Appendix A and B
Appendix B - Consent Form
Project Title: Information Security Education and Awareness Program
Researcher: Sherry Holland
Faculty Sponsor: Dr. Steven Hess
Introduction:
You are being asked to take part in a research study being conducted by Sherry Holland
under the supervision of Dr. Steven Hess in the Department of Information Technology at
CalUniversity, California.
According to the research, information security has not kept up with the ever-changing
growth of the computer world. Some businesses do not take part in any type of education and
awareness program until there is some type of breach. It is time for all businesses, regardless of
the size of their business or how many employees they have, to do whatever it takes to protect
both their information and the information of their employees and customers. You have been
approached for an interview and questionnaire because you are the owner or a higher official, such
as a President or CEO, of a business.
Purpose:
The goal of this effort is to determine whether proper education is the key to ensuring that information
at smaller businesses is properly secured. Your responses will supplement written records
about whether or not the smaller businesses apply the same principles of supporting an
information security education and awareness program as the smaller businesses, and whether this
keeps these businesses from being victims of a breach.
Procedures:
The interview and questionnaire will take approximately one hour to complete. During the
interview, you will be asked questions from the questionnaire about information security at your
current place of employment.
Your responses will be transcribed and transformed into data for the research study. The results
will be combined with the results from other participants and will all be summarized into
different categories describing that item.
Risks and Benefits:
There are no known risks if you decide to participate in this research study, nor are there any costs
for participating in the study. The information you provide will help me understand how smaller
businesses protect their information and that of their employees, customers and suppliers. The
information collected may not benefit you directly, but what I learn from this study should
provide general benefits by teaching those who are not aware of these vulnerabilities how to
protect against them.
Confidentiality:
All collected data will remain anonymous. No one will be able to identify you; nor will anyone
be able to determine information about you.
Voluntary Participation:
Your participation in this interview is voluntary. Even if you decide to participate, you may
withdraw without penalty, or request confidentiality, at any point during the interview. You may
also choose not to answer specific questions or discuss certain subjects during the interview, or
ask that portions of our discussion not be used in the study.
Contacts and Questions:
If you have any questions about this research project or interview, feel free to contact me at
252-230-7281 or the faculty sponsor Dr. Steven Hess at [email protected].
The CalUniversity Institutional Review Board has reviewed my request to conduct this project.
If you have any concerns about your rights in this study, please contact __________ of the
CalUniversity IRB at __________ or email __________.
Statement of Consent:
I agree to participate in __________, and to the use of this __________ as described above.
[Signature block appears here.]
Appendix A
Security Awareness in Organizations Survey Instrument
Demographic Information
1. Classify the type of organization.
☐Manufacturing ☐Consultant
☐Healthcare ☐Retail / Merchandising
☐Financial services ☐Legal
☐Educational ☐Utilities / Energy
☐Government ☐Accounting
☐Information Technology ☐Other Click or tap here to enter text.
2. Approximately how many employees are in the organization?
☐1-99 ☐300-399
☐100-199 ☐400-500
☐200-299 ☐Other
3. In what county / city are you located?
Click or tap here to enter text.
4. In what department do you work?
Click or tap here to enter text.
5. Do your job duties or responsibilities involve working with Information
Technology / Information Systems security, policies or user training?
☐Yes ☐No
6. Is your job a management position within the organization?
☐Yes ☐No
Policies
7. Which security policies are in use? (Choose all that apply)
☐Acceptable Use Policy (Internet, computers, etc.)
☐Anti-Virus Policy
☐Email Policy
☐Dial-In Policy
☐Email Retention Policy
☐Ethics Policy
☐Extranet Policy
☐Information Sensitivity Classification Policy
☐Remote Access Policy
☐Password Protection Policy
☐Incidence Reporting Policy
☐Risk Assessment Policy
☐Overall Information Security Program or Plan Policy
☐Physical Security Policy
☐Vendor Oversight Policy
☐Visitor Policy
☐Handheld, BYOD or IoT Policy
☐Patch Management Policy
☐Social Engineering Policy
☐Software Installation and Licensing Policy
☐Backup and Recovery Policy
☐Business Continuity Plan
☐Disaster Recovery Plan
☐Do not know
☐No Policies
8. Who is part of the development team of information security policies?
☐Top Management ☐IS/IT Staff
☐All employees ☐Department Managers
☐IS/IT Steering Committee ☐IS/IT Security Personnel
☐Do Not Know ☐Other
9. When did you last review or read any of the security policies of the organization?
☐Less than 6 months ago ☐Between 6 months and one year
☐Between 1 to 2 years ago ☐Between 2 and 5 years ago
☐More than 5 years ago ☐I have never read any security policies
☐The organization does not have any security policies ☐Do Not Know
10. Rate how available the security policies from the organization are to you.
☐Easily available (copies, get emails, have intranet)
☐Somewhat available (ask HR for the policies)
☐Not easily available (do not know who to ask or where they are)
☐My organization does not have policies
11. In your opinion, are the security policies of your organization too restrictive?
☐Yes, too restrictive ☐No, not too restrictive
☐My organization does not have policies
Training
12. Is security awareness training conducted in your organization?
☐Yes ☐No ☐Do not know
13. Who attends the security awareness training? (Choose all that apply).
☐Administrative support ☐All personnel
☐IS/IT staff ☐Management
☐Other Click or tap here to enter text.
