Information Security Awareness of TAFE South Australia Employees
Research Proposal

Hong Chan
External
Chaht01f 00069566
Supervisor: Dr Sameera Mubarak
Bachelor of Information Technology (Honours)
School of Computer and Information Science
University of South Australia
Submitted on 13th June 2011

Table of Contents

Abstract
1 Introduction
  1.1 Partnership – TAFE South Australia
  1.2 Researcher’s Personal Interest
  1.3 Potential Contributions
  1.4 Limitations
  1.5 Field of Thesis
  1.6 Research Question
2 Literature Review
  2.1 Information Security
  2.2 Employee Information Security Awareness
  2.3 Managerial Information Security Awareness
  2.4 Other Relevant Literature
  2.5 Assessing Information Security Awareness
  2.6 Literature Review Summary
3 Methodology
  3.1 Research Design
  3.2 Data Analysis
  3.3 Expected Results
4 Ethics and Compliance
Reference
Project Schedule
Trial Table of Contents

Abstract

Various literature and studies relating to information security emphasise the importance of information security awareness in maintaining any organisation-wide security implementations or measures. It is also widely accepted that information security awareness is an important factor in a successful security plan, and should be properly assessed to suggest improvements. While it has been established that it is important for staff from within all levels of the organisation to have greater information security awareness, there is clearly a gap within current literature and studies in that there have been virtually no studies into information security awareness in an Australian context.
It is proposed that this study will directly investigate and assess the employee information security awareness in TAFE South Australia in order to provide much needed insight into the extent of information awareness levels in Australian organisations. If the gap in literature is any indication, then it is anticipated that awareness levels of TAFE South Australia employees will be low, thereby warranting the need to explore ways of improving information security awareness levels.

1 Introduction

Due to advances in information technology and the resultant high accessibility of information by internal and external users, information security has become highly relevant and necessary for the survival of organisations (von Solms 1998; Cervone 2005; Thompson 2006). Failure to protect confidential information may result in exorbitant costs in public liabilities, which may result in the ultimate downfall of an organisation. Many papers such as von Solms (1998) and Cervone (2005) have concluded that to counteract or to minimise the risk of information security breaches, it is important for an organisation to implement an information security plan or strategy. Further, Namjoo et al. (2008) suggested that preventative action by organisations usually takes place after the occurrence of information security breaches. By the time an incident has taken place, it could be too late. It is better to be safe than sorry. In addition, organisations have an ethical and/or legal responsibility to ensure that client confidential information is well protected.

It is widely accepted within current literature that information security awareness is a key factor in contributing to a successful security strategy (Siponen & Vance 2010; Spears & Barki 2010; McFadzean, Ezingeard & Birchall 2007; Knapp et al. 2006; Mouratidis, Jahankhani & Nkhoma 2008; Hagen, Albrechtsen & Hovden 2008; Doherty, Anastasakis & Fulford 2009; Bulgurcu, Cavusoglu & Benbasat 2010; Namjoo et al. 2008).
Further, there is a positive and direct relation between information security awareness and preventative action and thus improved security performance (Knapp et al. 2006), which suggests that employee security awareness assessment should be the starting point in developing or enhancing any security strategies. According to Bulgurcu, Cavusoglu & Benbasat (2010), information security awareness is an employee’s knowledge of information security concepts and his or her consciousness of the organisation’s information security measures or plans.

Due to the apparent gap which exists in current literature, in that studies in relation to organisational information security awareness in an Australian context are virtually nonexistent, this investigative study aims to assess the employee awareness levels of an Australian organisation. Assessment will be conducted using a vocabulary test based on Kruger, Drevin & Steyn (2010) which will be modified to suit the Australian context. The test will be delivered online and the resultant collected data will be analysed to determine employee assessment levels.

1.1 Partnership – TAFE South Australia

TAFE South Australia recognises the potential benefits of this study for the organisation and Australian organisations in general. Therefore TAFE South Australia has kindly agreed to take part in this study by allowing its employees to be the subjects for this research. TAFE South Australia is an agency of the Department for Further Education, Science and Technology (DFEEST) within the Government of South Australia. It is the largest provider of vocational education and training in South Australia. With over 2400 lecturing, administrative and management employees spread across 48 campuses around the State of South Australia (TAFE South Australia 2011), it is anticipated that the organisation will provide sufficient data for analysis to enable a conclusive finding for this research.

