Mitigating Information Security Risks by Increasing User Security Awareness: A Case Study of an Information Security Awareness System

Organizations that lack security awareness can miss detecting many obvious security risks such as Trojans, phishing, viruses, and intellectual property theft in their daily activities. This lack of awareness can render sophisticated Internet security technologies useless and expose the organization to enormous risks. This paper adopts the systems development research methodology to investigate the security awareness needs of an insurance company that has an e-business presence. A pilot of a security awareness system was constructed for this investigative purpose. Various managers in the organization took part in the study. The pilot system was fine-tuned based on the usage experiences and feedback of participants. The findings indicate that the architecture of an information security awareness system needs to provide effective system management components that allow a system manager to customize the system interface in order to meet individual needs. In addition, the system itself needs to provide different functions such as an information portal, newsgroups, discussion forums, histories of security breach events, security awareness activities, and quality articles to facilitate the transmission of awareness concepts. The results of this study provide important lessons for organizations that plan to implement an effective information security awareness system.