B. (2018). A Review of Security Awareness Approach: Ensuring Communal Learning. PACIS.

Zhen, J., Dong, K., Xie, Z., & Chen, L. (2022). Factors influencing employees’ information security awareness in the telework environment. Electronics, 11(21), 3458. https://doi.org/10.3390/electronics11213458

Titel: Information Security Awareness practices: Omani Government Agencies as a case study
verfasst von: Malik Al-Shamli
Khalfan Zahran Al Hijji
Abdul Khalique Shaikh
Publikationsdatum: 23.12.2022
Verlag: Springer US
Erschienen in: Education and Information Technologies / Ausgabe 7/2023
Print ISSN: 1360-2357
Elektronische ISSN: 1573-7608
DOI: https://doi.org/10.1007/s10639-022-11513-7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 7/2023

Student-teachers’ sense of belonging in collaborative online learning

Impact on social capital and learning engagement due to social media usage among the international students in the U.S.

Acceptance of and self-regulatory practices in online learning and their effects on the participation of Hong Kong secondary school students in online learning

Towards intelligent E-learning systems

Teachers’ and school administrators’ perceptions of emergency distance education

The impact of chatbots using concept maps on correction outcomes–a case study of programming courses

Premium Partner