Available online at www.sciencedirect.com
ScienceDirect
journal homepage: www.elsevier.com/locate/cose
Computers & Security xxx (2014) 1–12
Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)
Kathryn Parsons a,*, Agata McCormac a, Marcus Butavicius a, Malcolm Pattinson b, Cate Jerram b
a Defence Science and Technology Organisation (DSTO), 203L, PO Box 1500, Edinburgh, SA 5111, Australia
b Business School, University of Adelaide, Adelaide, SA 5005, Australia
Article info
Article history:
Received 18 November 2013
Received in revised form
17 December 2013
Accepted 23 December 2013
Keywords:
Information security
Security behaviours
Questionnaire design
Cyber security
Hybrid research
* Corresponding author. Tel.: +61 8 7389 9753; fax: +61 8 7389 6328.
E-mail addresses: kathryn.parsons@dsto.defence.gov.au (K. Parsons), [email protected] (A. McCormac), [email protected] (M. Butavicius), malcolm.pattinson@adelaide.edu.au (M. Pattinson), [email protected] (C. Jerram).
Please cite this article in press as: Parsons K, et al., Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q), Computers & Security (2014), http://dx.doi.org/10.1016/j.cose.2013.12.003
0167-4048/$ – see front matter Crown Copyright © 2014 Published by Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.cose.2013.12.003
Abstract
It is increasingly acknowledged that many threats to an organisation’s computer systems
can be attributed to the behaviour of computer users. To quantify these human-based
information security vulnerabilities, we are developing the Human Aspects of Informa-
tion Security Questionnaire (HAIS-Q). The aim of this paper was twofold. The first aim was
to outline the conceptual development of the HAIS-Q, including validity and reliability
testing. The second aim was to examine the relationship between knowledge of policy and
procedures, attitude towards policy and procedures and behaviour when using a work
computer. Results from 500 Australian employees indicate that knowledge of policy and
procedures had a stronger influence on attitude towards policy and procedure than self-
reported behaviour. This finding suggests that training and education will be more effec-
tive if it outlines not only what is expected (knowledge) but also provides an understanding
of why this is important (attitude). Plans for future research to further develop and test the
HAIS-Q are outlined.
Crown Copyright © 2014 Published by Elsevier Ltd. All rights reserved.
1. Introduction
Many of the threats to an organisation’s computer systems
can be attributed to the behaviour of computer users. Hence,
information security threats cannot be prevented, avoided,
detected or eliminated by solely focusing on technological
solutions (Furnell et al., 2006; Herath and Rao, 2009; Vroom &
von Solms, 2004). Human behaviours that may put an orga-
nisation at risk include inadvertently or deliberately divulging
passwords to others, falling victim to phishing emails by
clicking on embedded web site links, or inserting non-familiar
media into work or home computers.
To assess the extent to which an organisation’s informa-
tion systems are vulnerable to threats caused by risk-taking
behaviour of employees, our goal is to produce an empiri-
cally validated instrument, known as the Human Aspects of
Information Security Questionnaire (HAIS-Q). This tool could
be used to measure employee knowledge, attitude and
behaviour to provide management with a benchmark, which
could then be used to evaluate the effectiveness of different
information technology (IT) control strategies, or to track the
long-term security health of an organisation. The aim of this
paper is to outline the development of our HAIS-Q and to
examine the relationships between knowledge of policy and
procedures, attitude towards policy and procedures and
behaviour when using a work computer.
1.1. Previous information security surveys
A comprehensive review of previous information security
surveys has highlighted a gap in research. Although a number
of organisations (see, for example, Deloitte, 2011; Ernst and
Young, 2011; PricewaterhouseCoopers, 2013) conduct yearly
information security surveys, these surveys traditionally
collect information about security breaches and their impact
and do not seek to establish what users think, know or do
about information security issues. These surveys have also
been criticised for flaws in their methodologies, the design of
their questions, and their statistical reporting (Guillot and
Kennedy, 2007; Walsh, 2006). For example, Anderson et al.
(2012) suggest that these studies may suffer from response
effects and sampling bias, which could result in an under-
reporting of security issues. Furthermore, these surveys are
often sponsored by vendors with an interest in providing
specific solutions. This could cause conflicting motives, which
could result in an over-reporting of certain security issues
(Anderson et al., 2012). Additionally, these surveys are usually
conducted solely with information security professionals, and
although this reveals important information regarding the
technologies and other safeguards in place within an organi-
sation, this does not necessarily represent the views or ex-
periences of the majority of computer users (Herath and Rao,
2009).
Many academic surveys of computer users that exist have
examined only one component of information security
awareness. For example, Stanton et al. (2005) ran a survey on
password-related behaviours, two studies by Mylonas et al. (2013)
examined mobile computing, and Furnell
et al. (2006) assessed users’ understanding of security features
within specific applications. Other academic surveys (e.g.,
Siponen et al., 2010; Herath and Rao, 2009) have examined
potentially influencing variables, such as normative beliefs or
intention to comply with policy. However, none of these sur-
veys attempt to determine the overall information security
awareness of employees.
There is also a growing body of literature that attempts to
apply existing behavioural models to the area of information
security. This includes models such as the Theory of Planned
Behaviour (Bulgurcu, 2008), the Health Belief Model (Ng et al.,
2009), the Protection Motivation Theory (Vance, 2010), the
General Deterrence Theory (Fan and Zhang, 2011) and the
Knowledge–Attitude–Behaviour (KAB) model (Kruger and
Kearney, 2006), originally developed in fields including
health, criminology and environmental psychology. Accord-
ing to Karjalainen (2011), many of these previous studies of
information security behaviour are focused solely on theory-
verification or validation, and therefore may present a
biased viewpoint of the area of interest. In other words,
because these studies only assess the variables in the theory
under investigation, other potentially important variables are
not considered. This is particularly important in the area of
information security because, as highlighted by Vroom and
von Solms (2004), employee behaviour is likely to be influ-
enced by many factors, including personality, the organisa-
tion and its culture.
Furthermore, there are many important differences be-
tween the field of information security and fields such as
health, criminology or environmental psychology. These
latter fields differ widely in regards to the ease of access and
comprehension of information, the consequences for action
or inaction, and the necessity to make decisions based on
unclear or contradictory information. For example, topics like
climate change and the health benefits or consequences of
certain foods have been widely debated, which means people
are faced with conflicting information, and the scientific
legitimacy of this information is not always clear. In contrast,
providing far less ambiguity, most organisations have an in-
formation security policy, either written or informal, which
indicates what is expected from employees.
Although theories such as the Technology Acceptance
Model (TAM) have been shown to predict intention to use
security technologies (Davis, 1989; Mathieson, 1991) within an
organisational setting, this finding may not capture the
complexity of the problem. Essentially, much of the previous
research has not adequately considered the unique nature of
information security behaviour within an organisation. Em-
ployees work within a supported environment, where there
are often multiple levels of protection and colleagues to pro-
vide assistance. The organisational setting is also generally
supervisory, with potential monitoring of behaviour, and
often demonstrable culpability. In most cases, there are also
information technology (IT) personnel, who ensure that anti-
virus software is installed and appropriately updated, fire-
walls are adequately implemented, and information is regu-
larly backed-up. It is not necessary for most employees to
have a comprehensive understanding of how these technologies
work. Employee behaviours that are more likely to result
in information security breaches, such as not choosing a
strong password and opening suspicious email attachments,
are not necessarily associated with the adoption of a specific
technology (Ng et al., 2009).
1.2. Conceptual development of the HAIS-Q
In Parsons et al. (2013), we reported on the results of an in-
formation security study with three Australian government
organisations. This was the first stage of our development of
the HAIS-Q. Rather than focusing solely on theory-
verification, we used a hybrid methodology, incorporating
the inductive, exploratory approach recommended by
Karjalainen (2011). We use the term ‘hybrid’ to denote a blend
of qualitative and quantitative methods for gathering and
analysing data.
Interviews were conducted with senior management of
each organisation (qualitative data). The interviews revealed
that management were most concerned about human error,
as they felt security breaches were more likely to be caused by
unawareness and naivety rather than maliciousness (Parsons
et al., in press). Since research confirms that human errors are
the most frequent cause of information security breaches
(Linginlal et al., 2009; Schultz, 2005; Wood and Banks, 1993),
we aimed to investigate these behaviours. We developed an
exploratory (predominately quantitative) information secu-
rity survey, to further investigate information security issues,
and this initial survey was then completed by 203 employees
from the three government organisations.
This iterative process eventually yielded the hypothesis
that as computer users’ level of knowledge of information
security policy and procedures is raised, their attitude towards
information security policy and procedures improves, which
should translate into more risk-averse information security
behaviour. This process of change is sometimes referred to as
the KAB model (Baranowski et al., 2003; Khan et al., 2011;
Kruger and Kearney, 2006), and a refined and specific version
of this model is one component of the HAIS-Q.
There is disagreement in the literature regarding the use-
fulness or validity of the KAB model. For example, van der
Linden (2012) examined previous research in the area of
climate change and claimed there is “ample evidence” (p. 13) in
support of a significant relationship between environmental
knowledge and attitudes and behaviours. Bettinghaus (1986)
examined the model’s relevance to health promotion, and
concluded that there is a positive but small relationship be-
tween knowledge, attitude and behaviour. However, Kollmuss
and Agyeman (2002) criticised the model for being too ratio-
nalist, and Baranowski et al. (2003) examined its relevance in
the health field, and concluded that “scientific support for the
knowledge component of KAB models is weak” (p. 26S).
However, according to McGuire (1969), the problem with the KAB model is not the theoretical model itself, but rather, the way the model is applied. In many cases, the concept of knowledge is not clearly specified (Baranowski et al., 2003). For example, in regards to diet, knowledge could be assessed in respect to the health outcomes of certain foods, how to find nutritional information or how to best prepare food. Individual responses in many of these areas would be strongly influenced by additional factors, such as self-efficacy (e.g., the ability to cook) (Baranowski et al., 2003). Essentially, the variables of interest must be specified clearly and related to the other variables associated with the overall process of behavioural change for use of the KAB model to be evaluated with integrity.
Table 1 – Examples of computer user behaviour (adapted from Pattinson and Anderson, 2007; Parsons et al., in press).
Focus area | Good behaviours (Deliberate) | Neutral behaviours (Accidental) | Bad behaviours (Deliberate)
Password management | Always logging off when computer unattended | Sharing user names and passwords | Hacking into other people’s accounts
Email use | Refusing email attachments from unknown sources | Opening unsolicited email attachments | Creating and sending SPAM email
Internet use | Using only authorised software | Accessing dubious websites | Downloading video content to a work computer via peer-to-peer file sharing
Social networking site (SNS) use | Not accessing social networking websites during work time | Not considering the negative consequences before posting on a SNS | Posting sensitive information about the workplace on social networking sites
Incident reporting | Being vigilant in recognising and approaching unauthorised personnel | Not reporting security incidents | Giving unauthorised personnel access to authorised precincts
Mobile computing | Sending work emails using only secure networks | Leaving a work laptop unattended | Configuring a wireless gateway that gives unauthorised access to the company’s network
Information handling | Shredding or destroying sensitive documents that need to be disposed | Leaving DVDs or documents that contain sensitive information on a work desk overnight | Writing and disseminating malicious code
1.3. The HAIS model and questionnaire
Our model abides by McGuire’s (1969) recommendation;
knowledge was conceptualised first, and specifically, as
‘knowledge of policy and procedures’. Within that refined
context, we reviewed several information security policies
and used the findings of our senior management interviews
and initial information security survey to develop specific
focus areas. These were designed to represent the areas of an
information security policy that are relevant to employers and
computer users and most prone to non-compliance.
From this process, we identified seven focus areas; these
are internet use, email use, social networking site use, pass-
word management (including locking workstations), incident
reporting, information handling and mobile computing. As
mentioned in Section 1.2, our senior management interviews
indicate that human errors are frequently responsible for in-
formation security breaches, and this is supported by the
literature (Linginlal et al., 2009; Schultz, 2005; Wood and
Banks, 1993). Hence, our questionnaire is primarily focused
on the behaviours shown in Table 1 as ‘Neutral Behaviours
(Accidental)’, which are associated with human errors. These
behaviours are not intended to harm the organisation or its
resources, and are instead associated with naivety or un-
awareness. These types of behaviours are referred to by
Stanton et al. (2005) as naïve mistakes. Their taxonomy,
depicted in Table 2, also highlights the relevance of expertise;
the types of behaviours that are the main focus of our questionnaire
are those that require low expertise.
For each of our seven focus areas, we developed three
representative areas, which can be seen in Table 3. As with the
focus areas, these sub-areas were developed based on a re-
view of several information security policies and our in-
terviews with senior management to specifically represent
common human errors. For each of these representative
areas, we developed one specific knowledge statement, one
specific attitude statement and one specific behaviour state-
ment. For example, the following statements measure the
sub-area consequences of social networking sites (within the
social networking site use focus area):
Table 3 – Focus areas with representative areas.
Focus area | Sub-areas
Password management | Locking workstations; Password sharing; Choosing a good password
Email use | Forwarding emails; Opening attachments; IT department level of responsibility
Internet use | Installing unauthorised software; Accessing dubious websites; Inappropriate use of internet
Social networking site (SNS) use | Amount of work time spent on SNS; Consequences of SNS; Posting about work on SNS
Incident reporting | Reporting suspicious individuals; Reporting bad behaviour by colleagues; Reporting all security incidents
Mobile computing | Physically securing personal electronic devices; Sending sensitive information via mobile networks; Checking work email via free network
Information handling | Disposing of sensitive documents; Inserting DVDs/USB devices; Leaving sensitive material unsecured
Table 2 – Two-factor taxonomy of security behaviours (adapted from Stanton et al. (2005)).a
Expertise | Intentions | Title | Description
High | Malicious | Intentional destruction | Behaviour requires technical expertise together with a strong intention to do harm to the organisation’s IT and resources.
Low | Malicious | Detrimental misuse | Behaviour requires minimal technical expertise but nonetheless includes intention to do harm through annoyance, harassment, rule breaking, etc.
High | Neutral | Dangerous tinkering | Behaviour requires technical expertise but no clear intention to do harm to the organisation’s IT and resources.
Low | Neutral | Naïve mistakes | Behaviour requires minimal technical expertise and no clear intention to do harm to the organisation’s information technology and resources.
High | Beneficial | Aware assurance | Behaviour requires technical expertise together with a strong intention to do good by preserving and protecting the organisation’s information technology and resources.
Low | Beneficial | Basic hygiene | Behaviour requires no technical expertise but includes clear intention to preserve and protect the organisation’s IT and resources.
a Reprinted from Computers & Security, 24, Stanton, Stam, Mastrangelo & Jolton, Analysis of end user behaviours, 124–133, 2005, with permission from Elsevier.
• Knowledge: “I can’t be fired for something I have posted on a social networking web site.”
• Attitude: “It is a bad idea to post things on social networking web sites about my work that I wouldn’t say in a public place.”
• Behaviour: “I would consider the negative consequences to my job before I post anything on social networking web sites.”
Three representative areas were chosen as this main-
tained a balance between the scientific need to obtain a
specific measure of the most important areas and the prac-
tical need to limit the length of the questionnaire. This
means the KAB component of the HAIS-Q consists of 63
specific statements. A five point Likert scale, rated from
Strongly Agree to Strongly Disagree, was used for all of the
items. These statements are more specific tests of the vari-
ables of interest than other information security surveys that
tend to measure information security in a very general
manner. For example, Siponen et al. (2010) tested an in-
dividual’s information security-related behaviour by asking
participants to respond to the statement “I comply with
information security policies” and their intention to comply with
the statement “I intend to comply with information security pol-
icies”. These items do not test specific knowledge, and are
potentially more prone to response bias.
It is important to highlight that the KAB statements
represent only one part of an overall conceptual model that is
being developed, tested and validated using a hybrid, explor-
atory, iterative approach.We believe the relationship between
knowledge, attitude and behaviour is influenced by many in-
dividual, intervention and organisational factors as shown in
Fig. 1. For example, psychological factors; training and semi-
nars attended; and an organisation’s information security
culture (Da Veiga and Eloff, 2010; Vroom& von Solms, 2004) all
have the potential to impact on the knowledge, attitude and
behaviour of employees. For this reason, the HAIS-Q includes
specific items to measure each of the factors depicted in Fig. 1
(e.g., organisational factors are measured via organisational
and security culture, subjective norms, rewards and punish-
ments). However, the assessment of the influence of these
factors on KAB and the different focus areas is part of a larger
project, which is beyond the scope of the current paper. Our
seven focus areas are displayed in Fig. 1 as separate, parallel
models because, to date, no research has investigated
whether knowledge, attitude and behaviour will be consistent
across the different information security policies and
procedures.
The aim of the current study is to examine the relation-
ships between knowledge of policy and procedures, attitude
towards policy and procedures and behaviour when using a
work computer. We are addressing this aim through the
following hypotheses:
• H1: Better knowledge of policy and procedures is associated with better attitude towards policy and procedures.
Fig. 1 – The Human Aspects of Information Security (HAIS) model.
• H2: Better attitude towards policy and procedures is associated with self-reported behaviour that is more risk averse.
• H3: Better knowledge of policy and procedures is associated with self-reported behaviour that is more risk averse.
This component of the model is shown in Fig. 2, with labels for the associated hypotheses.
2. Method
In line with our inductive, exploratory approach, the meth-
odology of this paper is presented in three phases. The first is
the pre-testing or validity phase, which was designed to
ascertain the internal, content and face validity of the HAIS-Q.
The second phase is a pilot study, which was conducted to
further refine and examine the reliability of the HAIS-Q. These
phases provided preliminary evidence of validity and reli-
ability in the HAIS-Q, and justified implementing the main
study, which is presented in phase three.
Fig. 2 – The KAB component of the HAIS Model.
2.1. Phase one – validity testing
Before commencing the main study, pre-testing techniques
were utilised to further test the validity and reliability of the
survey items. First, an expert in survey design was asked to
complete the survey, and a respondent debriefing was con-
ducted. In line with the technique described by DeMaio and
Rothgeb (1996), this expert was asked about their understanding
of terms, the clarity of directions and any other areas of
potential misunderstanding. Following this, cognitive testing,
which involves a combination of think-aloud and verbal probing
(Draugalis et al., 2008; Fowler, 1995) was conducted with an
expert in information security. This required the expert to
complete the survey with researchers present and to verbalise
whatever came to mind while answering (Willis, 2004). Where
the researchers believed the think-aloud process had not suffi-
ciently described how the respondent understood, mentally
processed and answered survey items, probes were used to
obtain additional information. The cognitive probes provided by
Collins (2003) were used as a guide. Collins (2003) included
general probes (e.g., “I noticed you hesitated before you answered –
what were you thinking about?”) along with probes to explore
comprehension (e.g., “What does the term X mean to you?”),
retrieval (e.g., “How did you remember that?”), confidence judge-
ment (e.g., “How sure of your answer are you?”), and response (e.g.,
“How did you feel about answering this question?”). The respondent
debriefing and cognitive testing helped to identify any unclear
items, which not only reduces measurement errors, therefore
increasing the internal validity of the survey, but also helps to
establish content and face validity.
Next, a pilot study was conducted, and the results were
examined to identify any remaining problematic items and to
establish the reliability of the main components of the survey.
2.2. Phase two – pilot study
One-hundred and twenty working Australians completed the
pilot version of the HAIS-Q. Participants were required to read
the information sheet and consent form, and were then asked
to complete the HAIS-Q. The questionnaire was completed
online using the Qualtrics survey platform (footnote 1). Because the items
are based on computer use and adherence to information
security policy within an organisation, three exclusion criteria
were applied. These were employment status (participants
who responded with ‘Not employed’ were excluded), amount
of work time spent using a computer or portable device (par-
ticipants who responded with ‘No time at all’ were excluded)
and whether their organisation has an information security
policy (participants who responded with ‘No’ or ‘Unsure’ were
excluded). This ensured that all respondents worked within
an organisation with at least an informal policy or basic rules,
and had some work use of a computer or portable device.
Whilst we acknowledge that excluding participants who
responded with ‘Unsure’ may rule out those with very poor
security awareness, this was necessary, as the HAIS-Q measures
knowledge of and attitude towards policy and procedure. For the
pilot study, no participants met any of these three exclusion
criteria, so none were excluded on this basis.
To ascertain data quality, responses were then examined
using the category of response bias known as content non-
responsivity, which describes responses made without regard
to the content of items (Nichols et al., 1989; Meade and Craig,
2012). This examination identified response patterns, in which
participants consistently chose the same answer (e.g.,
‘strongly disagree’). The HAIS-Q includes a total of 63 knowl-
edge, attitude and behaviour statements, and 10 personality
statements. Of the 63 statements, 29 are positively worded
and 34 are negatively worded, and each of the Big Five per-
sonality factors had a statement measuring the trait at one
end of the spectrum (e.g., extraversion) and a statement
measuring the opposing personality trait (e.g., introversion)
(Gosling et al., 2003). This means that participants who pro-
vide the same uniform response for all statements were
probably not answering with due care or attention. Responses
to these statements were examined for any evidence of uni-
formity, and cases where participants responded in an iden-
tical manner to 53 or more of the 63 statements or all 10 of the
personality statements were examined in detail. This identi-
fied seven suspicious cases. For example, one participant
responded with ‘strongly agree’ to all 63 statements and all 10
personality items, which suggests they chose the same option
without considering their response. It was concluded that
these seven participants were not answering honestly, and
they were therefore excluded.
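The two screening steps just described, the three exclusion criteria and the content non-responsivity check, written out as an added Python example (this is not the authors' code). It assumes Likert answers coded 1 to 5, uses field names chosen for illustration, and the respondent records are constructed; the 53-of-63 and all-10 thresholds are the ones stated in the text, and flagged cases are returned for review rather than silently dropped, matching the manual examination the pilot applied.

```python
"""Respondent screening for a KAB-style survey such as the HAIS-Q pilot:
the three exclusion criteria, then a content non-responsivity check that
flags near-uniform answer patterns for review. Added example; the rules
follow the paper's text, the records below are constructed."""
from collections import Counter

KAB_ITEMS = 63            # knowledge + attitude + behaviour statements
PERSONALITY_ITEMS = 10    # Big Five, one item per pole of each trait
KAB_UNIFORM_LIMIT = 53    # same option on >= 53 of 63 statements triggers review
# Likert coding assumed here: 1 = Strongly Disagree ... 5 = Strongly Agree


def exclusion_reason(respondent):
    """Return why a respondent is excluded, or None if all three screens pass."""
    if respondent["employment"] == "Not employed":
        return "not employed"
    if respondent["computer_time"] == "No time at all":
        return "no work use of a computer or portable device"
    if respondent["has_policy"] in ("No", "Unsure"):
        return "no (or unknown) information security policy"
    return None


def is_content_nonresponsive(kab, personality):
    """Straight-lining check: the same option on >= 53 of the 63 KAB statements,
    or the same option on all 10 personality items. Because 34 of the 63 KAB
    items are negatively worded and each trait is asked at both poles, a
    uniform answer set contradicts itself."""
    if len(kab) != KAB_ITEMS or len(personality) != PERSONALITY_ITEMS:
        raise ValueError("unexpected number of responses")
    _, run = Counter(kab).most_common(1)[0]
    return run >= KAB_UNIFORM_LIMIT or len(set(personality)) == 1


def screen(respondents):
    """Split respondents into (id, None) valid cases and (id, reason) exclusions."""
    valid, excluded = [], []
    for r in respondents:
        reason = exclusion_reason(r)
        if reason is None and is_content_nonresponsive(r["kab"], r["personality"]):
            reason = "content non-responsivity"
        (excluded if reason else valid).append((r["id"], reason))
    return valid, excluded


def varied(seed, n):
    """Deterministic non-uniform pattern standing in for an attentive respondent (constructed)."""
    return [1 + (seed + 3 * i) % 5 for i in range(n)]


def _record(rid, kab, personality, employment="Employed",
            computer_time="Most of the day", has_policy="Yes"):
    return {"id": rid, "employment": employment, "computer_time": computer_time,
            "has_policy": has_policy, "kab": kab, "personality": personality}


# Constructed sample mirroring the cases discussed in the text.
SAMPLE = [
    _record("r1", varied(0, KAB_ITEMS), varied(1, PERSONALITY_ITEMS)),
    _record("r2", varied(2, KAB_ITEMS), varied(3, PERSONALITY_ITEMS), employment="Not employed"),
    _record("r3", varied(4, KAB_ITEMS), varied(0, PERSONALITY_ITEMS), has_policy="Unsure"),
    # the 'strongly agree to everything' respondent from the pilot
    _record("r4", [5] * KAB_ITEMS, [5] * PERSONALITY_ITEMS),
    # exactly 53 identical KAB answers: on the review threshold
    _record("r5", [2] * 53 + [1, 3, 4, 5, 1, 3, 4, 5, 1, 3], varied(1, PERSONALITY_ITEMS)),
]

if __name__ == "__main__":
    valid, excluded = screen(SAMPLE)
    print("valid:", [rid for rid, _ in valid])
    for rid, reason in excluded:
        print("excluded", rid, "->", reason)
```

The exclusion criteria are applied before the straight-lining check, so a respondent is reported with one reason only; a run of exactly 53 identical answers is flagged, a run of 52 is not.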
This left 113 valid responses, 53 of which were male and
60 female. Only 3% of participants were under 21 years of age.
Approximately a quarter (26%) were aged between 21 and 30,
and 37% were between 31 and 40 years of age. A further 12%
were aged between 41 and 50, 19% were aged between 51 and
60, and 4% were 61 years or older. Participants took an
average of 18 min and 5 s (SD = 11 min and 24 s) to complete
the survey.
1 Qualtrics is a research software company that provides survey data collection via a ‘panel’ of in excess of 6 million people who have agreed to receive emails regarding research participation. A closed, ‘by-invitation-only’ panel recruitment method was utilised. More information on recruitment, privacy and panel incentives is available here: http://www.researchnow.com/en-US/Panels.aspx.
Consistent with the technique utilised by Arachchilage and
Love (2013), Cronbach’s alpha was used as a measure of the
internal consistency of the survey. This refers to the degree to
which the items measure the same underlying construct, and
a reliable scale should have a Cronbach’s alpha coefficient
above 0.70 (Cronbach, 1951). As shown in Table 4, Cronbach’s
alpha coefficients for each of the three main constructs (i.e.,
knowledge of policy and procedure, attitude towards policy
and procedure and self-reported behaviour) all exceeded this
recommended value.
A series of Pearson product–moment correlations were
conducted to further assess the relationship between the
items used to create the three main constructs. An examina-
tion of the correlation matrices revealed that all items
significantly correlated at 0.3 or above with, on average, 40% of
the other items in that construct. The items with three or
fewer correlations at 0.3 or above with other items in the
construct were examined in detail to ensure they were clearly
worded and accurately measuring the item of interest.
This revealed 10 items that were subsequently altered.
Some of these items were deemed to be too complicated, and
it was thought that a simplification may prevent respondent
confusion. For example, the mobile computing statement
“Even if I am having trouble meeting a deadline, it is never
acceptable for me to send sensitive work documents via a mobile
phone network” was simplified to “It is a bad idea to send sen-
sitive work documents using a mobile phone”. Some of the altered
items included unclear terms. For example, the use of the
term ‘unknown origin’ in the information handling state-
ment “I must not insert a USB flash drive of unknown origin into
my work computer” was deemed to be unclear, and a more
specific example was used (i.e., “If I find a USB flash drive in a
public place like a car park, I must not insert it into my work
computer”).
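The reliability checks described in this section, Cronbach’s alpha per construct and the inter-item correlation screen, as an added Python example that is not the authors’ analysis code. It assumes 1-to-5 Likert coding with negatively worded items reverse-coded as 6 minus the raw score (an assumption; the text notes that 34 of the 63 items are negatively worded but does not state the scoring), and the four-item, six-respondent data set is constructed. With only four items, the paper’s ‘three or fewer correlations at 0.3 or above’ rule would flag every item, so the demonstration passes a smaller max_strong.

```python
"""Scale reliability checks of the kind used to vet the HAIS-Q constructs:
reverse-coding of negatively worded items, Cronbach's alpha, and a screen
for items that correlate weakly with the rest of their construct. Added
example, not the authors' analysis code; the data set is constructed."""
from math import sqrt

SCALE_MAX = 5  # assumed Likert coding: 1 = Strongly Disagree ... 5 = Strongly Agree


def reverse_code(scores, scale_max=SCALE_MAX):
    """Flip a negatively worded item so a high score means the desirable answer (assumed 6 - x)."""
    return [scale_max + 1 - s for s in scores]


def variance(xs):
    """Sample variance. Alpha depends only on a ratio of variances, so the
    n-1 factor cancels and population variance would give the same alpha."""
    mean = sum(xs) / len(xs)
    return sum((x - mean) ** 2 for x in xs) / (len(xs) - 1)


def cronbach_alpha(items):
    """items: k lists, one per statement, each holding one score per respondent.
    alpha = k/(k-1) * (1 - sum(item variances) / variance(respondent totals))."""
    k = len(items)
    if k < 2:
        raise ValueError("alpha needs at least two items")
    totals = [sum(scores) for scores in zip(*items)]
    total_var = variance(totals)
    if total_var == 0:
        return float("nan")  # identical totals for everyone: nothing to explain
    return (k / (k - 1)) * (1 - sum(variance(i) for i in items) / total_var)


def pearson(x, y):
    """Pearson product-moment correlation; 0.0 if either item has no variance."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / sqrt(sxx * syy)


def weak_items(items, min_r=0.3, max_strong=3):
    """Indexes of items that reach r >= min_r with at most max_strong other items
    in the construct. The paper's rule ('three or fewer') suits its 21-item
    constructs; scale max_strong down for a short demonstration set."""
    flagged = []
    for i, x in enumerate(items):
        strong = sum(1 for j, y in enumerate(items) if j != i and pearson(x, y) >= min_r)
        if strong <= max_strong:
            flagged.append(i)
    return flagged


# Constructed pilot-style data: four knowledge items, six respondents.
# K3 and K4 are negatively worded, so their raw scores run against K1 and K2.
RAW = {
    "K1": [5, 5, 4, 3, 2, 1],
    "K2": [5, 4, 4, 3, 2, 2],
    "K3": [1, 2, 3, 3, 4, 5],
    "K4": [2, 1, 2, 3, 4, 5],
}
NEGATIVELY_WORDED = {"K3", "K4"}


def scored_items(raw=RAW, negative=NEGATIVELY_WORDED):
    """Reverse-code the negatively worded items; returns items in key order."""
    return [reverse_code(v) if k in negative else v for k, v in raw.items()]


if __name__ == "__main__":
    raw_items = list(RAW.values())
    print("alpha, raw scores:         %.3f" % cronbach_alpha(raw_items))
    print("alpha, reverse-coded:      %.3f" % cronbach_alpha(scored_items()))
    print("weak items, raw:           ", weak_items(raw_items, max_strong=1))
    print("weak items, reverse-coded: ", weak_items(scored_items(), max_strong=1))
```

On the raw scores the two negatively worded items cancel the others in each respondent’s total, so alpha comes out negative and every item is flagged as weakly correlated; after reverse-coding the same answers give an alpha above 0.9 and no flagged items. A negative or near-zero alpha on a scale that mixes positively and negatively worded statements is the usual sign that reverse-coding was skipped, and is worth checking before any item is reworded.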
The results of the respondent debriefing, cognitive testing and
pilot study provided preliminary evidence of validity and reliability
in the HAIS-Q, and justified implementing the main study.
2.3. Phase three – main study
2.3.1. Participants
In the main study, 1073 Australians attempted the survey. The
same exclusion criteria employed in the pilot study were used.
On this basis, 348 participants were excluded because they
were not employed, 67 because they spend ‘No time at all’
using a computer or portable device at work, and 138 partici-
pants were excluded because their organisation has no information
security policy (53 responses) or they were unsure if
their organisation has an information security policy (85 re-
sponses). Of the 520 remaining participants, a further 20 re-
sponses were excluded based on the same content
nonresponsivity criteria employed in the pilot study.
Table 4 – Cronbach’s alpha coefficients for the KAB survey components in the pilot study.
Constructs Cronbach’s alpha
Knowledge of policy and procedures 0.875
Attitude towards policy and procedures 0.878
Self-reported behaviour 0.906
Table 5 – Percentage of sample in each industry compared to Australian statistics (ABS, 2013).
Industry (ANZSICa) ABS (%) Sample (%)
Agriculture, forestry and fishing 3% 1%
Mining 2% 3%
Manufacturing 8% 4%
Electricity, gas and water and waste services 1% 2%
Construction 9% 7%
Wholesale trade 4% 2%
Retail trade 11% 11%
Accommodation and food services 7% 4%
Transport, postal and warehousing 5% 5%
Information media and telecommunications 2% 6%
Financial and insurance services 4% 7%
Rental, hiring and real estate services 2% 2%
Public administration and safety 6% 8%
Education and training 8% 10%
Health care and social assistance 12% 18%
Arts and recreation services 2% 2%
Other services 15% 7%
a Australian and New Zealand Standard Industrial Classification.
Table 6 – Cronbach’s alpha coefficients for the KAB survey components in the main study.
Constructs Cronbach’s alpha
Knowledge of policy and procedures 0.844
Attitude towards policy and procedures 0.884
Self-reported behaviour 0.918
This left 500 valid responses, with 51% of respondents male
and 49% female. Consistent with the results of the pilot study,
the sample represented a wide range of ages. Approximately
4% of participants were under 21 years of age; 29% were aged
between 21 and 30; 23% were aged between 31 and 40; 17%
were aged between 41 and 50; and 21% were between 51 and
60 years of age. A further 6% were 61 years or older.
Other participant demographics were examined to assess
whether our sample is representative of employed Austra-
lians. Participants’ responses to the question, “What is the in-
dustry sector of your employment?”were compared to Australian
Labour Market Statistics obtained by the Australian Bureau of
Statistics (2013). As shown in Table 5, the percentage of
employed Australians in each industry is very similar to the
percentage of respondents in each industry. This suggests
that our sample represents a range of employment types that
is similar to the wider Australian population.
Table 7 – Correlations for knowledge.
Focus area 1 2 3 4 5 6 7
1. Password management 1 – – – – – –
2. Email use .352** 1 – – – – –
3. Internet use .326** .390** 1 – – – –
4. Social networking site use .349** .483** .573** 1 – – –
5. Mobile computing .377** .451** .430** .413** 1 – –
6. Information handling .468** .553** .557** .580** .485** 1 –
7. Incident reporting .402** .460** .346** .392** .445** .427** 1
The median time to complete the questionnaire was 23 min, with an average time of 37 min and 12 s (SD = 97 min and 40 s). This very large standard deviation was likely caused by participants alternating survey completion with other work; 6 respondents took in excess of five hours, and of these, three required in excess of 10 h.
2.3.2. Procedure
In line with the procedure utilised for the pilot study, participants were required to read the information sheet and consent form, and were then asked to complete the HAIS-Q. Again, the questionnaire was completed online, using the Qualtrics survey platform.
3. Results
As in the pilot study, Cronbach’s alpha was calculated for each of the three main constructs as a measure of the internal consistency of the survey items. As shown in Table 6, these scores all exceeded the recommended cut-off value of 0.7, which provides evidence of a high degree of reliability and suggests the items in the scales are measuring the same underlying construct.
To further test the relationship between the items used to create the three main constructs (i.e., knowledge of policy and procedures, attitude towards policy and procedures and self-reported behaviour) a series of Pearson product-moment correlation coefficients were calculated. There was a significant positive relationship between all variables, with correlations ranging between .326 and .695, which indicates a strong relationship, but does not indicate multicollinearity. This therefore provides further support for the reliability of the HAIS-Q, and provides justification for creating total knowledge, attitude and behaviour scores, which can be used to test hypotheses 1, 2 and 3. These correlations are shown in Tables 7–9.
As noted in Section 1, the aim of the current paper is to test the hypothesis that there is a significant positive relationship between respondents’ knowledge of policy and procedures, attitude towards policy and procedures and their behaviour when using a work computer. This theory was tested using path analysis, which is a statistical technique for empirically examining sets of relationships to test the fit of causal models, and give estimates of their size and significance (Huang and Liaw, 2005; Lleras, 2005). It involves using a multiple regression analysis for each of the endogenous variables in the model (Huang and Liaw, 2005; Mathieu, 1988).
Table 8 – Correlations for attitude.
Focus area 1 2 3 4 5 6 7
1. Password management 1 – – – – – –
2. Email use .505** 1 – – – – –
3. Internet use .511** .444** 1 – – – –
4. Social networking site use .489** .528** .529** 1 – – –
5. Mobile computing .443** .566** .533** .527** 1 – –
6. Information handling .504** .530** .529** .578** .614** 1 –
7. Incident reporting .542** .543** .500** .515** .541** .541** 1
Table 9 – Correlations for behaviour.
Focus area 1 2 3 4 5 6 7
1. Password management 1 – – – – – –
2. Email use .550** 1 – – – – –
3. Internet use .602** .602** 1 – – – –
4. Social networking site use .556** .533** .664** 1 – – –
5. Mobile computing .612** .560** .638** .581** 1 – –
6. Information handling .648** .658** .680** .628** .695** 1 –
7. Incident reporting .594** .610** .579** .516** .580** .643** 1
**p < .001.
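The reliability checks reported above (Cronbach’s alpha for each construct, and the pilot-study screen in Section 2 that re-examined items with three or fewer inter-item correlations at 0.3 or above) can be reproduced on raw item scores as follows. This is an added worked example, not code from the authors or from the HAIS-Q project: the six items and five respondents are constructed so the arithmetic can be checked by hand, the function names are mine, and the pilot-study rule is parameterised as `min_strong=4`. It also reports alpha with each item deleted, which the paper does not, since that is the usual companion check when deciding which flagged items to reword.

```python
"""Reliability checks of the kind applied to each HAIS-Q construct:
Cronbach's alpha, alpha-if-item-deleted, and the pilot-study screen that flags
items with three or fewer inter-item correlations at or above 0.3.
Added example in pure Python; the item scores below are constructed."""
from math import sqrt
from typing import List, Sequence


def mean(xs: Sequence[float]) -> float:
    return sum(xs) / len(xs)


def sample_variance(xs: Sequence[float]) -> float:
    """Unbiased (n - 1) sample variance of one score vector."""
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson product-moment correlation; 0.0 if either vector is constant."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sqrt(sxx * syy)


def cronbach_alpha(items: Sequence[Sequence[float]]) -> float:
    """alpha = k/(k-1) * (1 - sum of item variances / variance of total score).

    `items` holds k score vectors (one per questionnaire item); position i in
    every vector belongs to the same respondent.
    """
    k = len(items)
    n = len(items[0])
    item_var = sum(sample_variance(it) for it in items)
    totals = [sum(it[i] for it in items) for i in range(n)]
    return (k / (k - 1)) * (1 - item_var / sample_variance(totals))


def alpha_if_deleted(items: Sequence[Sequence[float]]) -> List[float]:
    """Alpha of the construct with each item in turn removed; an item whose
    removal raises alpha is pulling the scale's consistency down."""
    items = list(items)
    return [cronbach_alpha(items[:i] + items[i + 1:]) for i in range(len(items))]


def weak_items(items: Sequence[Sequence[float]], threshold: float = 0.3,
               min_strong: int = 4) -> List[int]:
    """Indices of items that correlate at >= threshold with fewer than
    min_strong other items in the construct (the pilot-study rule re-examined
    items with three or fewer such correlations)."""
    flagged = []
    for i, item in enumerate(items):
        strong = sum(1 for j, other in enumerate(items)
                     if j != i and pearson(item, other) >= threshold)
        if strong < min_strong:
            flagged.append(i)
    return flagged


# Constructed 5-point Likert scores for six items of one construct, five
# respondents each. Items 0-4 move together; item 5 (Q6) is deliberately
# out of step with the rest of the scale.
SAMPLE_LABELS = ["Q1", "Q2", "Q3", "Q4", "Q5", "Q6"]
SAMPLE_ITEMS = [
    [1, 2, 3, 4, 5],
    [2, 1, 3, 5, 4],
    [1, 2, 4, 5, 3],
    [2, 1, 4, 5, 3],
    [1, 2, 3, 5, 4],
    [5, 1, 4, 2, 3],
]

if __name__ == "__main__":
    print(f"alpha = {cronbach_alpha(SAMPLE_ITEMS):.3f}")
    for label, a in zip(SAMPLE_LABELS, alpha_if_deleted(SAMPLE_ITEMS)):
        print(f"alpha without {label}: {a:.3f}")
    flagged = [SAMPLE_LABELS[i] for i in weak_items(SAMPLE_ITEMS)]
    print("items to re-examine:", flagged)
```

On the constructed data alpha is about .850 for the full six items and rises to about .958 when Q6 is dropped, and Q6 is the only item the screen flags; that is the situation in which the pilot phase reworded items rather than simply deleting them, since a flagged item may be measuring the right thing in confusing words.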
Fig. 3 – Findings in support of the KAB component of the HAIS Model (**p < .01).
The model under evaluation has two endogenous variables (viz., attitude and behaviour) and one exogenous variable (viz., knowledge). Hence, two multiple regressions were conducted. The first regression tested whether knowledge of policy and procedure predicted attitude towards policy and procedures, and produced an R squared of .659, which was statistically significant (F(1,498) = 960.77, p < .001). This means that a respondent’s knowledge of policy and procedures predicted approximately 66% of the variance in their attitude. The second regression tested whether participants’ knowledge of policy and procedures and attitude towards policy and procedures predicted their self-reported behaviour. This produced an R squared of .777, which was statistically significant (F(2,497) = 863.44, p < .001). Both knowledge (β = .185, t = 5.097, p < .001) and attitude (β = .724, t = 19.96, p < .001) were positively related to behaviour. These results indicate that approximately 78% of the variance in self-reported behaviour was accounted for by knowledge of policy and procedure and attitude towards policy and procedure. These findings, which provide support for our model, are depicted in Fig. 3.
This provides support for the hypotheses that better knowledge of policy and procedures is associated with better attitude towards policy and procedure, and better knowledge and attitude towards policy and procedure are both associated with self-reported behaviour that is more risk averse. However, we acknowledge that the support for our proposed model does not discount the existence of other, competing models (MacCallum et al., 1993). For instance, it is conceivable that behaviour when using a work computer could, in fact, influence an employee’s attitude towards policy and procedure. This is because most information security vulnerabilities are low-probability, high-consequence threats, and evidence suggests that people tend to repeat behaviours that are rewarded (Slovic et al., 1978; Thorndike, 1913). For example, if a computer user violates policy and accesses sensitive information from an unfamiliar wireless network, the consequences if this information is intercepted may be high, but the probability of interception is very low, and hence, each experience of using an unfamiliar wireless network without any negative consequences will reinforce or reward that insecure behaviour, and may change an individual’s attitude towards that policy. Similarly, there may be cases where employees know an information security policy and may believe that it is unnecessary or excessive, but they may still do the right thing, even when their attitude towards the instruction is poor. This may be due to other mediating factors, such as the desire to keep one’s job. These alternate models may describe the relationship between knowledge, attitude and behaviour in rare cases, and will be examined in future research. However, on balance, our model as depicted in Fig. 3 best describes the majority of computer users, and hence, has the best potential to explore further.
4. Limitations and future directions
This study provides preliminary evidence of a positive relationship between employees’ knowledge of policy and procedures, their attitude towards policy and procedures, and their self-reported behaviour when using a work computer. However, there are limitations, which will be addressed in future studies.
4.1. The use of self-report
Many of the potential criticisms are associated with the fact
that the HAIS-Q is a self-report measure and the validity of
self-reports has been criticised (e.g., Spector, 1992; Frese and
Zapf, 1988). This criticism is centred largely on self-reported
behaviour, and there is little criticism of self-report to
measure knowledge or employees’ feelings about and per-
ceptions of their work environment (Spector, 1994). Hence,
this suggests the knowledge and attitude components of the
HAIS-Q are uncontroversial. Although there are good rea-
sons to be cautious of self-reported behaviour, Workman’s
(2007) study of social engineering found a correlation of
.89 between self-reported behaviour and objective measures
of behaviour (measured via the propensity to respond to a
phishing email). This means that approximately 80% of the
variance in behaviour could be explained by self-report, and
hence, the value of self-reported behaviour should not be
discounted.
Furthermore, when assessing the limitations of self-report,
it is important to consider that there are many issues associ-
ated with objective assessments of security behaviour. For
example, any measure of actual incidents is inadequate,
because penetrations into a system are not always detected,
and of those that are detected, many go unreported to protect
the reputation of the organisation involved (Kabay, 2002). In
addition, as explained in Section 3, information security vul-
nerabilities are low-probability, high consequence threats.
This means that poor information security behaviour rarely
results in an information security breach. Hence, given the
impracticality of obtaining an unbiased objective measure of
information security behaviour, self-reported behaviour is a
valid alternative.
The nature of our data collection should also allay the
criticisms of self-report. According to Donaldson and Grant-
Vallone (2002), there are four general factors that influence
whether a respondent will be influenced by self-report biases.
In the context of the HAIS-Q, this theory suggests that re-
spondents will have a motivation to bias their responses if
they:
1) Are violating information security policy (True State of
Affairs),
2) Are reporting on a highly sensitive construct (Sensitivity of
Construct),
3) Are predisposed to give socially desirable responses
(Dispositional Characteristics), and
4) Believe responding truthfully could lead to punishment
(Situational Characteristics)
Our data was collected online through a third party organisation (i.e., Qualtrics). The survey respondents were not asked to provide their name or the name of their employer, and were given additional assurances of confidentiality and anonymity. This should remove any situational characteristics that would lead people to give socially desirable answers, and should therefore reduce bias (Donaldson and Grant-Vallone, 2002).
Furthermore, Spector (1994) argued that self-report studies
should not be dismissed as being an inferior methodology,
and instead, they can provide valuable data as an initial test of
hypotheses. At this stage, the HAIS-Q is still being tested,
refined and developed, and the self-report method is appro-
priate for this. In future work, the HAIS-Q will be further
validated with alternate measures of information security
awareness, including interviews, focus groups and co-worker
reports.
4.2. The use of Internet data collection
The results of this study may be limited by its use of Internet
based data collection. Literature suggests there are potential
problems associated with Internet data collection (Weigold
et al., 2013; Reips, 2002). For example, Meade and Craig
(2012) explained that the lack of a controlled setting could
result in environmental distraction and divided attention. The
large standard deviation (of over 97 min) in the time taken to
complete the HAIS-Q suggests that a minority of participants
may have been alternating survey completion with other
work. Furthermore, Johnson (2005) argued that the lack of
personalisation and social interaction with the researcher
may result in less accountability and more undesirable
response patterns. However, since aspects of the HAIS-Q are
potentially sensitive (e.g., participants are asked to report on
behaviours that would constitute policy violation), this
increased anonymity may increase the likelihood of authentic
responses (Reips, 2002). The Internet data collection also al-
lows access to samples with a wider distribution of de-
mographic characteristics than would be possible from a local
sample (Reips, 2002). Finally, Weigold et al. (2013) compared
self-report survey-based paper-and-pencil and Internet data
collection methods and concluded that the methods are
generally equivalent.
4.3. Future studies
Future studies will examine the individual, organisational and
interventional factors, and determine whether these factors
have a statistically significant effect on the behaviour of em-
ployees and therefore on the security of an organisation’s
information systems. Future studies will also further develop
the HAIS-Q in line with the validation guidelines outlined by
Straub et al. (2004). For example, alternate measures of
knowledge, attitude and behaviour will allow us to assess the
construct validity of the HAIS-Q.
The questionnaire will also be implemented on employees
within known organisations, which will allow us to assess the
actual policies and procedures and methods of training within
the organisation and how these influence the responses pro-
vided by employees. This will allow us to further test the
conclusion of this paper, that generic training courses that
only outline requirements will be less effective than con-
textualised training aimed at improving both knowledge and
understanding of policy and procedures.
5. Discussion and conclusions
The purpose of this study was to outline the development and
initial reliability and validity testing of our HAIS-Q and to
establish whether there is a positive relationship between
respondents’ knowledge of policy and procedures, attitude
towards policy and procedures and their self-reported
behaviour when using a work computer. The data presented
in this study support this hypothesis, and provide support for
our model and questionnaire.
The results shown in Fig. 3 indicate that participants’ knowledge of policy and procedure and attitude towards policy and procedure explain a significant amount of the variance in participants’ self-reported behaviour. Interestingly, however, the Beta (β) values reported in Fig. 3 indicate that an employee’s knowledge of policy and procedures had a far stronger influence on attitude towards policy and procedure (β = .812) than self-reported behaviour (β = .185). This suggests the effect of knowledge on behaviour is mediated by attitude towards policy and procedure.
This has implications for training and education cam-
paigns, as it suggests that employers can be relatively confi-
dent that improving their employees’ knowledge of policy and
procedures will have a positive impact on both attitude to-
wards those policies and procedures and employee behaviour.
However, our results also indicate that generic courses that do not attempt to influence attitude and instead simply lecture on knowledge of policy and procedure will be far less effective. Instead, training should be contextualised and should use case studies to improve both knowledge of what is expected and also understanding of why this is important (Brooke, 2006; Parsons et al., 2010).
References
Anderson R, Barton C, Bohme R, Clayton R, van Eeten MJG, Levi M, et al. Measuring the cost of cybercrime. In: 11th annual workshop on the economics of information security, June, Berlin, Germany 2012.
Arachchilage NAG, Love S. A game design framework for avoiding phishing attacks. Comput Hum Behav 2013;29(3):706–14.
Australian Bureau of Statistics. Australian labour market statistics, July 2013; 2013. Canberra, Australia. (6105.0).
Baranowski T, Cullen KW, Nicklas T, Thompson D, Baranowski J. Are current health behavioral change models helpful in guiding prevention of weight gain efforts? Obes Res 2003;11:23S–43S.
Bettinghaus EP. Health promotion and the knowledge-attitude-behavior continuum. Prev Med 1986;15(5):475–91.
Brooke SL. Using the case method to teach online classes: promoting Socratic dialogue and critical thinking skills. Int J Teach Learn High Educ 2006;18(2):142–9.
Bulgurcu B. The antecedents of information security policy compliance (MSc thesis). Canada: The University of British Columbia; 2008.
Collins D. Pretesting survey instruments: an overview of cognitive methods. Qual Life Res 2003;12(3):229–38.
Cronbach LJ. Coefficient alpha and the internal structure of tests. Psychometrika 1951;16(3):297–334.
Da Veiga A, Eloff JHP. A framework and assessment instrument for information security culture. Comput Secur 2010;29:196–207.
Davis FD. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quart 1989;13(3):319–40.
Deloitte. Raising the bar: 2011 TMT global security study – key findings; 2011. Report published by Deloitte, 24 pp.
DeMaio TJ, Rothgeb JM. Cognitive interviewing techniques: in the lab and in the field. In: Schwartz N, Sudman S, editors. Answering questions: methodology for determining cognitive and communicative processes in survey research. San Francisco: Jossey-Bass; 1996. pp. 177–95.
Donaldson SI, Grant-Vallone EJ. Understanding self-report bias in organizational behavior research. J Bus Psychol 2002;17(2):245–60.
Draugalis JR, Coons SJ, Plaza CM. Best practices for survey research reports: a synopsis for authors and reviewers. Am J Pharm Educ 2008;72(1). Article 11.
Ernst & Young. Into the cloud, out of the fog: Ernst & Young’s 2011 global information security survey; 2011. Report published by Ernst & Young.
Fan J, Zhang P. Study on e-government information misuse based on General Deterrence Theory. In: 8th international conference on service systems and service management (ICSSSM), June, Tianjin 2011. pp. 1–6.
Fowler FJ. Improving survey questions: design and evaluation. In: Applied social research methods series, vol. 38. Thousand Oaks, CA: Sage Publications, Incorporated; 1995.
Frese M, Zapf D. Methodological issues in the study of work stress: objective vs subjective measurement of work stress and the question of longitudinal studies. In: Cooper CL, Payne R, editors. Causes, coping and consequences of stress at work. West Sussex, England: John Wiley; 1988. pp. 375–410.
Furnell S, Jusoh A, Katsabas D. The challenges of understanding and using security: a survey of end-users. Comput Secur 2006;25(1):27–35.
Gosling SD, Rentfrow PJ, Swann WB. A very brief measure of the Big-Five personality domains. J Res Personality 2003;37(6):504–28.
Guillot A, Kennedy S. Information security surveys: a review of the methodologies, the critics and a pragmatic approach to their purposes and usage. In: 5th Australian information security management conference, December, Perth, Australia 2007.
Herath T, Rao HR. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis Support Syst 2009;47(2):154–65.
Huang HM, Liaw SS. Exploring users’ attitudes and intentions toward the web as a survey tool. Comput Hum Behav 2005;21(5):729–43.
Johnson JA. Ascertaining the validity of individual protocols from Web-based personality inventories. J Res Personality 2005;39(1):103–29.
Kabay ME. Studies and surveys of computer crime. In: Bosworth S, Kabay ME, editors. Computer security handbook. 4th ed. New York, NY: John Wiley & Sons, Inc; 2002.
Karjalainen M. Improving employees’ information systems (IS) security behaviour: toward a meta-theory of IS security training and a new framework for understanding employees’ IS security behaviour. PhD. Oulu: The University of Oulu; 2011 (A 579).
Khan B, Alghathbar KS, Nabi SI, Khan MK. Effectiveness of information security awareness methods based on psychological theories. Afr J Bus Manag 2011;5(26):10862–8.
Kollmuss A, Agyeman J. Mind the gap: why do people act environmentally and what are the barriers to pro-environmental behavior? Environ Educ Res 2002;8(3):239–60.
Kruger H, Kearney W. A prototype for assessing information security awareness. Comput Secur 2006;25(4):289–96.
Liginlal D, Sim I, Khansa L. How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Comput Secur 2009;28:215–28.
Lleras C. Path analysis. Encycl Soc Meas 2005;3:25–30.
MacCallum RC, Wegener DT, Uchino BN, Fabrigar LR. The problem of equivalent models in applications of covariance structure analysis. Psychol Bull 1993;114(1):185–99.
Mathieson K. Predicting user intentions: comparing the technology acceptance model with the theory of planned behaviour. Inf Syst Res 1991;2(3):173–91.
Mathieu JE. A causal model of organizational commitment in a military training environment. J Vocat Behav 1988;32(3):321–35.
McGuire WJ, editor. The nature of attitudes and attitude change, vol. 3. Reading, Mass: Addison-Wesley; 1969.
Meade AW, Craig SB. Identifying careless responses in survey data. Psychol Meth 2012;17(3):437–55.
Mylonas A, Gritzalis D, Tsoumas B, Apostolopoulos T. A qualitative metrics vector for the awareness of smartphone security users. In: Proceedings of the 10th international conference on trust, privacy, and security in digital business. Springer; 2013a. pp. 173–84 (LNCS-8058).
Mylonas A, Kastania A, Gritzalis D. Delegate the smartphone user? Security awareness in smartphone platforms. Comput Secur 2013b;34:47–66.
Ng B-Y, Kankanhalli A, Xu Y. Studying users’ computer security behavior: a health belief perspective. Decis Support Syst 2009;46:815–25.
Nichols DS, Greene RL, Schmolck P. Criteria for assessing inconsistent patterns of item endorsement on the MMPI: rationale, development and empirical trials. J Clin Psychol 1989;45:239–50.
Parsons K, McCormac A, Butavicius M, Ferguson L. Human factors and information security: individual, culture and security environment; 2010. Report published by Defence Science and Technology Organisation, DSTO-TR-2484, 45 pp.
Parsons K, McCormac A, Pattinson M, Butavicius M, Jerram C. A study of information security awareness in Australian government organisations. Inf Manag Comput Secur 2014. in press.
Parsons K, McCormac A, Pattinson M, Butavicius M, Jerram C. An analysis of information security vulnerabilities at three Australian government organisations. In: Proceedings of the European information security multi-conference (EISMC 2013), Lisbon, Portugal. UK: Plymouth University; 2013.
Pattinson MR, Anderson G. How well are information risks being communicated to your computer end-users? Inf Manag Comput Secur 2007;15(5):362–71.
PricewaterhouseCoopers. Changing the game – key findings from the global state of information security survey 2013; 2013. Report published by PricewaterhouseCoopers.
Reips U. Standards for Internet-based experimenting. Exp Psychol 2002;49(4):243–56.
Schultz E. The human factor in security. Comput Secur 2005;24(6):425–6.
Siponen M, Pahnila S, Mahmood MA. Compliance with information security policies: an empirical investigation. Computer 2010;43(2):64–71.
Slovic P, Fischhoff B, Lichtenstein S. Accident probabilities and seat belt usage: a psychological perspective. Accid Anal Prev 1978;10(4):281–5.
Spector PE. A consideration of the validity and meaning of self-report measures of job conditions. In: Cooper CL, Robertson IT, editors. International review of industrial and organizational psychology: 1992. West Sussex, England: John Wiley; 1992. pp. 123–51.
Spector PE. Using self-report questionnaires in OB research: a comment on the use of a controversial method. J Organ Behav 1994;15(5):385–92.
Stanton JM, Stam KR, Mastrangelo P, Jolton J. Analysis of end user security behaviors. Comput Secur 2005;24(2):124–33.
Straub D, Boudreau M, Gefen D. Validation guidelines for IS positivist research. Commun Assoc Inf Syst 2004;13:380–427.
Thorndike EL. The psychology of learning. New York: Teachers College; 1913.
van der Linden S. Understanding and achieving behavioural change: towards a new model for communicating information about climate change. In: International workshop on psychological and behavioural approaches to understanding and governing sustainable Tourism Mobility, Freiburg, Germany 2012.
Vance A. Why do employees violate IS security policies? Insights from multiple theoretical perspectives. PhD. Oulu: The University of Oulu; 2010 (A 563).
Vroom C, von Solms R. Towards information security behavioural compliance. Comput Secur 2004;23(3):191–8.
Walsh C. CSI/FBI Survey considered harmful. Retrieved November, 2012, from http://www.emergentchaos.com/archives/2006/07/csifbi_survey_considered.html; 2006.
Weigold A, Weigold IK, Russell EJ. Examination of the equivalence of self-report survey-based paper-and-pencil and Internet data collection methods. Psychol Meth 2013;18(1):53–70.
Willis GB. Cognitive interviewing: a tool for improving questionnaire design. Thousand Oaks, CA: Sage; 2004.
Wood CC, Banks WW. Human error: an overlooked but significant information security problem. Comput Secur 1993;12:51–60.
Workman M. Gaining access with social engineering: an empirical study of the threat. Inf Syst Secur J 2007;16:315–31.
Kathryn Parsons is a research scientist with the Human and Social Modelling and Analysis Discipline in National Security & Intelligence, Surveillance & Reconnaissance Division (NSID) of the Defence Science and Technology Organisation (DSTO), where her research involves applying psychological principles to human factors and organisational problems in areas such as information security, intelligence analysis and national security. She completed a Master of Psychology (Organisational and Human Factors) at the University of Adelaide in 2005. She is an organisational psychologist and Adjunct Lecturer within the School of Psychology at the University of Adelaide.
Agata McCormac joined DSTO in 2006. She is a research scientist with the Human and Social Modelling and Analysis Discipline in NSID where her work focuses on applying cognitive and perceptual psychology principles to solve organisational problems. She was awarded a Master of Psychology (Organisational and Human Factors) at the University of Adelaide in 2005. She is registered as an organisational psychologist with the Psychology Board of Australia and holds an Adjunct Lecturer position within the School of Psychology at the University of Adelaide.
Dr. Marcus Butavicius is a senior research scientist with the Human and Social Modelling and Analysis Discipline in NSID. He joined DSTO in 2001 where he investigated the role of simulation in training, theories of human reasoning and the analysis of biometric technologies. In 2002, he completed a PhD in Psychology at the University of Adelaide on mechanisms of visual object recognition. In 2003 he joined the Intelligence, Surveillance and Reconnaissance Division where his work focused on data visualisation, decision-making, information security and interface design. He is also a Visiting Research Fellow in the Psychology Department at the University of Adelaide.
Dr. Malcolm Pattinson is a Research Fellow in the Business School of The University of Adelaide and an Information Security Consultant. He has been lecturing and researching in the area of information security for more than 20 years. His current research focuses on the human aspects of information security and he is widely published in this area. He has been an active member of the Adelaide Chapter of ISACA for more than 15 years and has the certifications CISA, CISM and CGEIT. He is also a Member IFIP TC-11 Working Group 11.12, Human Aspects of Information Security & Assurance (HAISA).
Dr. Cate Jerram is an academic with the University of Adelaide Business School. She is the Lecturer-in-Charge of the Qualitative Methods course for Higher Degree Research students and the primary educator in NVivo10 training for the University of Adelaide Graduate Centre. Cate has Higher Research Degrees in Business Information Systems, Knowledge Management and Organisational Change, and Adult (and Tertiary) Education, and has published in all these disciplines.