1.2 Researcher’s Personal Interest

As a member of staff within TAFE South Australia, Hong Chan has first-hand experience in the workings of the organisation, particularly in relation to information security, where it is recognised through general observations that awareness is lacking. By empirically verifying this lack of awareness, the researcher hopes that this will provide a first step in ensuring TAFE South Australia’s information security readiness.

1.3 Potential Contributions

It is anticipated that the result of this research will directly benefit TAFE South Australia by providing the organisation with a critical analysis of employee information security awareness, thereby providing a starting point in ensuring information security readiness. More importantly, very little has been done to assess information security awareness in Australian organisations. Therefore, this study will provide a much needed insight into security awareness in an Australian context. Finally, the vocabulary test used in this research has the potential to be utilised by Australian organisations to assess awareness levels.

1.4 Limitations

Assessing awareness is only the first step in the process of ensuring information security; this study is limited in that it will not investigate how awareness can be improved. Further study is needed, and will be considered in the future.

1.5 Field of Thesis

Information Security, Information Security Awareness, Information Assurance, Information Management.

1.6 Research Question

This investigative study will utilise an information security vocabulary test to assess the employee and managerial information security awareness levels of TAFE South Australia in order to provide a starting point for developing or improving a security policy for TAFE South Australia, and to provide an insight into the information security readiness of TAFE South Australia or Australian organisations in general.
The scope of this study is limited to the assessment of information security awareness and does not investigate techniques which could improve awareness, nor does the scope include developing information security policies or plans.

2 Literature Review

The following sections provide a review of current literature relating to information security awareness and within the scope of this proposal. Firstly, literature providing background information will be briefly discussed. This is followed by the review of various studies which place emphasis on information security awareness. Finally, a brief summary of the reviewed literature will be provided, explaining the justification for the need to investigate information security awareness in an Australian context.

2.1 Information Security

The advent of the internet and electronic commerce has ensured that information security has become increasingly vital for modern organisations (von Solms, 1998). This is because the internet or intranets have allowed information to be easily accessible by external or internal sources. von Solms (1998) further stated that organisations need to ensure that a high level of information security is maintained in order to protect proprietary and confidential information. Further, Cervone (2005) stated that due to the increasing complexity of software, vulnerabilities of software are also increasing. Subsequently, security breaches will result. Of particular relevance to this proposed research is the obtaining of confidential information via illegal means. The liability to an organisation if this was to occur would financially cripple the organisation and may cause a public outcry.

In order to minimise or to prevent information security breaches, an organisation must implement an information security preventative plan. Cervone (2005) identified three major areas which a security plan should include.
These were: confidentiality, protecting information from unauthorised access; integrity, protecting information from unauthorised alteration; and availability, providing access to information as required, when required.

Thompson (2006) expanded further on the importance of protecting information by discussing social engineering in the context of public libraries. According to Thompson (2006), “social engineering is the use of non-technical means to gain unauthorised access to information or computer systems”. Libraries contain a vast amount of personal information in their database and social engineering is clearly a major threat. TAFE South Australia or any other higher education institutions face similar threats due to the vast amount of student information contained in their database. A major aspect of social engineering is that hackers prey on employee trust and emotion. That is, hackers will try to gain the trust of employees in order to obtain confidential information. Further, hackers will often use impersonation and pretend to be someone else in order to gain trust. Finally, Thompson (2006) suggested that apart from a well implemented information security plan to prevent social engineering, employees play an active and important role. The starting point would be to ensure that employees have a high level of information security awareness, and this forms the basis for this proposed research.

Bulgurcu, Cavusoglu & Benbasat (2010) defined information security awareness as an employee’s knowledge of information security and his or her consciousness of the organisation’s information security measures or plans. The following section will present relevant literature relating to information security awareness which is of importance to this proposal.

2.2 Employee Information Security Awareness

Bulgurcu, Cavusoglu & Benbasat (2010) investigated employee rationality based behaviours, information security awareness, and their effects on information security compliance.
The study was able to show that an employee’s intention to comply is greatly influenced by their attitude and their outcome beliefs. More importantly for the purpose of this research, the study found that an employee’s attitude and outcome beliefs are affected by their level of information security awareness. In other words, placing emphasis on information security awareness can positively affect employee attitudes and encourage compliance.