14. Is the attendance of information security awareness training tracked or monitored?
☐Yes ☐No ☐Do not know
15. If security awareness training is not conducted in your organization, why not?
(Choose all that apply)
☐Insufficient financial resources
☐Insufficient skilled staff
☐Not a high priority for resources
☐Lack of management support / commitment
☐Lack of awareness by management
☐Difficulty in determining the value of information security
☐Believe end users are skilled and know how to use a computer
☐New hire initial training is sufficient
☐Attestation to appropriate IT-related policies is conducted at the point of being
hired
☐Other Click or tap here to enter text.
16. Is Information Security Awareness training mandatory?
☐Yes ☐No ☐Do not know
17. What methods are utilized to deliver information security awareness training?
(Choose all that apply)
☐Face-to-Face training sessions ☐CD-ROM or DVD
☐Newsletters ☐Posters or Flyers
☐Videos ☐Email messages
☐Presentations or speakers ☐Mail stuffers
☐Display of catch slogans or bulletin boards ☐Monthly topic spotlight
☐Online training
☐Other Click or tap here to enter text.
18. What are the topics that are covered in the Information Security Awareness training?
☐Acceptable Use Policy (Internet, computers, etc.)
☐Anti-Virus Policy
☐Email Policy
☐Dial-In Policy
☐Confidentiality
☐Email Retention Policy
☐Ethics Policy
☐Extranet Policy
☐Information Sensitivity Classification Policy
☐Remote Access Policy
☐Password Protection Policy
☐Incidence Reporting Policy
☐Risk Assessment Policy
☐Overall Information Security Program or Plan Policy
☐Physical Security Policy
☐Vendor Oversight Policy
☐Visitor Policy
☐Handheld, BYOD or IoT Policy
☐Patch Management Policy
☐Social Engineering Policy
☐Spyware
☐Compliance
☐Identity Theft
☐Software Installation and Licensing Policy
☐Backup and Recovery Policy
☐Business Continuity Plan
☐Disaster Recovery Plan
☐Do not know
☐No Policies
19. Is the training designed or tailored to different groups or positions within the
organization?
☐Yes ☐No ☐Do not know
20. When did you last receive from your organization, any type of information security
awareness training?
☐Less than 6 months ago ☐Between 6 months and one year
☐Between 1 to 2 years ago ☐Between 2 and 5 years ago
☐More than 5 years ago ☐I have never read any security policies
☐The organization does not have any security policies ☐Do Not Know
21. How often are training sessions offered each year?
☐Not at all ☐Once a year
☐Twice ☐Three to Five
☐Six to ten ☐Greater than 10
22. Is the training flexible enough to incorporate new issues or needs?
☐Yes ☐No ☐Do not know
23. Is input for topics solicited from management or end users?
☐Yes ☐No ☐Do not know
24. Is input for topics based on incidents or experiences?
☐Yes ☐No ☐Do not know
25. Does management agree on the topics?
☐Yes ☐No ☐Do not know
26. Who makes the final decision on the topics for each training session?
☐Administrative support ☐All personnel
☐IS/IT staff ☐Management
☐Other Click or tap here to enter text.
27. Who provides the training?
☐Speakers or presenters ☐Outsourced
☐IS/IT Security staff ☐Management
☐Other Click or tap here to enter text.
28. Have you received information security awareness training regarding social
engineering?
☐Yes ☐No ☐Do not know
Compliance
29. Do you know the consequences for failing to comply with the security policies of the
organization?
☐Yes ☐No ☐My organization does not have policies
30. Are the consequences for failing to comply with the security policies of the
organization in a separate policy?
☐Yes, it is a separate policy
☐No, it is included as a statement within another policy
☐No, consequences are not stated in any policy
☐No, there are no consequences
☐Do not know
☐Other Click or tap here to enter text.
31. Are personnel required to sign off or attest to:
Reading Policies ☐Yes ☐No
Attending training ☐Yes ☐No
32. Are there penalties or consequences (disciplinary, monetary, etc.) for breaches of
security including social engineering?
☐Yes ☐No ☐Do not know
33. What methods are used to motivate the end users? (Choose all that apply)
☐Incentives and rewards for compliance
☐Creative and diversified delivery methods
☐Strong security culture (importance placed on security)
☐Consequences or penalties for non-compliance
☐Other Click or tap here to enter text.
