Information Security Awareness practices: Omani Government Agencies as a case study

Education and Information Technologies

Abstract

This paper aims at reviewing Information Security Awareness (ISA) practices in general and at Omani Government Agencies (OGA) in particular. It also explores the concerns and challenges that may affect their implementation, and the reasons why ISA practices remained problematic for more than a decade at the OGAs. To inform the aim of this research, the researchers employed a systematic process to review the publications that explored ISA practices in general and at OGAs in particular. As a sampling technique, the researchers created a research strategy to select relevant publications for the study. The grounded theory technique is adopted for data analysis since it provides an inductive and systematic interpretive approach to generate theoretical insights from the data. The review reveals that current ISA practices seem ineffective in meeting the needs of employees. Furthermore, a set of important ISA practices are either missing or undeveloped. The review also revealed the absence of a framework for the ISA process at OGAs. To the best of our knowledge, the present study is one of the first to conduct an in-depth review on ISA practices applied in general and at OGAs in particular. Therefore, this study contributed to the emerging field of information security by reviewing the current state of ISA practices. In addition, this research study contributed a comprehensive picture of sources dealing with vital issues of insider threats and human factors within OGAs that were indeed unclear and surrounded by various ambiguities in the past.

Data availability

The data is available to anyone for review.

Author information

Contributions

All authors contributed to the study conception and design. The tasks of literature search, data analysis and manuscript drafting and revision were split between the authors. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Malik Al-Shamli.

Ethics declarations

Conflict of interest

There are no conflicting or competing interests to publish this research. The researchers give consent to publish.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Al-Shamli, M., Al Hijji, K.Z. & Shaikh, A.K. Information Security Awareness practices: Omani Government Agencies as a case study. Educ Inf Technol 28, 8571–8605 (2023). https://doi.org/10.1007/s10639-022-11513-7

  • DOI: https://doi.org/10.1007/s10639-022-11513-7