Siponen & Vance (2010) explained information security breaches by employees from a neutralization theory perspective. That is, the study concluded that employees who are responsible for any security breaches often justify or rationalise their actions using neutralization techniques. Neutralization is a concept borrowed from the field of psychology. The study was not directly related to information security awareness. However, Siponen & Vance (2010) did propose that policy awareness campaigns may be used to counteract the effects of neutralization, thereby ensuring that security policies are adhered to, suggesting that further investigation into information security awareness is warranted.

Spears & Barki (2010) explored the relationship between employee participation in risk management and internal security compliance. The study was able to conclude that employee participation in risk management greatly contributed to improved security control performance due to greater alignment between security risk management and the business environment, better policy development, and more importantly for the purpose of this research – greater information security awareness. While the study did not explore information security awareness as the main driver of a successful security policy, it did highlight information security awareness as a main contributor.

2.3 Managerial Information Security Awareness

Most studies have so far explored the significance of information security awareness of employees in general.
This section presents current literature which has identified the importance of managerial information security awareness.

McFadzean, Ezingeard & Birchall (2007) identified the awareness of senior management as an important driver of effective security measures. The study argued that senior executives have a holistic view of the organisation and therefore have the power to effect change in the organisation through their roles as strategy implementers. It was found that board level perceptions and thereby information security awareness are positively related to the strategic activities of an organisation.

Similar to McFadzean, Ezingeard & Birchall (2007), Knapp et al. (2006) also identified senior management as key players. The study found that senior management support is positively related to both an organisation’s security culture and the level of policy enforcement. While the study did not directly explore managerial information security awareness as a predictor of security performance, it does again highlight the importance of management involvement, thus the importance of managerial information security awareness in affecting an organisation’s information security readiness.

Mouratidis, Jahankhani & Nkhoma (2008) aimed to study the differences in perception of network security between general management personnel and personnel who are responsible for actual network security. The study found that general managers do have different perspectives towards network security than personnel from the network security management. In particular, the effectiveness and efficiency of the network, control of security, security decision making process, and users of the network all showed significant perceptual differences. There is a clear lack of information security awareness within general management and as confirmed by McFadzean, Ezingeard & Birchall (2007), this could have a negative impact on the effectiveness of information security policies.

Namjoo et al.
(2008) further reinforced the importance of information security awareness levels of management by investigating the relationship between managerial information security awareness and action. The study was able to provide empirical support for a positive relationship between awareness and action. In other words, the higher the level of managerial information security awareness, the more likely the managers will take action in implementing preventative measures. The study suggested that preventative action usually occurs after the fact. That is, unless an actual information security breach has occurred, organisations usually take no action in adopting security measures. Like various similar studies, Namjoo et al. (2008) implied that raising managerial information security awareness could in fact improve information security performance.

2.4 Other Relevant Literature

Hagen, Albrechtsen & Hovden (2008) studied the implementation of organisational security measures and assessed the effectiveness of such measures. The study was conducted using a survey in which data was collected from information security managers in various Norwegian organisations. It was discovered that many Norwegian organisations placed emphasis on the policies and procedures in implementing any measures, but placed very little emphasis on security awareness. The study also showed that awareness measures were the most effective of any security measures. As a consequence, the study showed an inverse relationship between the implementation of security measures and their effectiveness. In other words, it is important to place emphasis on security awareness as well as others when adopting security programs. Hagen, Albrechtsen & Hovden (2008) only investigated Norwegian organisations.
However, due to the similar structures of western organisations (similar accounting practices, management hierarchies, information technology infrastructure etc.), it can be posited that Australian organisations are in a similar situation. Virtually no studies have explored information security awareness in Australian organisations, thereby justifying the need for this proposed research.

According to Doherty, Anastasakis & Fulford (2009), ensuring the security of information has become extremely complex and challenging. This is more so for Universities because teaching and research activities are becoming more reliant on the availability, integrity and accuracy of computer based information. The study aimed to empirically study the structure or content of security policies for UK based Universities in order to fill the gap in the literature by critically examining the structure and content of these policies. The study found that due to the wide diversity of these policies, it was not possible to foster a coherent approach to security management. It also found that the range of issues being covered in such policies was surprisingly low, and reflects a highly techno-centric view rather than a user-centric view of information security management. This suggests that user or staff information security awareness is neither prominent nor considered in these policies. Again, while Doherty, Anastasakis & Fulford (2009) only explored UK based Universities, it can be posited that Australian higher education institutions such as TAFE South Australia may have similar attitudes, thereby further justifying the need to explore information security awareness in an Australian setting.

