The development and evaluation of an information security awareness capability model: linking ISO/IEC 27002 controls with awareness importance, capability and risk

Author: Robert Poepjes

DOI:

Keywords:

Abstract: This research examines the role that awareness has on the effectiveness of information security within an organisation. There is a lack of understanding as to what the appropriate level of awareness is for controls across an organisation. Without knowing the required awareness importance and the demonstrated awareness capability, an organisation may not be able to determine whether its state of knowledge poses related risks. This study refers to Awareness Importance as how important awareness is, or how influential it is, in the success of a process or control. For example, when crossing a busy street it would be important to be aware of oncoming traffic before crossing. It also refers to Awareness Capability as how capable a person is when faced with a decision. It relates to comprehension of the current situation: as a person crosses the street, are they capable of comprehending the traffic? Their capability will influence how successful the crossing will be. Awareness Risk is the gap that results from the amount of awareness required (Awareness Importance) being greater than the awareness actually displayed (Awareness Capability). This study is motivated by the primary research question: 'to what extent does the relationship between Awareness Importance and Awareness Capability predict the risks associated with an organisation's state of awareness of their controls?' This suggests that by identifying the potential risks posed by any gap, likely improvements to the security posture of organisations could be achieved. There is little empirical research on how awareness influences controls. Furthermore, scant research has been conducted on how effective education and training programs are at raising organisational awareness. Moreover, do these programs raise the perception and decision-making of individuals in relation to threats? In bridging this gap in the literature, this study builds and tests a theoretical framework and model that combines aspects of the ISO/IEC 27002 standard with theories of risk management. The resultant model is the Information Security Awareness Capability Model (ISACM). In the first phase of the research, survey data was collected from professionals in order to establish a benchmark Awareness Importance rating for each of the 39 main categories of control objectives in the standard. These ratings, established for three stakeholder groups (IT staff, senior management, end users) within organisations, formed the first component of the study's ISACM. In the second survey, theory guided the development of an instrument to capture Awareness Capability; it was used on two separate populations to measure end users against the top 10 controls determined in phase one.
Phase three calculates the third component of the ISACM, Awareness Risk: the gap between the awareness required (Importance) and the awareness demonstrated (Capability). This extends existing research by contributing an approach to measuring security awareness within an organisation, thus identifying risks. The key findings illustrate that the importance of information security awareness differs by control, depending on which stakeholder group is involved. Finally, the ISACM calculates Awareness Risk, allowing identification of where awareness is sufficient as well as where it is lacking and presents risks. The researcher concludes that the developed ISACM can assist in identifying awareness gaps for specific security controls, provide a better understanding of where awareness exists and where risks exist due to lower than desirable awareness levels, and subsequently allow organisations to invest in the appropriate areas where unacceptable risks exist.
