Measuring the Effectiveness of Information Security Awareness Program

Abstract

Many researchers and experts in the information security field stress that the user is the weakest link in the chain when it comes to information security and security assets of an organization. The human error is still the key concept that might threaten and seriously damage assets of the organization. Consequently, the challenge for many (if not most) institutions and organizations today, is to improve the information security awareness of the end user. Identifying the program that best influences and improves the user’s knowledge, attitude, and behavior towards information security, is yet highly important. In order to identify this program, a method for assessing and measuring the effectiveness of information security awareness program is applied in this study. In the previous literature many methods for assessing and measuring the information security awareness are found,but there is not even one research found that shows effectiveness of the awareness program. Therefore, in this thesis a case study, and an experiment is realized in practice to examine, and represent the effectiveness of the information security awareness program. In this study information security awareness training is realized. The level of awareness among the participants in regard to information security is assessed and measured before and after the awareness training. The purpose of this is to let the effectiveness of the awareness training be highlighted, shown, and to find out to what extended it is effective. The methodology used to accomplish this task is: the online surveys and the interviews.