Assessing information security attitudes: a comparison of two studies

The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accidental information security behaviours.

In the first study, 23 university students responded to an online survey within a university laboratory setting that captured their attitudes toward behaviours in each of seven focus areas. In the second study, the same students participated in a one-on-one repertory grid technique interview that elicited their attitudes toward the same seven behaviours. Results were analysed using Spearman correlations.

There were significant correlations for three of the seven behaviours, although attitudes relating to password management, use of social networking sites, information handling and reporting of security incidents were not significantly correlated.

The small sample size (n = 23) and the fact that participants were not necessarily representative of typical employees, may have impacted on the results.

This study contributes to the challenge of developing a reliable instrument that will assess individual InfoSec awareness. Senior management will be better placed to design intervention strategies, such as training and education of employees, if individual attitudes are known. This, in turn, will reduce risk-inclined behaviour and a more secure organisation.

The literature review indicates that this study addresses a genuine gap in the research.