In another non-Australian context, Dzazali, Sulaiman & Zolait (2009) aimed to evaluate the maturity level of information security in the Malaysian Public Service. The study used convenience sampling and collected data from 970 individuals through a survey.
It was revealed that spamming was the most prevalent (42%) followed by malicious codes (41%). Notably, it was found that 25% of incidents were from internal sources whereas 11% were from external sources, with 49% being unknown sources. Findings on the maturity level showed that 61% of respondents were at level 3, followed by 21% at level 2. At the higher end, only 13% were at level 4 and a minuscule 1% were at level 5. The study did not directly study security awareness, but the finding that the internal related incidents were prevalent suggests that security awareness is a factor when the other studies being discussed are taken into account. While this study was conducted in relation to the Malaysian Public Sector, similar investigation could be adopted to investigate maturity levels of information security within the Australian Public Sector, to which TAFE South Australia belongs.

Samy, Ahmad & Ismail (2010) was another study of information security within a non-educational industry in a non-Australian setting. The study aimed to investigate the various types of threats which exist for Malaysian healthcare information systems. The systems in question all belonged to government funded hospitals and data were collected from these hospitals. The study identified 22 types of threats according to major threat categories based on ISO27002. More importantly, the results showed that the most critical threats for these systems were power failure followed by human error. While power failure may be unavoidable, the human errors are not. Samy, Ahmad & Ismail (2010) stated that the human errors were due to a lack of awareness and good practice among staff.

Similar to Samy, Ahmad & Ismail (2010), Williams (2008) studied the failure of the American health industry in recognising the seriousness of information security threats to patients and practice information.
The study suggested that this failure is attributed to the lack of understanding of security concepts, underestimating potential threats and the difficulty in setting up security measures. In order to appreciate these factors, research into the general practitioner security practice and perceptions of security was undertaken. It was found that poor security measures implementation and a lack of knowledge were key factors. The results also showed that information security was overwhelmingly reliant on trusting staff and the computer systems themselves, rather than implementing an overall security policy, which the study recommended.

While Samy, Ahmad, & Ismail (2010) and Williams (2008) both investigated information security in the context of the health industry from Malaysia and America respectively, it can be posited that Australian based higher education institutions face similar threats due to the large amount of confidential and personal data relating to students which exist in their database, thus warranting further investigations.

2.5 Assessing Information Security Awareness

Since the proposed research is to assess information security awareness of TAFE South Australia employees, this section provides a review of literature which has directly used various methodologies in gauging awareness. This will provide an important basis for the proposed methodology for this research.

Most of the literature reviewed so far has only briefly discussed employee or managerial information security awareness in their studies, or has only implicated, assumed or posited the importance of information security (Siponen & Vance 2010; Spears & Barki 2010; McFadzean, Ezingeard & Birchall 2007; Knapp et al. 2006; Mouratidis, Jahankhani & Nkhoma 2008; Hagen, Albrechtsen & Hovden 2008; Doherty, Anastasakis & Fulford 2009). Few studies have actually directly assessed information security awareness.
In determining a positive relationship between information security awareness, employee rationality based behaviours and policy compliance, Bulgurcu, Cavusoglu & Benbasat (2010) included three simple questions in their questionnaire to gauge security awareness. These questions are:

1. I know the rules and regulations prescribed by the ISP of my organisation.
2. I understand the rules and regulations prescribed by the ISP of my organisation.
3. I know my responsibilities as prescribed in the ISP to enhance the IS security of my organisation.

(Bulgurcu, Cavusoglu & Benbasat 2010)

As can be seen, these questions all relate directly to an organisation’s existing information security policy (ISP as stated in the questions) and do not involve gauging an employee’s awareness of information security concepts such as social engineering (Cervone 2005). While there are clear limitations to the methodology of Bulgurcu, Cavusoglu & Benbasat (2010), the study did provide a partial example of how awareness can be gauged.

Similarly, the study by Namjoo et al. (2008) looked at information security awareness of managers in determining its relationship to managerial action relating to prevention. Like Bulgurcu, Cavusoglu & Benbasat (2010), simple questions were used to gauge awareness. The questions were again limited in that they were only relevant in the context of an existing security policy.

