The Information Security Awareness of Bank Employees

This paper presents research that assessed the Information Security Awareness (ISA) of employees of an Australian bank and compared these results with an identical survey of the Australian general workforce. The objective of this study was to establish a form of construct validity, specifically known-groups validity, of the Human Aspects of Information Security Questionnaire (HAIS-Q). For the purposes of this study, ISA is a measure of an employee’s knowledge of, and attitude towards, their organisation’s Information Security (InfoSec) policies and procedures. This study used a web-based survey research method by utilising modules of the HAIS-Q. Individual knowledge and attitude were assessed for 198 bank employees and 500 general workforce participants. Seven InfoSec focus areas were evaluated: password management, email management, internet use, social media use, mobile computing, information handling and incident reporting. It was found that the levels of ISA for bank employees were approximately 20% better than those for the general workforce, in all InfoSec focus areas. Factors that may have contributed to this conclusive result are discussed and include social desirability bias; fear of reprisal; InfoSec education and in-house training.