Title: Information Security Awareness Raising Strategy Using Fuzzy AHP Method with HAIS-Q and ISO/IEC 27001:2013: A Case Study of XYZ Financial Institution
Authors: Yohan Adhi Styoutomo, Yova Ruldeviyani
DOI: 10.21512/commit.v17i2.8272 (https://doi.org/10.21512/commit.v17i2.8272)
Journal: CommIT Journal (volume field as recorded: "40 1")
Publication date: 2023-09-06
Publication type: Journal Article
JCR: Q3 (Computer Science)
Platform: Semanticscholar
Citations: 0
Information Security Awareness Raising Strategy Using Fuzzy AHP Method with HAIS-Q and ISO/IEC 27001:2013: A Case Study of XYZ Financial Institution

Abstract
XYZ financial institution is a government institution that receives and processes transaction reports from banks and remittances, so its data classification is very confidential. However, during the Work from Home (WFH) policy in the Covid-19 pandemic, XYZ financial institution has received many spam/phishing attacks. Hence, this incident shows that some employees need an awareness of information security. The research offers a different Information Security Awareness (ISA) questionnaire using the Human Aspects of the Information Security Questionnaire (HAIS-Q) and ISO/IEC 27001:2013 as focus areas. The research uses the theory of Knowledge, Attitude, and Behavior (KAB) to determine the dimensions that need improvement and priority ranking using Fuzzy Analytical Hierarchy Process (FAHP). Furthermore, the research conducts a Focus Group Discussion (FGD) to explore the root causes of employee behavior. The FGD results show that there are still employees who do not know about information security, such as password combinations and length, so limited knowledge affects employees’ attitudes and behaviors. The research results from 34 respondents show that the employees’ information security awareness level is in the moderate category (78.8%). They still need to increase their awareness of information security, especially in managing passwords, using email and the Internet, and reporting incidents. Recommendations have been prepared to improve the dimensions and areas that have yet to be categorized as good. In the future, the ISA questionnaire is expected to be used in other organizations.