Perhaps the most extensive tool for assessing information security awareness was proposed by Kruger, Drevin & Steyn (2010). Like many studies, Kruger, Drevin & Steyn (2010) acknowledged that an organisation’s survival necessitates a security program. Due to the importance of information security awareness in ensuring a successful plan, the study proposed that the starting point in developing a plan is to assess awareness levels of employees.
The study aimed to examine the feasibility of an information security awareness test for employees, thereby identifying suitable topics to include in an information security awareness training program. It was found that the use of a vocabulary test to assess awareness levels is beneficial in gauging the awareness of employees. It is important to note however, that the test population used by the study were all University students rather than employees from an actual organisation. However, for the purpose of this proposed research, the vocabulary test proposed by Kruger, Drevin & Steyn (2010) will be modified to fit the Australian organisational context and will be used to assess awareness levels of TAFE South Australia employees. This will be further discussed in the methodology section of this proposal.

2.6 Literature Review Summary

All studies reviewed above have identified information security as a key contributor of successful security plans or measures. There is a clear gap in the reviewed literature in that very few studies into information security awareness have been conducted for Australian organisations. As a matter of fact, during the search for literature in relation to this proposal, virtually nothing was found that was in an Australian context. This clearly justifies the importance of the research being proposed, the result of which could provide an insight into the awareness levels, and thus the information security readiness of Australian organisations. Further, it would provide a means to gauge awareness and thus identify any aspects of information awareness requiring improvements to be included in a security training program or security policy.

3 Methodology

This study is an investigative or case study. A questionnaire based on Kruger, Drevin & Steyn (2010) will be developed to assess information security awareness of TAFE South Australia employees.
This questionnaire is to be delivered online (Web based) to ensure a greater reach, thus ensuring enough responses are obtained for a conclusive data analysis.

3.1 Research Design

Based on the definition of information security awareness by Bulgurcu, Cavusoglu & Benbasat (2010), the questionnaire will be based on two sections:

1. Questions relating to general information security concepts
2. Questions relating to the organisation’s security policy, similar to the three questions used by Bulgurcu, Cavusoglu & Benbasat (2010)

It has not been finalised, but it is anticipated that section 1 questions will be based on generally accepted terminology relating to information security in order to gauge an employee’s general knowledge about information security. A tentative sample question is provided as follows:

Sample multiple choice question – Spam is:
(a) Another word for e-mail or electronic messages
(b) A marketing technique
(c) Any unsolicited electronic mail
(d) All of the above
(e) I don’t know
(Kruger, Drevin & Steyn 2010)

Again, the questions for section 2 have not been finalised; they will relate to the organisation’s security strategy or plan in order to gauge the employee’s awareness of any existing strategy or plan. A tentative sample question is provided as follows:

Sample section 2 question – Does your organisation have a security policy?
(a) Yes
(b) No
(c) I don’t know

In addition to the questions, respondents will be requested to provide their level within the organisation such as non-management, management and executive management. This will enable the results to be split into demographic sections in which results could be compared against each demographical group.

3.2 Data Analysis

Each question will be given an arbitrary score (yet to be determined) for the purpose of performing qualitative analysis using descriptive statistics.

3.3 Expected Results

It is anticipated that like Anastasakis & Fulford (2009), an educational institution like TAFE South Australia has a very low level of employee information security awareness. If this is proven to be so, then further studies into how awareness can be improved will be suggested.

4 Ethics and Compliance

The University of South Australia is bound by the Australian Code for Responsible Conduct of Research and the National Statement on Ethical Conduct in Human Research. Due to the human involvement required in this study, an application for approval will be submitted to the University’s Human Research Ethics Committee before any human interactions take place.

In addition, verbal permission has already been obtained from TAFE South Australia to interact with employees and to deliver appropriate questions to the employees, and to obtain relevant data in relation to TAFE South Australia and its employees. However, as required by the University of South Australia, written approval will be requested from the authorising body of TAFE South Australia before any data collection or human interaction takes place.

Finally, the online questionnaire to be delivered as part of this study may involve gathering information relating to psychological condition or collection of personal data and as required by the University, the Insurance for Research Projects and Health Sciences Fieldwork form will be submitted to the Human Research Ethics Committee to ensure that the project is covered by insurance.

Reference

Bulgurcu, B, Cavusoglu, H & Benbasat, I 2010, ‘Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness,’ MIS Quarterly, vol. 34, no. 3, pp. 523-A7.
Cervone, F 2005, ‘Understanding The Big Picture So You Can Plan For Network Security,’ Computers in Libraries, vol. 25, no. 3, pp. 10-15.

Doherty, NF, Anastasakis, L & Fulford, H 2009, ‘The information security policy unpacked: A critical study of the content of university policies,’ International Journal of Information Management, vol. 29, no. 6, pp. 449-457.

