Enhancing employees information security awareness in private and public organisations: A systematic literature review

https://doi.org/10.1016/j.cose.2021.102267
Under a Creative Commons license
open access

Abstract

Preserving the confidentiality, integrity and availability (CIA) of an organisation's sensitive information systems assets against attacks and threats is a challenge in this digital age. Organisations worldwide make huge investments in information security technological countermeasures. Nonetheless, organisations in many cases fail to protect their information assets because they rely mainly on technical solutions that are neither contextually compatible nor sufficient. In fact, a significant number of organisational information security incidents are due to the exploitation of human elements, which directly and/or indirectly cause the majority of security incidents. Therefore, employees’ information security awareness (ISA) becomes one of the critical aspects of protection against undesirable information security behaviours. However, to date, there is limited synthesised knowledge about methods for enhancing ISA and integrated insights on factors affecting employees’ ISA levels. This study, therefore, provides a systematic review of the literature on ISA and puts forward a state-of-the-art collection of ISA methods and factors for enhancing employees’ ISA within both private and public sector organisations. The results indicate that various methods and factors are used to enhance employees’ ISA in organisations. Theoretical models and gamification are the methods widely used in both private and public organisations, whereas the constructivist approach and violation detection are among the methods used only in private organisations. Furthermore, this study offers some insights into the latest trends in ISA content development methods and factors, and fosters good ISA practice by disseminating information and knowledge amongst information security professionals to help them build an overarching ISA development programme in their organisations.

Keywords

Information security awareness
Literature review
Private organisations
Public organisations
Information Security Management
Awareness methods
Awareness factors

Khando Khando obtained his M.Sc. in Information Security Management in 2020 from Örebro University, Sweden. His research interest includes information security awareness.

Shang Gao is an Associate Professor of Informatics at Örebro University, Sweden. He obtained his Ph.D. in Information Systems in 2011 from the Norwegian University of Science and Technology, Norway. His research interests include mobile information systems, technology diffusion, information security management, information systems modelling, and requirements engineering. He has published more than 70 refereed papers in journals, books and archival proceedings since 2006.

M. Sirajul Islam is an Associate Professor in Information Systems at the Informatics unit of Örebro University School of Business, Sweden. Siraj specialises in teaching and research in the areas of e-government, information and communications technology for development (ICT4D), and education, with a special interest in marginalised communities in developing regions. He teaches at both bachelor and master levels. He has also been involved with several journal editorial/review committees and international conferences relevant to ICT4D and e-government.

Ali Salman obtained his M.Sc. in Information Security Management in 2020 from Örebro University, Sweden. His research interest includes information security awareness.