34. What motivates you to comply with the security policies? (Choose all that apply)
☐Continual focus on security
☐Employee responsibility for information security
☐Peer pressure from others who follow procedures
☐Importance placed on information security
☐Penalties for non-compliance
☐Frequent communication between management and non-management
☐Friendly and pleasant work environment
☐Individual motivation
35. Which of the below are the most effective motivational strategies for compliance?
Rate these strategies in order of most effective being a 1 to least effective being a 10.
_____ Continual focus on security
_____ Employee responsibility for information security
_____ Peer pressure from others who follow procedures
_____ Importance placed on information security
_____ Penalties for non-compliance
_____ Frequent communication between management and non-management
_____ Friendly and pleasant work environment
_____ Individual motivation
36. I follow all information security practices.
☐All the time ☐Frequently
☐Sometimes ☐Rarely
37. If requested, who would you give your network password to? (Choose all that apply)
☐Direct supervisor ☐Help desk support
☐Chief security officer ☐Co-worker
☐Internal auditor ☐External auditor
☐No One ☐None of the above
☐Network or System Administrator
Testing and Auditing
38. Are social engineering tests conducted in your organization?
☐Yes ☐No ☐Do not know
What type? Click or tap here to enter text.
39. If social engineering tests are not conducted, why not?
☐Lack of management support ☐Not a high priority
☐Lack of personnel ☐Lack of financial resources
☐Does not apply ☐Do not know
☐Other Click or tap here to enter text.
40. Are phishing tests conducted in your organization?
☐Yes ☐No ☐Do not know
What type? Click or tap here to enter text.
41. If phishing tests are not conducted, why not?
☐Lack of management support ☐Not a high priority
☐Lack of personnel ☐Lack of financial resources
☐Does not apply ☐Do not know
☐Other Click or tap here to enter text.
42. Are audits conducted?
☐Yes ☐No ☐Do not know
Rate your level of agreement with each of the following (Strongly Agree / Agree / Do Not Agree or Disagree / Disagree / Strongly Disagree / Not Applicable):
43. Security awareness is an ongoing focus.
☐ ☐ ☐ ☐ ☐ ☐
44. Security awareness goals are clearly identified.
☐ ☐ ☐ ☐ ☐ ☐
45. Security awareness goals are clearly communicated.
☐ ☐ ☐ ☐ ☐ ☐
46. The security awareness message is repeated often.
☐ ☐ ☐ ☐ ☐ ☐
47. I understand the meaning of social engineering.
☐ ☐ ☐ ☐ ☐ ☐
48. I understand the meaning of phishing.
☐ ☐ ☐ ☐ ☐ ☐
49. I am motivated to follow all security guidelines.
☐ ☐ ☐ ☐ ☐ ☐
50. I know who to report a possible security breach to.
☐ ☐ ☐ ☐ ☐ ☐
51. I know how to report a possible security breach.
☐ ☐ ☐ ☐ ☐ ☐
52. There is a security culture, or shared belief and behavior regarding information security, in this organization.
☐ ☐ ☐ ☐ ☐ ☐
53. Computer security is a concern for IT/IS technical staff and not the end users.
☐ ☐ ☐ ☐ ☐ ☐
54. Computer security is a responsibility for IT/IS technical staff and not the end users.
☐ ☐ ☐ ☐ ☐ ☐
55. All staff are required to sign off on reading information security policies.
☐ ☐ ☐ ☐ ☐ ☐
56. I feel empowered to make decisions involving the security of information and technology.
☐ ☐ ☐ ☐ ☐ ☐
57. I would be able to recognize a security policy violation if I saw one.
☐ ☐ ☐ ☐ ☐ ☐
58. I would like for my organization to share more information regarding information security training.
☐ ☐ ☐ ☐ ☐ ☐
59. Rate your level of agreement: Security is primarily a technical issue.
☐ ☐ ☐ ☐ ☐ ☐
60. Rate your level of agreement: People are equally as important to security as technology.
☐ ☐ ☐ ☐ ☐ ☐
61. Computer security is an important concern to me.
☐ ☐ ☐ ☐ ☐ ☐
62. Information security is an important concern to me.
☐ ☐ ☐ ☐ ☐ ☐
63. Goals from achieving security awareness are assessed and measured.
☐ ☐ ☐ ☐ ☐ ☐
64. The security awareness program effectiveness is measured and evaluated.
☐ ☐ ☐ ☐ ☐ ☐
65. There is assessment for continuous improvement of the security awareness or information security program.
☐ ☐ ☐ ☐ ☐ ☐
66. Policies are reviewed and updated regularly.
☐ ☐ ☐ ☐ ☐ ☐