Dzazali, S, Sulaiman, A & Zolait, AH 2009, ‘Information security landscape and maturity level: Case study of Malaysian Public Service (MPS) organizations,’ Government Information Quarterly, vol. 24, no. 4, pp. 584-593.

Hagen, JM, Albrechtsen, E & Hovden, J 2008, ‘Implementation and effectiveness of organizational information security measures,’ Information Management & Computer Security, vol. 16, no. 4, pp. 377-397.

Knapp, KJ, Marshall, TE, Rainer, RK & Ford, FN 2006, ‘Information security: management's effect on culture and policy,’ Information Management & Computer Security, vol. 14, no. 1, pp. 24-36.

Kruger, H, Drevin, L & Steyn, T 2010, ‘A vocabulary test to assess information security awareness,’ Information Management & Computer Security, vol. 18, no. 5, pp. 316-327.

McFadzean, E, Ezingeard, J & Birchall, D 2007, ‘Perception of risk and the strategic impact of existing IT on information security strategy at board level,’ Online Information Review, vol. 31, no. 5, pp. 622-660.

Mouratidis, H, Jahankhani, H & Nikhoma, MZ 2008, ‘Management versus security specialists: an empirical study on security related perceptions,’ Information Management & Computer Security, vol. 16, no. 2, pp. 187-205.

Namjoo, C, Kim, D, Goo, J & Whitemore, A 2008, ‘Knowing is doing: An empirical validation of the relationship between managerial information security awareness and action,’ Information Management & Computer Security, vol. 16, no. 5, pp. 484-501.

Samy, NG, Ahmad, R & Ismail, Z 2010, ‘Security threats categories in healthcare information systems,’ Health Informatics Journal, vol. 16, no. 3, pp. 201-209.

Siponen, M & Vance, A 2010, ‘Neutralization: New Insights Into The Problem Of Employee Information Systems Security Policy Violations,’ MIS Quarterly, vol. 34, no. 3, pp. 487-A12.

Spears, JL & Barki, H 2010, ‘User Participation in Information Systems Security Risk Management,’ MIS Quarterly, vol. 34, no. 3, pp. 503-A5.

TAFE South Australia 2011, TAFE South Australia, Adelaide, viewed 12 June 2011, <http://www.tafe.sa.edu.au/about-tafesa.aspx>.

Thompson, STC 2006, ‘Helping the Hacker? Library Information, Security, and Social Engineering,’ Information Technology & Libraries, vol. 25, no. 4, pp. 222-225.

von Solms, R 1998, ‘Information Security Management (1): Why Information Security is so Important,’ Information Management & Computer Security, vol. 6, no. 4, pp. 174-177.

Williams, PAH 2008, ‘When trust defies common security sense,’ Health Informatics Journal, vol. 14, no. 3, pp. 211-221.

Project Schedule

| Task | Deadline | Status |
|---|---|---|
| Supervisor's Acceptance (Dr Sameera Mubarak) | March | Completed |
| Literature Search | April | Completed |
| Annotated Bibliography | April | Completed |
| Extended Abstract | May | Completed |
| Research Proposal | June | Completed |
| Submit Application to Ethics Committee | June | Commenced |
| Obtain Written Authorisation from TAFE SA | June | Commenced |
| Submit Project Insurance Form | June | Commenced |
| Finalise questionnaire | July | Commenced |
| Transfer Questionnaire to Web Platform | July | Waiting |
| Begin Thesis Draft | August | Waiting |
| Begin Data Collection | September | Waiting |
| Further Literature Search | September | Waiting |
| Data Analysis | October | Waiting |
| Summarise Findings | October | Waiting |
| Project Review and Thesis Draft | October | Waiting |
| Complete Thesis | November | Waiting |

Trial Table of Contents

Abstract
1 Introduction
  1.1 Partnership – TAFE South Australia
  1.2 Researcher’s Personal Interest
  1.3 Potential Contributions
  1.4 Limitations
  1.5 Field of Thesis
  1.6 Research Question
2 Literature Review
  2.1 Information Security
  2.2 Employee Information Security Awareness
  2.3 Managerial Information Security Awareness
  2.4 Other Relevant Literature
  2.5 Assessing Information Security Awareness
  2.6 Literature Review Summary
3 Methodology
  3.1 Research Design
  3.2 Data Analysis
4 Results
5 Conclusion
6 Recommendations
Reference