Dissertation: Assessing Information Security Awareness in Organizations (Dr. Tobias Fertig)

Abstract: Several reports about information security incidents in recent years show that the human factor is involved in over 80% of attack vectors. This is why employees have to be aware of their crucial role in protecting information within organizations. Awareness-raising measures are therefore often used to sensitize employees properly. However, organizations require support to increase Information Security Awareness (ISA) in a planned and targeted manner. Reviewing and evaluating the awareness measures in use is an important aspect of increasing ISA within organizations. Suitable measuring and evaluation methods are required to verify the effectiveness and success of the applied sensitization measures. Therefore, the aim of this thesis is to provide organizations with measurement and assessment methods for ISA.

This thesis developed a Maturity Model (MM) in order to provide a suitable guideline for improving ISA in organizations. The MM can also be used to evaluate the current state of an organization. Since many MMs are criticized for not having a solid basis, this thesis made use of a scientific approach to develop the MM in a scientifically sound manner. The development of the MM is based on item response theory and a polytomous extension of the Rasch model paired with hierarchical cluster analysis. A survey was used to collect quantitative data to derive a definition for each level of the MM. Participants in the survey rated the current situation in their organizations, making the individual difficulty levels of the MM reflect the current skill level of the organizations. The MM was evaluated using a focus group with ISA experts and a workshop with potential end users. The resulting MM has five maturity levels in four different dimensions. Both the experts and the end users described the MM as practical and usable – even in its early stages. Nevertheless, further evaluations are needed to empirically support these personal impressions.

In order to also assess ISA in organizations based on quantitative measurements, suitable tools are required to record and visualize the measurement results. Both manual and automated approaches for measuring ISA were identified and developed. Different aspects of ISA such as knowledge and habits were considered. After testing different manual approaches, automation possibilities were examined. The automation is achieved with the help of a software-based measurement method. This software can be extended in the future for other aspects of ISA such as intention or salience. Both the MM and the software support organizations in improving their ISA accordingly.

This cumulative dissertation followed the design science research paradigm. The environment as well as the knowledge base are considered and used to develop artifacts. The MM and the measurement methods represent these artifacts. In order to contribute to the knowledge base, a total of seven papers have been published. These papers contain partial results of this dissertation. At the end of this thesis, all results are discussed in a common context and all findings are prepared for the next design science iteration. Finally, an operational concept is proposed to show how the previous results can already be used in practice.

Keywords: Information security awareness, maturity model

Reference: Fertig, T. (2023). Assessing Information Security Awareness in Organizations. Friedrich-Alexander-University Erlangen-Nuremberg.

Committee: Dirk Riehle (1st reader, Univ. Erlangen), Kristin Weber (2nd reader, TH Würzburg-Schweinfurt), Nicholas Müller (3rd reader, TU Chemnitz), Hans-Ulrich Prokosch (member, Univ. Erlangen), Mark Stamminger (chair, Univ. Erlangen).

PDF: Dissertation