Information seems to be the most important assets to most organization and people nowadays. Irresponsible people willing to take whatever means they could in order to get the information for their own benefits. Threat to information is become a great concern to many people in this era of information age. Many problems regarding the threat attacked to information were issued day by days. The problems occur because of the lack of awareness in information security. Thus, there is a need to enhance people awareness towards information security. Security awareness should be established from the earlier stage to ensure good awareness to information security in the future. Thus, the best way is to start the awareness from the students' level. This is because they are the generation who will proceeds to the work field and maintain the organization's important information. Thus, students need to be warned in this issue. This study identified three factors that influence the awareness to information security which are (1) knowledge, (2) risk and (3) behavior. This study also suggested recommendations on how to increase awareness to information security.
KEYWORDS: Information; Information security; Information security awareness; Behavior; Knowledge; Risk
INTRODUCTION
Entering to the world of information age, information seems to be the most important asset for an organization and individual. Every business activities nowadays required the used of information. Realizing the importance of information, there is a need to secure the information. It is necessary to aware on information security, thus the knowledge of information security need to be developed since the earlier stage, which is at the student's level. Students, which are basically in the age between 18 and 24 year old, are at a high risk and most common candidates for security attacks. This is because considering the fact that students at this age are basically typically transient and have less experienced than more established adults (Marks, 2007) as cited by (Rezgui & Marks, 2008). Students, especially those who new to information technology will be more addicted to join and used various applications in the internet. This is such as Facebook, Yahoo Messenger, Twitter and etc. such application and technology allow people to communicate with everyone even though we do not know the person we connected with. Students were seen as among the most used of this kind of technology or social network. Through this technology, they communicate with new people and shared their information and activities. The question that arrived is, are the students aware on their information security? Thus this study will investigate the student's awareness on information security.
LITERATURE REVIEW
A threat is an object, person, or other entity that represents a constant danger to an asset (Whitman and Mattord, 2003). Threat may cause a lot of lose to the owner of the information. No matter what the information involves, whether it is customer records or confidential documentation, there are many threats that make information vulnerable (Gordon, 2002). Information security therefore needs to be implemented and managed within the organization to ensure that the information is keep safe and secure. However, implementing security protection alone will not ensure that our information is hundred percent safe. People themselves should aware to the possible threat that may attack their information. Human factor plays important role, especially to avoid human error factor for information security. For this reason, it is a necessary to create user's awareness. This is as supported by (Furnell, 2007) who proposed that one measure that could be considered in information security is to focus on a security-aware culture. Awareness on information security should be stressed since the earlier stages. Thus, the appropriate practice is to stress information security awareness at the student level. Early awareness on information security will help the student to maintain best practice of information security when they go for work in the future.
Awareness to information security was influenced by several factors. Several studies in this area have revealed the factors that influence awareness to information security. Takemura (2010) in his study found that workers will have higher recognition of countermeasures if they received education on information security. Siponen (2001) outlines various dimensions of information security awareness which includes organizational, general public, socio-political, computer ethical and institutional education dimensions. While Niekerk and Solms (2005) found that there are two dimensions to human factor in information security, which is knowledge, and cooperation or behavior. They also indicated that without an adequate level of user cooperation (behavior) and knowledge, many security techniques are liable to be misused or misinterpreted by users. Nurul Hidayah (2010) mentioned that behavior was derived from the fact that our behavior is a feedback mechanism for our attitudes while thoughtful. This is meant that our behavior reacted based on our thinking aspect. Albrechtsen (2006) which indicated that the main problem related to users' role in information security work is they were lack of motivation and knowledge regarding information security. Wang, Nan Xiao and Rao, H. R. (2010) in their study found that people were actively acquiring information security related knowledge when they are experiencing attacks. The finding was supported by the study conducted by Johnston and Warkentin (2010) who found that fear appeals also impact the end user behavioral intentions to comply with recommended individual acts of security. Aytes and Connolly (2003) in their study presented a research framework to investigate human behavior related to computer security. The framework proposed a model of user behavior which identifies factors that indicate user's perception of risk and the choice that affected based on the perception.
Looking at the earlier study, the researcher identified three factors that influence student's information security awareness. The factors were presented in a form of a theoretical framework as shown in figure 1.
