User awareness and effectiveness of IT security.

Bibliographic Details
Main Author: Fu, YongZhang.
Other Authors: Jin Cheon Na
Format: Theses and Dissertations
Language: English
Published: 2011
Online Access: http://hdl.handle.net/10356/46429
Institution: Nanyang Technological University
Description
Summary: Information Technology transformed the way people executed their tasks at work. With the information security policy and security technology in place, it was assumed that an organization would be secured and less vulnerable to security attacks. However, humans were more often than not the weakest link in the security defense line. Many organizations often overlooked the importance of monitoring employees’ behavior and setting their attitude and mindset right in dealing with security events. The research is to investigate user awareness and effectiveness of Information Technology security measures. The research target would be a Singapore-based Information Technology multi-national corporation. There are three research objectives. The first objective is to investigate the effectiveness of an organization’s information security policy with its employees. The second objective is to investigate the effectiveness of an organization’s security training and education program being offered to the employees. The last objective is to investigate the effectiveness of computer monitoring technology in an organization as a deterrent approach. The study data was collected using a survey questionnaire that was distributed to 100 personnel from the same department of the organization, with a 74% response rate. The study identifies four findings. Firstly, the use of security policies, security training and computer monitoring has an effect on perceived certainty of sanctions and perceived severity of sanctions. Secondly, the human resource department of an organization is an important first-line gateway to screen and assess the applicants’ moral values. Thirdly, the Singapore government’s initiative to publish the Computer Misuse Act and an organization’s information security policy are useful in creating a deterrence effect on the employees. Lastly, punishment for any computer-related crime proves to be useful in increasing awareness among employees.
This research highlighted the importance of incorporating security policy, security training and security technologies as a three-layer approach to deter computer misuse intention. There was a relationship among policy readership, punishment and computer misuse intention. To enhance the defense against computer security incidents, organizations are encouraged to convince their employees to read and understand the organization’s information security policy and Singapore’s Computer Misuse Act. I have identified one new finding, which is that most of the engineers failed to understand the definition of phishing even though their work was highly related to computer usage. Security training is vital to update the employees with the latest security knowledge. Lastly, I have concluded that installing computer security technologies to monitor and keep track of employees’ behavior proved to be a well-spent investment to curb and deter future computer misuse intention.