Selected Papers from the South African Information Security Multi-Conference (SAISMC 2010)
Edited by Prof. Steven M. Furnell, Dr Nathan Clarke and Prof. Rossouw von Solms
1 Introduction
The aim of information security is to ensure business continuity and to minimize business damage by preventing and minimizing the impact of security incidents ([18] von Solms, 1998). In general, information security refers to the following three important aspects ([7] Pfleeger and Pfleeger, 2007):
Confidentiality. Computer-related assets are accessed by authorised parties only.
Integrity. Correctness of computer assets such as data; data cannot be modified by unauthorised parties.
Availability. Computer-related assets are accessible to authorised parties at appropriate times.
The protection of information assets usually relies on the success of information security plans and the implementation of various security controls as part of such a plan. Apart from the usual technical controls, there is also a huge dependence on human involvement, and this human factor in information security is directly related to human behavior and human knowledge. This means that humans involved in a security process need to possess the required knowledge about their security-related roles and thus need some form of education ([16] van Niekerk, 2005).
To address this need for educating people and making them aware of information security threats, organizations often make use of information security awareness programs. According to [1] Dhillon (1999), the user education, or awareness program, is singled out because increasing awareness of security issues is the most cost-effective control that an organization can implement. This implies that a certain financial investment is required to design and implement an information security awareness program. Such an investment can become significant, and a well-planned strategy is necessary to support the goals of an awareness campaign and to target those areas where specific needs exist. By understanding the various information security issues that might exist, it becomes possible to identify appropriate approaches that could be adopted to overcome information security awareness obstacles.
In this paper, a survey will be described which determines the feasibility of a vocabulary test to identify areas to focus on in an information security awareness program. The study is based on another study performed from an educational viewpoint where the mathematics vocabulary of school learners was evaluated in...