Date post: 23-Dec-2016
Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)

Kathryn Parsons a,*, Agata McCormac a, Marcus Butavicius a, Malcolm Pattinson b, Cate Jerram b

a Defence Science and Technology Organisation (DSTO), 203L, PO Box 1500, Edinburgh, SA 5111, Australia
b Business School, University of Adelaide, Adelaide, SA 5005, Australia

Article history: Received 18 November 2013; Received in revised form 17 December 2013; Accepted 23 December 2013

Keywords: Information security; Security behaviours; Questionnaire design; Cyber security; Hybrid research

Abstract

It is increasingly acknowledged that many threats to an organisation’s computer systems can be attributed to the behaviour of computer users. To quantify these human-based information security vulnerabilities, we are developing the Human Aspects of Information Security Questionnaire (HAIS-Q). The aim of this paper was twofold. The first aim was to outline the conceptual development of the HAIS-Q, including validity and reliability testing. The second aim was to examine the relationship between knowledge of policy and procedures, attitude towards policy and procedures and behaviour when using a work computer. Results from 500 Australian employees indicate that knowledge of policy and procedures had a stronger influence on attitude towards policy and procedure than self-reported behaviour. This finding suggests that training and education will be more effective if it outlines not only what is expected (knowledge) but also provides an understanding of why this is important (attitude). Plans for future research to further develop and test the HAIS-Q are outlined.

Crown Copyright © 2014 Published by Elsevier Ltd. All rights reserved.

* Corresponding author. Tel.: +61 8 7389 9753; fax: +61 8 7389 6328. E-mail addresses: [email protected] (K. Parsons), [email protected] (A. McCormac), marcus. [email protected] (M. Butavicius), [email protected] (M. Pattinson), [email protected] (C. Jerram).

Computers & Security xxx (2014) 1-12. Available online at www.sciencedirect.com (ScienceDirect); journal homepage: www.elsevier.com/locate/cose. Please cite this article in press as: Parsons K, et al., Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q), Computers & Security (2014), http://dx.doi.org/10.1016/j.cose.2013.12.003. 0167-4048/$ - see front matter Crown Copyright © 2014 Published by Elsevier Ltd. All rights reserved.

1. Introduction

Many of the threats to an organisation’s computer systems can be attributed to the behaviour of computer users. Hence, information security threats cannot be prevented, avoided, detected or eliminated by solely focusing on technological solutions (Furnell et al., 2006; Herath and Rao, 2009; Vroom & von Solms, 2004). Human behaviours that may put an organisation at risk include inadvertently or deliberately divulging passwords to others, falling victim to phishing emails by clicking on embedded web site links, or inserting non-familiar media into work or home computers.

To assess the extent to which an organisation’s information systems are vulnerable to threats caused by risk-taking behaviour of employees, our goal is to produce an empirically validated instrument, known as the Human Aspects of Information Security Questionnaire (HAIS-Q). This tool could be used to measure employee knowledge, attitude and behaviour to provide management with a benchmark, which could then be used to evaluate the effectiveness of different information technology (IT) control strategies, or to track the long-term security health of an organisation. The aim of this paper is to outline the development of our HAIS-Q and to examine the relationships between knowledge of policy and procedures, attitude towards policy and procedures and behaviour when using a work computer.

1.1. Previous information security surveys

A comprehensive review of previous information security surveys has highlighted a gap in research. Although a number of organisations (see, for example, Deloitte, 2011; Ernst and Young, 2011; PricewaterhouseCoopers, 2013) conduct yearly information security surveys, these surveys traditionally collect information about security breaches and their impact and do not seek to establish what users think, know or do about information security issues. These surveys have also been criticised for flaws in their methodologies, the design of their questions, and their statistical reporting (Guillot and Kennedy, 2007; Walsh, 2006). For example, Anderson et al. (2012) suggest that these studies may suffer from response effects and sampling bias, which could result in an under-reporting of security issues. Furthermore, these surveys are often sponsored by vendors with an interest in providing specific solutions. This could cause conflicting motives, which could result in an over-reporting of certain security issues (Anderson et al., 2012). Additionally, these surveys are usually conducted solely with information security professionals, and although this reveals important information regarding the technologies and other safeguards in place within an organisation, this does not necessarily represent the views or experiences of the majority of computer users (Herath and Rao, 2009).

Many of the existing academic surveys of computer users have examined only one component of information security awareness. For example, Stanton et al. (2005) ran a survey on password-related behaviours, Mylonas et al. (2013) and Mylonas et al. (2013) examined mobile computing, and Furnell et al. (2006) assessed users’ understanding of security features within specific applications. Other academic surveys (e.g., Siponen et al., 2010; Herath and Rao, 2009) have examined potentially influencing variables, such as normative beliefs or intention to comply with policy. However, none of these surveys attempt to determine the overall information security awareness of employees.

There is also a growing body of literature that attempts to apply existing behavioural models to the area of information security. This includes models such as the Theory of Planned Behaviour (Bulgurcu, 2008), the Health Belief Model (Ng et al., 2009), the Protection Motivation Theory (Vance, 2010), the General Deterrence Theory (Fan and Zhang, 2011) and the Knowledge-Attitude-Behaviour (KAB) model (Kruger and Kearney, 2006), originally developed in fields including health, criminology and environmental psychology. According to Karjalainen (2011), many of these previous studies of information security behaviour are focused solely on theory-verification or validation, and therefore may present a biased viewpoint of the area of interest. In other words, because these studies only assess the variables in the theory under investigation, other potentially important variables are not considered. This is particularly important in the area of information security because, as highlighted by Vroom and von Solms (2004), employee behaviour is likely to be influenced by many factors, including personality, the organisation and its culture.

Furthermore, there are many important differences between the field of information security and fields such as health, criminology or environmental psychology. These latter fields differ widely in regards to the ease of access and comprehension of information, the consequences for action or inaction, and the necessity to make decisions based on unclear or contradictory information. For example, topics like climate change and the health benefits or consequences of certain foods have been widely debated, which means people are faced with conflicting information, and the scientific legitimacy of this information is not always clear. In contrast, providing far less ambiguity, most organisations have an information security policy, either written or informal, which indicates what is expected from employees.

Although theories such as the Technology Acceptance Model (TAM) have been shown to predict intention to use security technologies (Davis, 1989; Mathieson, 1991) within an organisational setting, this finding may not capture the complexity of the problem. Essentially, much of the previous research has not adequately considered the unique nature of information security behaviour within an organisation. Employees work within a supported environment, where there are often multiple levels of protection and colleagues to provide assistance. The organisational setting is also generally supervisory, with potential monitoring of behaviour, and often demonstrable culpability. In most cases, there are also information technology (IT) personnel, who ensure that anti-virus software is installed and appropriately updated, firewalls are adequately implemented, and information is regularly backed-up. It is not necessary for most employees to have a comprehensive understanding of how these technologies work. Employee behaviours that are more likely to result in information security breaches, such as not choosing a strong password and opening suspicious email attachments, are not necessarily associated with the adoption of a specific technology (Ng et al., 2009).

1.2. Conceptual development of the HAIS-Q

In Parsons et al. (2013), we reported on the results of an information security study with three Australian government organisations. This was the first stage of our development of the HAIS-Q. Rather than focusing solely on theory-verification, we used a hybrid methodology, incorporating the inductive, exploratory approach recommended by Karjalainen (2011). We use the term ‘hybrid’ to denote a blend of qualitative and quantitative methods for gathering and analysing data.

Interviews were conducted with senior management of each organisation (qualitative data). The interviews revealed that management were most concerned about human error, as they felt security breaches were more likely to be caused by unawareness and naivety rather than maliciousness (Parsons et al., in press). Since research confirms that human errors are the most frequent cause of information security breaches (Linginlal et al., 2009; Schultz, 2005; Wood and Banks, 1993), we aimed to investigate these behaviours. We developed an exploratory (predominately quantitative) information security survey, to further investigate information security issues, and this initial survey was then completed by 203 employees from the three government organisations.

This iterative process eventually yielded the hypothesis that as computer users’ level of knowledge of information security policy and procedures is raised, their attitude towards information security policy and procedures improves, which should translate into more risk-averse information security behaviour. This process of change is sometimes referred to as the KAB model (Baranowski et al., 2003; Khan et al., 2011; Kruger and Kearney, 2006), and a refined and specific version of this model is one component of the HAIS-Q.

There is disagreement in the literature regarding the usefulness or validity of the KAB model. For example, van der Linden (2012) examined previous research in the area of climate change and claimed there is “ample evidence” (p. 13) in support of a significant relationship between environmental knowledge and attitudes and behaviours. Bettinghaus (1986) examined the model’s relevance to health promotion, and concluded that there is a positive but small relationship between knowledge, attitude and behaviour. However, Kollmuss and Agyeman (2002) criticised the model for being too rationalist, and Baranowski et al. (2003) examined its relevance in the health field, and concluded that “scientific support for the knowledge component of KAB models is weak” (p. 26S).

However, according to McGuire (1969), the problem with the KAB model is not the theoretical model itself, but rather, the way the model is applied. In many cases, the concept of knowledge is not clearly specified (Baranowski et al., 2003). For example, in regards to diet, knowledge could be assessed in respect to the health outcomes of certain foods, how to find nutritional information or how to best prepare food. Individual responses in many of these areas would be strongly influenced by additional factors, such as self-efficacy (e.g., the ability to cook) (Baranowski et al., 2003). Essentially, the variables of interest must be specified clearly and related to the other variables associated with the overall process of behavioural change for use of the KAB model to be evaluated with integrity.

Table 1 - Examples of computer user behaviour (adapted from Pattinson and Anderson, 2007; Parsons et al., in press).

Focus area | Good behaviours (Deliberate) | Neutral behaviours (Accidental) | Bad behaviours (Deliberate)
Password management | Always logging off when computer unattended | Sharing user names and passwords | Hacking into other people’s accounts
Email use | Refusing email attachments from unknown sources | Opening unsolicited email attachments | Creating and sending SPAM email
Internet use | Using only authorised software | Accessing dubious websites | Downloading video content to a work computer via peer-to-peer file sharing
Social networking site (SNS) use | Not accessing social networking websites during work time | Not considering the negative consequences before posting on a SNS | Posting sensitive information about the workplace on social networking sites
Incident reporting | Being vigilant in recognising and approaching unauthorised personnel | Not reporting security incidents | Giving unauthorised personnel access to authorised precincts
Mobile computing | Sending work emails using only secure networks | Leaving a work laptop unattended | Configuring a wireless gateway that gives unauthorised access to the company’s network
Information handling | Shredding or destroying sensitive documents that need to be disposed | Leaving DVDs or documents that contain sensitive information on a work desk overnight | Writing and disseminating malicious code

1.3. The HAIS model and questionnaire

Our model abides by McGuire’s (1969) recommendation; knowledge was conceptualised first, and specifically, as ‘knowledge of policy and procedures’. Within that refined context, we reviewed several information security policies and used the findings of our senior management interviews and initial information security survey to develop specific focus areas. These were designed to represent the areas of an information security policy that are relevant to employers and computer users and most prone to non-compliance.

From this process, we identified seven focus areas; these are internet use, email use, social networking site use, password management (including locking workstations), incident reporting, information handling and mobile computing. As mentioned in Section 1.2, our senior management interviews indicate that human errors are frequently responsible for information security breaches, and this is supported by the literature (Linginlal et al., 2009; Schultz, 2005; Wood and Banks, 1993). Hence, our questionnaire is primarily focused on the behaviours shown in Table 1 as ‘Neutral Behaviours (Accidental)’, which are associated with human errors. These behaviours are not intended to harm the organisation or its resources, and are instead associated with naivety or unawareness. These types of behaviours are referred to by Stanton et al. (2005) as naïve mistakes. Their taxonomy, depicted in Table 2, also highlights the relevance of expertise; the types of behaviours that are the main focus of our questionnaire are those that require low expertise.

For each of our seven focus areas, we developed three representative areas, which can be seen in Table 3. As with the focus areas, these sub-areas were developed based on a review of several information security policies and our interviews with senior management to specifically represent common human errors. For each of these representative areas, we developed one specific knowledge statement, one specific attitude statement and one specific behaviour statement. For example, the following statements measure the sub-area consequences of social networking sites (within the social networking site use focus area):

• Knowledge: “I can’t be fired for something I have posted on a social networking web site.”
• Attitude: “It is a bad idea to post things on social networking web sites about my work that I wouldn’t say in a public place.”
• Behaviour: “I would consider the negative consequences to my job before I post anything on social networking web sites.”

Table 3 - Focus areas with representative areas.

Focus area | Sub-areas
Password management | Locking workstations; Password sharing; Choosing a good password
Email use | Forwarding emails; Opening attachments; IT department level of responsibility
Internet use | Installing unauthorised software; Accessing dubious websites; Inappropriate use of internet
Social networking site (SNS) use | Amount of work time spent on SNS; Consequences of SNS; Posting about work on SNS
Incident reporting | Reporting suspicious individuals; Reporting bad behaviour by colleagues; Reporting all security incidents
Mobile computing | Physically securing personal electronic devices; Sending sensitive information via mobile networks; Checking work email via free network
Information handling | Disposing of sensitive documents; Inserting DVDs/USB devices; Leaving sensitive material unsecured

Table 2 - Two factor taxonomy of security behaviours (adapted from Stanton et al. (2005)). a

Expertise | Intentions | Title | Description
High | Malicious | Intentional destruction | Behaviour requires technical expertise together with a strong intention to do harm to the organisation’s IT and resources.
Low | Malicious | Detrimental misuse | Behaviour requires minimal technical expertise but nonetheless includes intention to do harm through annoyance, harassment, rule breaking, etc.
High | Neutral | Dangerous tinkering | Behaviour requires technical expertise but no clear intention to do harm to the organisation’s IT and resources.
Low | Neutral | Naïve mistakes | Behaviour requires minimal technical expertise and no clear intention to do harm to the organisation’s information technology and resources.
High | Beneficial | Aware assurance | Behaviour requires technical expertise together with a strong intention to do good by preserving and protecting the organisation’s information technology and resources.
Low | Beneficial | Basic hygiene | Behaviour requires no technical expertise but includes clear intention to preserve and protect the organisation’s IT and resources.

a Reprinted from Computers & Security, 24, Stanton, Stam, Mastrangelo & Jolton, Analysis of end user behaviours, 124-133, 2005, with permission from Elsevier.

Three representative areas were chosen as this maintained a balance between the scientific need to obtain a specific measure of the most important areas and the practical need to limit the length of the questionnaire. This means the KAB component of the HAIS-Q consists of 63 specific statements. A five point Likert scale, rated from Strongly Agree to Strongly Disagree, was used for all of the items. These statements are more specific tests of the variables of interest than other information security surveys that tend to measure information security in a very general manner. For example, Siponen et al. (2010) tested an individual’s information security-related behaviour by asking participants to respond to the statement “I comply with information security policies” and their intention to comply with the statement “I intend to comply with information security policies”. These items do not test specific knowledge, and are potentially more prone to response bias.

It is important to highlight that the KAB statements represent only one part of an overall conceptual model that is being developed, tested and validated using a hybrid, exploratory, iterative approach. We believe the relationship between knowledge, attitude and behaviour is influenced by many individual, intervention and organisational factors as shown in Fig. 1. For example, psychological factors; training and seminars attended; and an organisation’s information security culture (Da Veiga and Eloff, 2010; Vroom & von Solms, 2004) all have the potential to impact on the knowledge, attitude and behaviour of employees. For this reason, the HAIS-Q includes specific items to measure each of the factors depicted in Fig. 1 (e.g., organisational factors are measured via organisational and security culture, subjective norms, rewards and punishments). However, the assessment of the influence of these factors on KAB and the different focus areas is part of a larger project, which is beyond the scope of the current paper. Our seven focus areas are displayed in Fig. 1 as separate, parallel models because, to date, no research has investigated whether knowledge, attitude and behaviour will be consistent across the different information security policies and procedures.

The aim of the current study is to examine the relationships between knowledge of policy and procedures, attitude towards policy and procedures and behaviour when using a work computer. We are addressing this aim through the following hypotheses:

• H1: Better knowledge of policy and procedures is associated with better attitude towards policy and procedures.
• H2: Better attitude towards policy and procedures is associated with self-reported behaviour that is more risk averse.
• H3: Better knowledge of policy and procedures is associated with self-reported behaviour that is more risk averse.

Fig. 1 - The Human Aspects of Information Security (HAIS) model.

This component of the model is shown in Fig. 2, with labels for the associated hypotheses.

2. Method

In line with our inductive, exploratory approach, the methodology of this paper is presented in three phases. The first is the pre-testing or validity phase, which was designed to ascertain the internal, content and face validity of the HAIS-Q. The second phase is a pilot study, which was conducted to further refine and examine the reliability of the HAIS-Q. These phases provided preliminary evidence of validity and reliability in the HAIS-Q, and justified implementing the main study, which is presented in phase three.

Fig. 2 - The KAB component of the HAIS Model.

2.1. Phase one - validity testing

Before commencing the main study, pre-testing techniques were utilised to further test the validity and reliability of the survey items. First, an expert in survey design was asked to complete the survey, and a respondent debriefing was conducted. In line with the technique described by DeMaio and Rothgeb (1996), this expert was asked about their understanding of terms, the clarity of directions and any other areas of potential misunderstanding. Following this, cognitive testing, which involves a combination of think-aloud and verbal probing (Draugalis et al., 2008; Fowler, 1995), was conducted with an expert in information security. This required the expert to complete the survey with researchers present and to verbalise whatever came to mind while answering (Willis, 2004). Where the researchers believed the think-aloud process had not sufficiently described how the respondent understood, mentally processed and answered survey items, probes were used to obtain additional information. The cognitive probes provided by Collins (2003) were used as a guide. Collins (2003) included general probes (e.g., “I noticed you hesitated before you answered - what were you thinking about?”) along with probes to explore comprehension (e.g., “What does the term X mean to you?”), retrieval (e.g., “How did you remember that?”), confidence judgement (e.g., “How sure of your answer are you?”), and response (e.g., “How did you feel about answering this question?”). The respondent debriefing and cognitive testing helped to identify any unclear items, which not only reduces measurement errors, therefore increasing the internal validity of the survey, but also helps to establish content and face validity.

Next, a pilot study was conducted, and the results were examined to identify any remaining problematic items and to establish the reliability of the main components of the survey.

2.2. Phase two - pilot study

One-hundred and twenty working Australians completed the pilot version of the HAIS-Q. Participants were required to read the information sheet and consent form, and were then asked to complete the HAIS-Q. The questionnaire was completed online using the Qualtrics survey platform.¹ Because the items are based on computer use and adherence to information security policy within an organisation, three exclusion criteria were applied. These were employment status (participants who responded with ‘Not employed’ were excluded), amount of work time spent using a computer or portable device (participants who responded with ‘No time at all’ were excluded) and whether their organisation has an information security policy (participants who responded with ‘No’ or ‘Unsure’ were excluded). This ensured that all respondents worked within an organisation with at least an informal policy or basic rules, and had some work use of a computer or portable device. Whilst we acknowledge that excluding participants who responded with ‘Unsure’ may rule out those with very poor security awareness, this was necessary, as the HAIS-Q measures knowledge of and attitude towards policy and procedure. For the pilot study, no participants met these three exclusion criteria.

To ascertain data quality, responses were then examined using the category of response bias known as content non-responsivity, which describes responses made without regard to the content of items (Nichols et al., 1989; Meade and Craig, 2012). This examination identified response patterns in which participants consistently chose the same answer (e.g., ‘strongly disagree’). The HAIS-Q includes a total of 63 knowledge, attitude and behaviour statements, and 10 personality statements. Of the 63 statements, 29 are positively worded and 34 are negatively worded, and each of the Big Five personality factors had a statement measuring the trait at one end of the spectrum (e.g., extraversion) and a statement measuring the opposing personality trait (e.g., introversion) (Gosling et al., 2003). This means that participants who provided the same uniform response for all statements were probably not answering with due care or attention. Responses to these statements were examined for any evidence of uniformity, and cases where participants responded in an identical manner to 53 or more of the 63 statements or all 10 of the personality statements were examined in detail. This identified seven suspicious cases. For example, one participant responded with ‘strongly agree’ to all 63 statements and all 10 personality items, which suggests they chose the same option without considering their response. It was concluded that these seven participants were not answering honestly, and they were therefore excluded.
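The pilot-study screening described above (the three exclusion criteria followed by the content non-responsivity check), as an added Python example that is not the authors' code. The record layout, the 1–5 Likert coding and the sample records are assumptions; the cut-offs (53 of 63 KAB statements, all 10 personality statements) are the paper's.

```python
"""Screening of HAIS-Q pilot responses: exclusion criteria and content
non-responsivity. Added example, not the authors' code; the field names,
the Likert coding and the sample records are assumptions."""

from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumed Likert coding: 1 = strongly disagree ... 5 = strongly agree.
N_KAB = 63                # knowledge, attitude and behaviour statements
N_PERSONALITY = 10
UNIFORM_KAB_CUTOFF = 53   # identical answers on 53 or more of the 63 statements


@dataclass
class Response:
    respondent_id: str
    employment: str          # e.g. 'Employed full-time', 'Not employed'
    computer_time: str       # e.g. 'Most of the time', 'No time at all'
    has_policy: str          # 'Yes', 'No' or 'Unsure'
    kab: List[int]           # 63 Likert answers
    personality: List[int]   # 10 Likert answers


def exclusion_reason(r: Response) -> str:
    """Return '' if the respondent is eligible, otherwise which of the three
    pilot-study exclusion criteria applies."""
    if r.employment == "Not employed":
        return "not employed"
    if r.computer_time == "No time at all":
        return "no work computer use"
    if r.has_policy in ("No", "Unsure"):
        return "no known information security policy"
    return ""


def is_content_nonresponsive(r: Response) -> bool:
    """Flag a respondent whose answers ignore item content: the same option on
    53 or more of the 63 KAB statements, or on all 10 personality statements.
    Because 34 of the KAB items are negatively worded and each Big Five trait
    is measured at both ends, an attentive respondent cannot be uniform."""
    if len(r.kab) != N_KAB or len(r.personality) != N_PERSONALITY:
        raise ValueError(f"{r.respondent_id}: incomplete record")
    most_common_kab = Counter(r.kab).most_common(1)[0][1]
    uniform_personality = len(set(r.personality)) == 1
    return most_common_kab >= UNIFORM_KAB_CUTOFF or uniform_personality


def screen(responses: List[Response]) -> Dict[str, List[str]]:
    """Partition respondent ids into 'valid', 'excluded' and 'careless'."""
    out: Dict[str, List[str]] = {"valid": [], "excluded": [], "careless": []}
    for r in responses:
        if exclusion_reason(r):
            out["excluded"].append(r.respondent_id)
        elif is_content_nonresponsive(r):
            out["careless"].append(r.respondent_id)
        else:
            out["valid"].append(r.respondent_id)
    return out


def _alternating(n: int) -> List[int]:
    """Constructed attentive pattern: agree with even items, disagree with odd."""
    return [4 if i % 2 == 0 else 2 for i in range(n)]


# Constructed sample records (not real survey data).
SAMPLE = [
    Response("p01", "Employed full-time", "Most of the time", "Yes",
             _alternating(N_KAB), _alternating(N_PERSONALITY)),
    Response("p02", "Not employed", "Some of the time", "Yes",
             _alternating(N_KAB), _alternating(N_PERSONALITY)),
    Response("p03", "Employed part-time", "Some of the time", "Unsure",
             _alternating(N_KAB), _alternating(N_PERSONALITY)),
    # 'strongly agree' to everything: the case described in the text
    Response("p04", "Employed full-time", "Most of the time", "Yes",
             [5] * N_KAB, [5] * N_PERSONALITY),
    # 55 identical KAB answers exceed the cut-off even though the
    # personality items vary
    Response("p05", "Employed full-time", "Some of the time", "Yes",
             [3] * 55 + _alternating(8), _alternating(N_PERSONALITY)),
    # 50 identical answers fall below the cut-off: kept as valid
    Response("p06", "Employed full-time", "Some of the time", "Yes",
             [1] * 50 + _alternating(13), _alternating(N_PERSONALITY)),
]

if __name__ == "__main__":
    for group, ids in screen(SAMPLE).items():
        print(f"{group}: {ids}")
```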

This left 113 valid responses, 53 of which were male and 60 female. Only 3% of participants were under 21 years of age. Approximately a quarter (26%) were aged between 21 and 30, and 37% were between 31 and 40 years of age. A further 12% were aged between 41 and 50, 19% were aged between 51 and 60, and 4% were 61 years or older. Participants took an average of 18 min and 5 s (SD = 11 min and 24 s) to complete the survey.

[1] Qualtrics is a research software company that provides survey data collection via a ‘panel’ of in excess of 6 million people who have agreed to receive emails regarding research participation. A closed, ‘by-invitation-only’ panel recruitment method was utilised. More information on recruitment, privacy and panel incentives is available here: http://www.researchnow.com/en-US/Panels.aspx.

Please cite this article in press as: Parsons K, et al., Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q), Computers & Security (2014), http://dx.doi.org/10.1016/j.cose.2013.12.003

Consistent with the technique utilised by Arachchilage and Love (2013), Cronbach’s alpha was used as a measure of the internal consistency of the survey. This refers to the degree to which the items measure the same underlying construct, and a reliable scale should have a Cronbach’s alpha coefficient above 0.70 (Cronbach, 1951). As shown in Table 4, Cronbach’s alpha coefficients for each of the three main constructs (i.e., knowledge of policy and procedure, attitude towards policy and procedure and self-reported behaviour) all exceeded this recommended value.

A series of Pearson product–moment correlations were conducted to further assess the relationship between the items used to create the three main constructs. An examination of the correlation matrices revealed that all items significantly correlated at 0.3 or above with, on average, 40% of the other items in that construct. The items with three or fewer correlations at 0.3 or above with other items in the construct were examined in detail to ensure they were clearly worded and accurately measuring the item of interest.
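The reliability checks described in this and the preceding paragraph, as an added Python example that is not the authors' code: Cronbach's alpha for a construct, the inter-item correlation screen, and alpha with each item deleted. The response matrix is constructed; the 0.3 cut-off and the ‘three or fewer’ rule are the paper's, and `max_strong` is a parameter because the toy scale has only four items rather than the paper's 21-item constructs.

```python
"""Item analysis for one HAIS-Q construct: Cronbach's alpha and the pilot
study's inter-item correlation screen. Added example, not the authors' code;
the response matrix is constructed."""

from math import sqrt
from typing import Dict, List

Matrix = List[List[float]]  # rows = respondents, columns = items


def _variance(xs: List[float]) -> float:
    """Sample variance (n - 1 denominator)."""
    n = len(xs)
    mean = sum(xs) / n
    return sum((x - mean) ** 2 for x in xs) / (n - 1)


def pearson(xs: List[float], ys: List[float]) -> float:
    """Pearson product-moment correlation of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def columns(m: Matrix) -> List[List[float]]:
    """Transpose the response matrix into one list per item."""
    return [list(col) for col in zip(*m)]


def cronbach_alpha(m: Matrix) -> float:
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score))."""
    items = columns(m)
    k = len(items)
    if k < 2:
        raise ValueError("alpha needs at least two items")
    item_var = sum(_variance(col) for col in items)
    total_var = _variance([sum(row) for row in m])
    return k / (k - 1) * (1 - item_var / total_var)


def correlation_matrix(m: Matrix) -> List[List[float]]:
    """Full k x k inter-item correlation matrix."""
    items = columns(m)
    return [[pearson(a, b) for b in items] for a in items]


def weak_items(m: Matrix, r_cut: float = 0.3, max_strong: int = 3) -> List[int]:
    """Indices of items that correlate at r_cut or above with at most
    max_strong other items (the pilot study's rule for items to re-examine;
    the default of 3 suits the paper's ~21-item constructs)."""
    r = correlation_matrix(m)
    flagged = []
    for i, row in enumerate(r):
        strong = sum(1 for j, v in enumerate(row) if j != i and v >= r_cut)
        if strong <= max_strong:
            flagged.append(i)
    return flagged


def alpha_if_deleted(m: Matrix) -> Dict[int, float]:
    """Alpha of the construct with each item removed in turn."""
    k = len(m[0])
    return {i: cronbach_alpha([[v for j, v in enumerate(row) if j != i]
                               for row in m]) for i in range(k)}


# Constructed responses: 4 respondents x 4 items on a 1-5 scale. Items 0-2
# move together; item 3 stands in for a confusingly worded item.
SAMPLE: Matrix = [
    [1, 2, 1, 3],
    [2, 2, 3, 1],
    [3, 4, 3, 3],
    [4, 4, 5, 1],
]

if __name__ == "__main__":
    print("alpha:", round(cronbach_alpha(SAMPLE), 3))
    print("weak items:", weak_items(SAMPLE, max_strong=0))
    print("alpha if deleted:", {i: round(a, 3) for i, a in alpha_if_deleted(SAMPLE).items()})
```

Dropping the weak item raises alpha from about 0.58 to about 0.93, which is the kind of evidence the pilot study used to decide which items to reword.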

This revealed 10 items that were subsequently altered. Some of these items were deemed to be too complicated, and it was thought that a simplification may prevent respondent confusion. For example, the mobile computing statement “Even if I am having trouble meeting a deadline, it is never acceptable for me to send sensitive work documents via a mobile phone network” was simplified to “It is a bad idea to send sensitive work documents using a mobile phone”. Some of the altered items included unclear terms. For example, the use of the term ‘unknown origin’ in the information handling statement “I must not insert a USB flash drive of unknown origin into my work computer” was deemed to be unclear, and a more specific example was used (i.e., “If I find a USB flash drive in a public place like a car park, I must not insert it into my work computer”).

The results of the respondent debriefing, cognitive testing and pilot study provided preliminary evidence of validity and reliability in the HAIS-Q, and justified implementing the main study.

2.3. Phase three – main study

2.3.1. Participants

In the main study, 1073 Australians attempted the survey. The same exclusion criteria employed in the pilot study were used. On this basis, 348 participants were excluded because they were not employed, 67 because they spend ‘No time at all’ using a computer or portable device at work, and 138 participants were excluded because their organisation has no information security policy (53 responses) or they were unsure if their organisation has an information security policy (85 responses). Of the 520 remaining participants, a further 20 responses were excluded based on the same content nonresponsivity criteria employed in the pilot study.

Table 4 – Cronbach’s alpha coefficients for the KAB survey components in the pilot study.

Constructs                                Cronbach’s alpha
Knowledge of policy and procedures        0.875
Attitude towards policy and procedures    0.878
Self-reported behaviour                   0.906


Table 5 – Percentage of sample in each industry compared to Australian statistics (ABS, 2013).

Industry (ANZSIC[a])                             ABS (%)   Sample (%)
Agriculture, forestry and fishing                3%        1%
Mining                                           2%        3%
Manufacturing                                    8%        4%
Electricity, gas and water and waste services    1%        2%
Construction                                     9%        7%
Wholesale trade                                  4%        2%
Retail trade                                     11%       11%
Accommodation and food services                  7%        4%
Transport, postal and warehousing                5%        5%
Information media and telecommunications         2%        6%
Financial and insurance services                 4%        7%
Rental, hiring and real estate services          2%        2%
Public administration and safety                 6%        8%
Education and training                           8%        10%
Health care and social assistance                12%       18%
Arts and recreation services                     2%        2%
Other services                                   15%       7%

[a] Australian and New Zealand Standard Industrial Classification.

Table 6 – Cronbach’s alpha coefficients for the KAB survey components in the main study.

Constructs                                Cronbach’s alpha
Knowledge of policy and procedures        0.844
Attitude towards policy and procedures    0.884
Self-reported behaviour                   0.918


This left 500 valid responses, with 51% of respondents male and 49% female. Consistent with the results of the pilot study, the sample represented a wide range of ages. Approximately 4% of participants were under 21 years of age; 29% were aged between 21 and 30; 23% were aged between 31 and 40; 17% were aged between 41 and 50; and 21% were between 51 and 60 years of age. A further 6% were 61 years or older.

Other participant demographics were examined to assess whether our sample is representative of employed Australians. Participants’ responses to the question, “What is the industry sector of your employment?” were compared to Australian Labour Market Statistics obtained by the Australian Bureau of Statistics (2013). As shown in Table 5, the percentage of employed Australians in each industry is very similar to the percentage of respondents in each industry. This suggests that our sample represents a range of employment types that is similar to the wider Australian population.

Table 7 – Correlations for knowledge.

Focus area                      1        2        3        4        5        6        7
1. Password management          1        –        –        –        –        –        –
2. Email use                    .352**   1        –        –        –        –        –
3. Internet use                 .326**   .390**   1        –        –        –        –
4. Social networking site use   .349**   .483**   .573**   1        –        –        –
5. Mobile computing             .377**   .451**   .430**   .413**   1        –        –
6. Information handling         .468**   .553**   .557**   .580**   .485**   1        –
7. Incident reporting           .402**   .460**   .346**   .392**   .445**   .427**   1

The median time to complete the questionnaire was 23 min, with an average time of 37 min and 12 s (SD = 97 min and 40 s). This very large standard deviation was likely caused by participants alternating survey completion with other work; 6 respondents took in excess of five hours, and of these, three required in excess of 10 h.

2.3.2. Procedure

In line with the procedure utilised for the pilot study, participants were required to read the information sheet and consent form, and were then asked to complete the HAIS-Q. Again, the questionnaire was completed online, using the Qualtrics survey platform.

3. Results

As in the pilot study, Cronbach’s alpha was calculated for each of the three main constructs as a measure of the internal consistency of the survey items. As shown in Table 6, these scores all exceeded the recommended cut-off value of 0.7, which provides evidence of a high degree of reliability and suggests the items in the scales are measuring the same underlying construct.

To further test the relationship between the items used to create the three main constructs (i.e., knowledge of policy and procedures, attitude towards policy and procedures and self-reported behaviour) a series of Pearson product–moment correlation coefficients were calculated. There was a significant positive relationship between all variables, with correlations ranging between .326 and .695, which indicates a strong relationship, but does not indicate multicollinearity. This therefore provides further support for the reliability of the HAIS-Q, and provides justification for creating total knowledge, attitude and behaviour scores, which can be used to test hypotheses 1, 2 and 3. These correlations are shown in Tables 7–9.

As noted in Section 1, the aim of the current paper is to test the hypothesis that there is a significant positive relationship between respondents’ knowledge of policy and procedures, attitude towards policy and procedures and their behaviour when using a work computer. This theory was tested using path analysis, which is a statistical technique for empirically examining sets of relationships to test the fit of causal models, and give estimates of their size and significance (Huang and Liaw, 2005; Lleras, 2005). It involves using a multiple regression analysis for each of the endogenous variables in the model (Huang and Liaw, 2005; Mathieu, 1988).


Table 8 – Correlations for attitude.

Focus area                      1        2        3        4        5        6        7
1. Password management          1        –        –        –        –        –        –
2. Email use                    .505**   1        –        –        –        –        –
3. Internet use                 .511**   .444**   1        –        –        –        –
4. Social networking site use   .489**   .528**   .529**   1        –        –        –
5. Mobile computing             .443**   .566**   .533**   .527**   1        –        –
6. Information handling         .504**   .530**   .529**   .578**   .614**   1        –
7. Incident reporting           .542**   .543**   .500**   .515**   .541**   .541**   1

Table 9 – Correlations for behaviour.

Focus area                      1        2        3        4        5        6        7
1. Password management          1        –        –        –        –        –        –
2. Email use                    .550**   1        –        –        –        –        –
3. Internet use                 .602**   .602**   1        –        –        –        –
4. Social networking site use   .556**   .533**   .664**   1        –        –        –
5. Mobile computing             .612**   .560**   .638**   .581**   1        –        –
6. Information handling         .648**   .658**   .680**   .628**   .695**   1        –
7. Incident reporting           .594**   .610**   .579**   .516**   .580**   .643**   1

**p < .001.

Fig. 3 – Findings in support of the KAB component of the HAIS Model (**p < .01).


The model under evaluation has two endogenous variables (viz., attitude and behaviour) and one exogenous variable (viz., knowledge). Hence, two multiple regressions were conducted. The first regression tested whether knowledge of policy and procedure predicted attitude towards policy and procedures, and produced an R squared of .659, which was statistically significant (F(1,498) = 960.77, p < .001). This means that a respondent’s knowledge of policy and procedures predicted approximately 66% of the variance in their attitude. The second regression tested whether participants’ knowledge of policy and procedures and attitude towards policy and procedures predicted their self-reported behaviour. This produced an R squared of .777, which was statistically significant (F(2,497) = 863.44, p < .001). Both knowledge (β = .185, t = 5.097, p < .001) and attitude (β = .724, t = 19.96, p < .001) were positively related to behaviour. These results indicate that approximately 78% of the variance in self-reported behaviour was accounted for by knowledge of policy and procedure and attitude towards policy and procedure. These findings, which provide support for our model, are depicted in Fig. 3.
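The two regressions above, as an added Python example that is not the authors' code: it derives the standardised path coefficients and R squared from zero-order correlations rather than raw scores, which is how a reader can check a reported path model against a correlation table. Only r(K,A) = .812 is taken from the paper (its reported β from knowledge to attitude); R_KB and R_AB are constructed values chosen so that the output lands near the reported coefficients, and the mediation decomposition at the end is an added step.

```python
"""Path analysis for the knowledge -> attitude -> behaviour (KAB) model,
computed from zero-order correlations. Added example, not the authors' code;
the correlations other than r(K,A) = .812 are constructed."""

from typing import Dict


def knowledge_to_attitude(r_ka: float) -> Dict[str, float]:
    """Regression of attitude (A) on knowledge (K) alone: with one predictor
    the standardised coefficient equals the correlation and R^2 is its square."""
    return {"beta_k": r_ka, "r2": r_ka ** 2}


def behaviour_on_knowledge_and_attitude(r_kb: float, r_ab: float,
                                        r_ka: float) -> Dict[str, float]:
    """Regression of behaviour (B) on K and A. For two standardised predictors
    the path (beta) coefficients follow from the three correlations:
        beta_k = (r_kb - r_ab * r_ka) / (1 - r_ka^2)
        beta_a = (r_ab - r_kb * r_ka) / (1 - r_ka^2)
        R^2    = beta_k * r_kb + beta_a * r_ab
    """
    denom = 1 - r_ka ** 2
    if denom < 1e-6:
        # K and A (nearly) collinear: the two paths cannot be separated,
        # which is why the text checks that correlations do not indicate
        # multicollinearity before fitting the model.
        raise ValueError("predictors are collinear; path coefficients undefined")
    beta_k = (r_kb - r_ab * r_ka) / denom
    beta_a = (r_ab - r_kb * r_ka) / denom
    r2 = beta_k * r_kb + beta_a * r_ab
    return {"beta_k": beta_k, "beta_a": beta_a, "r2": r2}


def total_effect_of_knowledge(direct: float, r_ka: float,
                              beta_a: float) -> Dict[str, float]:
    """Split the effect of K on B into the direct path and the part mediated
    through A (path K->A times path A->B). In this model the total equals
    r(K,B), which is a useful consistency check on the fitted paths."""
    indirect = r_ka * beta_a
    return {"direct": direct, "indirect": indirect, "total": direct + indirect}


# r(K,A) = .812 is the paper's reported path from knowledge to attitude; the
# other two correlations are constructed, not reported values.
R_KA = 0.812
R_KB = 0.773   # constructed
R_AB = 0.874   # constructed

if __name__ == "__main__":
    first = knowledge_to_attitude(R_KA)
    second = behaviour_on_knowledge_and_attitude(R_KB, R_AB, R_KA)
    effects = total_effect_of_knowledge(second["beta_k"], R_KA, second["beta_a"])
    print("K -> A:", {k: round(v, 3) for k, v in first.items()})
    print("K, A -> B:", {k: round(v, 3) for k, v in second.items()})
    print("effect of K on B:", {k: round(v, 3) for k, v in effects.items()})
```

With r(K,A) = .812 the first regression reproduces the paper's R squared of .659; the constructed pair gives β_K ≈ .19, β_A ≈ .72 and R squared ≈ .78 for the second, and the indirect path (≈ .59) is several times the direct one, which is the mediation pattern the Discussion draws from Fig. 3.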

This provides support for the hypotheses that better knowledge of policy and procedures is associated with better attitude towards policy and procedure, and better knowledge and attitude towards policy and procedure are both associated with self-reported behaviour that is more risk averse. However, we acknowledge that the support for our proposed model does not discount the existence of other, competing models (MacCallum et al., 1993). For instance, it is conceivable that behaviour when using a work computer could, in fact, influence an employee’s attitude towards policy and procedure. This is because most information security vulnerabilities are low-probability, high-consequence threats, and evidence suggests that people tend to repeat behaviours that are rewarded (Slovic et al., 1978; Thorndike, 1913). For example, if a computer user violates policy and accesses sensitive information from an unfamiliar wireless network, the consequences if this information is intercepted may be high, but the probability of interception is very low, and hence, each experience of using an unfamiliar wireless network without any negative consequences will reinforce or reward that insecure behaviour, and may change an individual’s attitude towards that policy. Similarly, there may be cases where employees know an information security policy and may believe that it is unnecessary or excessive, but they may still do the right thing, even when their attitude towards the instruction is poor. This may be due to other mediating factors, such as the desire to keep one’s job. These alternate models may describe the relationship between knowledge, attitude and behaviour in rare cases, and will be examined in future research. However, on balance, our model as depicted in Fig. 3 best describes the majority of computer users, and hence, has the best potential to explore further.

4. Limitations and future directions

This study provides preliminary evidence of a positive relationship between employees’ knowledge of policy and procedures, their attitude towards policy and procedures, and their self-reported behaviour when using a work computer. However, there are limitations, which will be addressed in future studies.

4.1. The use of self-report

Many of the potential criticisms are associated with the fact that the HAIS-Q is a self-report measure and the validity of self-reports has been criticised (e.g., Spector, 1992; Frese and Zapf, 1988). This criticism is centred largely on self-reported behaviour, and there is little criticism of self-report to measure knowledge or employees’ feelings about and perceptions of their work environment (Spector, 1994). Hence, this suggests the knowledge and attitude components of the HAIS-Q are uncontroversial. Although there are good reasons to be cautious of self-reported behaviour, Workman’s (2007) study of social engineering found a correlation of .89 between self-reported behaviour and objective measures of behaviour (measured via the propensity to respond to a phishing email). This means that approximately 80% of the variance in behaviour could be explained by self-report, and hence, the value of self-reported behaviour should not be discounted.

Furthermore, when assessing the limitations of self-report, it is important to consider that there are many issues associated with objective assessments of security behaviour. For example, any measure of actual incidents is inadequate, because penetrations into a system are not always detected, and of those that are detected, many go unreported to protect the reputation of the organisation involved (Kabay, 2002). In addition, as explained in Section 3, information security vulnerabilities are low-probability, high-consequence threats. This means that poor information security behaviour rarely results in an information security breach. Hence, given the impracticality of obtaining an unbiased objective measure of information security behaviour, self-reported behaviour is a valid alternative.

The nature of our data collection should also allay the criticisms of self-report. According to Donaldson and Grant-Vallone (2002), there are four general factors that influence whether a respondent will be influenced by self-report biases. In the context of the HAIS-Q, this theory suggests that respondents will have a motivation to bias their responses if they:

1) Are violating information security policy (True State of Affairs),
2) Are reporting on a highly sensitive construct (Sensitivity of Construct),
3) Are predisposed to give socially desirable responses (Dispositional Characteristics), and
4) Believe responding truthfully could lead to punishment (Situational Characteristics).

Our data was collected online through a third party organisation (i.e., Qualtrics). The survey respondents were not asked to provide their name or the name of their employer, and were given additional assurances of confidentiality and anonymity. This should remove any situational characteristics that would lead people to give socially desirable answers, and should therefore reduce bias (Donaldson and Grant-Vallone, 2002).

Furthermore, Spector (1994) argued that self-report studies should not be dismissed as being an inferior methodology, and instead, they can provide valuable data as an initial test of hypotheses. At this stage, the HAIS-Q is still being tested, refined and developed, and the self-report method is appropriate for this. In future work, the HAIS-Q will be further validated with alternate measures of information security awareness, including interviews, focus groups and co-worker reports.

4.2. The use of Internet data collection

The results of this study may be limited by its use of Internet based data collection. Literature suggests there are potential problems associated with Internet data collection (Weigold et al., 2013; Reips, 2002). For example, Meade and Craig (2012) explained that the lack of a controlled setting could result in environmental distraction and divided attention. The large standard deviation (of over 97 min) in the time taken to complete the HAIS-Q suggests that a minority of participants may have been alternating survey completion with other work. Furthermore, Johnson (2005) argued that the lack of personalisation and social interaction with the researcher may result in less accountability and more undesirable response patterns. However, since aspects of the HAIS-Q are potentially sensitive (e.g., participants are asked to report on behaviours that would constitute policy violation), this increased anonymity may increase the likelihood of authentic responses (Reips, 2002). The Internet data collection also allows access to samples with a wider distribution of demographic characteristics than would be possible from a local sample (Reips, 2002). Finally, Weigold et al. (2013) compared self-report survey-based paper-and-pencil and Internet data collection methods and concluded that the methods are generally equivalent.

4.3. Future studies

Future studies will examine the individual, organisational and interventional factors, and determine whether these factors have a statistically significant effect on the behaviour of employees and therefore on the security of an organisation’s information systems. Future studies will also further develop the HAIS-Q in line with the validation guidelines outlined by Straub et al. (2004). For example, alternate measures of knowledge, attitude and behaviour will allow us to assess the construct validity of the HAIS-Q.

The questionnaire will also be implemented on employees within known organisations, which will allow us to assess the actual policies and procedures and methods of training within the organisation and how these influence the responses provided by employees. This will allow us to further test the conclusion of this paper, that generic training courses that only outline requirements will be less effective than contextualised training aimed at improving both knowledge and understanding of policy and procedures.

5. Discussion and conclusions

The purpose of this study was to outline the development and initial reliability and validity testing of our HAIS-Q and to establish whether there is a positive relationship between respondents’ knowledge of policy and procedures, attitude towards policy and procedures and their self-reported behaviour when using a work computer. The data presented in this study support this hypothesis, and provide support for our model and questionnaire.

The results shown in Fig. 3 indicate that participants’ knowledge of policy and procedure and attitude towards policy and procedure explain a significant amount of the variance in participants’ self-reported behaviour. Interestingly, however, the Beta (β) values reported in Fig. 3 indicate that an employee’s knowledge of policy and procedures had a far stronger influence on attitude towards policy and procedure (β = .812) than self-reported behaviour (β = .185). This suggests the effect of knowledge on behaviour is mediated by attitude towards policy and procedure.

This has implications for training and education campaigns, as it suggests that employers can be relatively confident that improving their employees’ knowledge of policy and procedures will have a positive impact on both attitude towards those policies and procedures and employee behaviour. However, our results also indicate that generic courses that do not attempt to influence attitude and instead simply lecture on knowledge of policy and procedure will be far less effective. Instead, training should be contextualised and should use case studies to improve both knowledge of what is expected and also understanding of why this is important (Brooke, 2006; Parsons et al., 2010).

r e f e r e n c e s

Anderson R, Barton C, Bohme R, Clayton R, van Eeten MJG, Levi M,et al. Measuring the cost of cybercrime. In: 11th annualworkshop on the economics of information security, June,Berlin, Germany 2012.

Arachchilage NAG, Love S. A game design framework for avoidingphishing attacks. Comput Hum Behav 2013;29(3):706e14.

Australian Bureau of Statistics. Australian labour marketstatistics, July 2013; 2013. Canberra, Australia. (6105.0).

Baranowski T, Cullen KW, Nicklas T, Thompson D, Baranowski J.Are current health behavioral change models helpful inguiding prevention of weight gain efforts? Obes Res2003;11:23Se43S.

Bettinghaus EP. Health promotion and the knowledge-attitude-behavior continuum. Prev Med 1986;15(5):475e91.

Brooke SL. Using the case method to teach online classes:promoting Socratic dialogue and critical thinking skills. Int JTeach Learn High Educ 2006;18(2):142e9.

Bulgurcu B. The antecedents of information security policycompliance (MSc thesis). Canada: The University of BritishColumbia; 2008.

Collins D. Pretesting survey instruments: an overview of cognitivemethods. Qual Life Res 2003;12(3):229e38.

Cronbach LJ. Coefficient alpha and the internal structure of tests.Psychometrika 1951;16(3):297e334.

Da Veiga A, Eloff JHP. A framework and assessment instrument forinformation security culture. Comput Secur 2010;29:196e207.

Please cite this article in press as: Parsons K, et al., Determining eSecurity Questionnaire (HAIS-Q), Computers & Security (2014), h

Davis FD. Perceived usefulness, perceived ease of use, and useracceptance of information technology. MIS Quart1989;13(3):319e40.

Deloitte. Raising the bar: 2011 TMT global security study e keyfindings; 2011. Report published by Deloitte, 24 pp.

DeMaio TJ, Rothgeb JM. Cognitive interviewing techniques: in thelab and in the field. In: Schwartz N, Sudman S, editors.Answering questions: methodology for determining cognitiveand communicative processes in survey research. SanFrancisco: Jossey-Bass; 1996. pp. 177e95.

Donaldson SI, Grant-Vallone EJ. Understanding self-report bias inorganizational behavior research. J Bus Psychol2002;17(2):245e60.

Draugalis JR, Coons SJ, Plaza CM. Best practices for surveyresearch reports: a synopsis for authors and reviewers. Am JPharm Educ 2008;72(1). Article 11.

Ernst, Young. Into the cloud, out of the fog: Ernst & Young’s 2011global information security survey; 2011. Report published byErnst & Young.

Fan J, Zhang P. Study on e-government information misuse basedon General Deterrence Theory. In: 8th internationalconference on service systems and service management(ICSSSM), June, Tianjin 2011. pp. 1e6.

Fowler FJ. Improving survey questions: design and evaluationInApplied social research methods series, vol. 38. ThousandOaks, CA: Sage Publications, Incorporated; 1995.

Frese M, Zapf D. Methodological issues in the study of workstress: objective vs subjective measurement of work stressand the question of longitudinal studies. In: Cooper CL,Payne R, editors. Causes, coping and consequences of stress atwork. West Sussex, England: John Wiley; 1988. pp. 375e410.

Furnell S, Jusoh A, Katsabas D. The challenges of understandingand using security: a survey of end-users. Comput Secur2006;25(1):27e35.

Gosling SD, Rentfrow PJ, Swann WB. A very brief measure of theBig-Five personality domains. J Res Personality2003;37(6):504e28.

Guillot A, Kennedy S. Information security surveys: a review of themethodologies, the critics and a pragmatic approach to theirpurposes and usage. In: 5th Australian information securitymanagement conference, December, Perth, Australia 2007.

Herath T, Rao HR. Encouraging information security behaviors inorganizations: role of penalties, pressures and perceivedeffectiveness. Decis Support Syst 2009;47(2):154e65.

Huang HM, Liaw SS. Exploring users’ attitudes and intentionstoward the web as a survey tool. Comput Hum Behav2005;21(5):729e43.

Johnson JA. Ascertaining the validity of individual protocols fromWeb-based personality inventories. J Res Personality2005;39(1):103e29.

Kabay ME. Studies and surveys of computer crime. In:Bosworth S, Kabay ME, editors. Computer security handbook.4th ed. New York, NY: John Wiley & Sons, Inc; 2002.

Karjalainen M. Improving employees’ information systems (IS)security behaviour: toward a meta-theory of is security trainingand a new framework for understanding employees’ is securitybehaviour. PhD. Oulu: The University of Oulu; 2011 (A 579).

Khan B, Alghathbar KS, Nabi SI, Khan MK. Effectiveness ofinformation security awareness methods based onpsychological theories. Afr J Bus Manag 2011;5(26):10862e8.

Kollmuss A, Agyeman J. Mind the gap: why do people actenvironmentally and what are the barriers to pro-environmental behavior? Environ Educ Res 2002;8(3):239e60.

Kruger H, Kearney W. A prototype for assessing informationsecurity awareness. Comput Secur 2006;25(4):289e96.

Liginlal D, Sim I, Khansa L. How significant is human error as acause of privacy breaches? An empirical study and a frameworkfor error management. Comput Secur 2009;28:215e28.

mployee awareness using the Human Aspects of Informationttp://dx.doi.org/10.1016/j.cose.2013.12.003

c om p u t e r s & s e c u r i t y x x x ( 2 0 1 4 ) 1e1 2 11

Lleras C. Path analysis. Encycl Soc Meas 2005;3:25e30.MacCallum RC, Wegener DT, Uchino BN, Fabrigar LR. The

problem of equivalent models in applications of covariancestructure analysis. Psychol Bull 1993;114(1):185e99.

Mathieson K. Predicting user intentions: comparing thetechnology acceptance model with the theory of plannedbehaviour. Inf Syst Res 1991;2(3):173e91.

Mathieu JE. A causal model of organizational commitment in amilitary training environment. J Vocat Behav1988;32(3):321e35.

McGuire WJ, editor. The nature of attitudes and attitude change,vol. 3. Reading, Mass: Addison-Wesley; 1969.

Meade AW, Craig SB. Identifying careless responses in surveydata. Psychol Meth 2012;17(3):437e55.

Mylonas A, Gritzalis D, Tsoumas B, Apostolopoulos T. Aqualitative metrics vector for the awareness of smartphonesecurity users. In: Proceedings of the 10th internationalconference on trust, privacy, and security in digital business.Springer; 2013a. pp. 173e84 (LNCS-8058).

Mylonas A, Kastania A, Gritzalis D. Delegate the smartphoneuser? Security awareness in smartphone platforms. ComputSecur 2013b;34:47e66.

Ng B-Y, Kankanhalli A, Xu Y. Studying users’ computer securitybehavior: a health belief perspective. Decis Support Syst2009;46:815e25.

Nichols DS, Greene RL, Schmolck P. Criteria for assessinginconsistent patterns of item endorsement on the MMPI:rationale, development and empirical trials. J Clin Psychol1989;45:239e50.

Parsons K, McCormac A, Butavicius M, Ferguson L. Human factorsand information security: individual, culture and securityenvironment; 2010. Report published by Defence Science andTechnology Organisation, DSTO-TR-2484, 45 pp.

Parsons K, McCormac A, Pattinson M, Butavicius M, Jerram C. Astudy of information security awareness in Australiangovernment organisations. Inf Manag Comput Secur 2014. inpress.

Parsons K, McCormac A, Pattinson M, Butavicius M, Jerram C. Ananalysis of information security vulnerabilities at threeAustralian government organisations. In: Proceedings of theEuropean information security multi-conference (EISMC 2013),Lisbon, Portugal. UK: Plymouth University; 2013.

Pattinson MR, Anderson G. How well are information risks beingcommunicated to your computer end-users? Inf ManagComput Secur 2007;15(5):362e71.

PricewaterhouseCoopers. Changing the game e key findings fromthe global state of information security survey 2013; 2013.Report published by PricewaterhouseCoopers.

Reips U. Standards for Internet-based experimenting. Exp Psychol2002;49(4):243e56.

Schultz E. The human factor in security. Comput Secur2005;24(6):425e6.

Siponen M, Pahnila S, Mahmood MA. Compliance withinformation security policies: an empirical investigation.Computer 2010;43(2):64e71.

Slovic P, Fischhoff B, Lichtenstein S. Accident probabilities andseat belt usage: a psychological perspective. Accid Anal Prev1978;10(4):281e5.

Spector PE. A consideration of the validity and meaning of self-report measures of job conditions. In: Cooper CL, Robertson IT,editors. International review of industrial and organizationalpsychology: 1992. West Sussex, England: John Wiley; 1992.pp. 123e51.

Spector PE. Using self-report questionnaires in OB research: acomment on the use of a controversial method. J Organ Behav1994;15(5):385e92.

Stanton JM, Stam KR, Mastrangelo P, Jolton J. Analysis of end usersecurity behaviors. Comput Secur 2005;24(2):124e33.

Please cite this article in press as: Parsons K, et al., Determining eSecurity Questionnaire (HAIS-Q), Computers & Security (2014), h


Kathryn Parsons is a research scientist with the Human and Social Modelling and Analysis Discipline in National Security & Intelligence, Surveillance & Reconnaissance Division (NSID) of the Defence Science and Technology Organisation (DSTO), where her research involves applying psychological principles to human factors and organisational problems in areas such as information security, intelligence analysis and national security. She completed a Master of Psychology (Organisational and Human Factors) at the University of Adelaide in 2005. She is an organisational psychologist and Adjunct Lecturer within the School of Psychology at the University of Adelaide.

Agata McCormac joined DSTO in 2006. She is a research scientist with the Human and Social Modelling and Analysis Discipline in NSID where her work focuses on applying cognitive and perceptual psychology principles to solve organisational problems. She was awarded a Master of Psychology (Organisational and Human Factors) at the University of Adelaide in 2005. She is registered as an organisational psychologist with the Psychology Board of Australia and holds an Adjunct Lecturer position within the School of Psychology at the University of Adelaide.

Dr. Marcus Butavicius is a senior research scientist with the Human and Social Modelling and Analysis Discipline in NSID. He joined DSTO in 2001 where he investigated the role of simulation in training, theories of human reasoning and the analysis of biometric technologies. In 2002, he completed a PhD in Psychology at the University of Adelaide on mechanisms of visual object recognition. In 2003 he joined the Intelligence, Surveillance and Reconnaissance Division where his work focused on data visualisation, decision-making, information security and interface design. He is also a Visiting Research Fellow in the Psychology Department at the University of Adelaide.

Computers & Security xxx (2014) 1-12

Dr. Malcolm Pattinson is a Research Fellow in the Business School of The University of Adelaide and an Information Security Consultant. He has been lecturing and researching in the area of information security for more than 20 years. His current research focuses on the human aspects of information security and he is widely published in this area. He has been an active member of the Adelaide Chapter of ISACA for more than 15 years and has the certifications CISA, CISM and CGEIT. He is also a Member of IFIP TC-11 Working Group 11.12, Human Aspects of Information Security & Assurance (HAISA).


Dr. Cate Jerram is an academic with the University of Adelaide Business School. She is the Lecturer-in-Charge of the Qualitative Methods course for Higher Degree Research students and the primary educator in NVivo10 training for the University of Adelaide Graduate Centre. Cate has Higher Research Degrees in Business Information Systems, Knowledge Management and Organisational Change, and Adult (and Tertiary) Education, and has published in all these disciplines.