Risk of unawareness to information security
Behavior
Information security awareness
Knowledge on information security
Figure 1: Theoretical framework for information security awareness
PROBLEM STATEMENT
Important and personal Information that is available will be better protected, controlled and save through the better practice of information security. Lack of knowledge and awareness of information security will bring negative impact to the owner of the information themselves. Unauthorized person might be able to access our personal or important information if we are less aware on information security. They can manipulate or take advantage of our information. They can use that information for their own benefits or degrading and humiliating others. There are many cases of information invasion being reported nowadays. As for example the case of Malay's popular actress, Ayu Raudah who claimed that her Facebook account had been invasion by unknown people (Utusan Malaysia, 2011). Thus, she now unable to access to her own Facebook account due to the changed password by the hacker and now the hacker used her Facebook account at will. Another cases reported was regarding a group of computer savvy youth who found guilty actively phishing through email and sometimes fake websites to lure the internet users until they provide their personal banking details, which are then manipulated to steal from the victims' accounts. Concerning to this issue, thus, it is important to keep aware on information security. However, not all people nowadays are aware on their information security while the knowledge and awareness of information security should be introduced since the earlier stage such as at the student phases.
Objectives of study
The research attempted to achieve the following goals:
to find out whether knowledge on information security influence student's awareness to information security.
to find out whether risk influence student's awareness to information security.
to find out whether behavior influence student's awareness to information security
Definition of terms
The following definitions are applied in this article:
Information refers to the characteristics of the output from a process and that information is being informative about the process and the input it self (Losee, 1998)
Security is a quality or state of being secure to be free from danger (Whitman and Mattord, 2003)
Information security awareness refers to "the degree of understanding of users about the importance of information security and their responsibilities and acts to exercise sufficient levels of information security control to protect the organization's data and networks" (Shaw et al., 2009)
Threat means an object, person, or other entity that represents a constant danger to an asset (Whitman and Mattord, 2003).
METHOD
Surveys can be divided into two broad categories which is the questionnaire and the interview (William, 2006). As for this research, a questionnaire was used as instrument to gather information from the respondents. The questionnaire was created based on detailed literature review in the area of information security. The questionnaire was distributed to 310 students from the faculty of Information Management, UiTM Shah Alam.
The researcher used simple random sampling as the sampling approach for this study. By using simple random sampling, every element in the population has a known and equal chance of being selected as a subject Sekaran (2006). Besides, Simple random sampling also has a least bias and offers the most generalizability.
The undergraduate students from all four programs which are Library management, Information system management, records management and resource center management of the faculty of Information Management were chosen as respondent for this research. The four programs consist of students from semester 1 until semester 6. The data were collected and analyzed using statistical software SPSS version 14.0 for windows.
FINDINGS OF THE STUDY
Demographic data of students
This section describes the demographic data of the respondents by gender, age, program and semester. Figure 1 shows that from all of the 310 respondents, 236 (76.1%) respondents were female while only 74 (23.9%) respondents were male. Majority of them which are169 respondents (54.5%) were from the age of 22-24. 127 (41.0%) were in the age of 19-21 while 11 (3.5%) were in the age of 25-27. only 3 (1.0%) respondents were greater than 27 years old. As for the respondent's program, majority of the respondent with 106 (34.2%) were from IM 220. 61 (19.7%) of the respondents were from IM221 while 61 (19.7%) were from IM222. The other 82 (26.5%) respondents were from IM223. As for the semester, majority of the respondents 101 (32.6%) were in semester 1. 28 (9.0%) respondents were in semester 2 and 27 (7.4%) respondents were in semester 3. Only 23 respondents were in semester 4 while for semester 5 and 6, consist with 68 (21.9%) and 63 (20.3%) respondents.
Figure 1: Demographic data of students
Factors that influencing information security awareness
Knowledge on information security
To test the student's knowledge in information security, few questions regarding information security were asked to the students. The result of the findings was shown in table 1. According to Sekaran (2006) mean with value 2.38 is considered as low and mean with value 3.12 considered as average while mean with value 3.47 and above is considered as enriched. The table shows that the mean for every element for knowledge on information security were considered as enriched. Thus, it means that most of the students have good knowledge on information security.
Table 1: The elements of knowledge on information security analysis
Element
Mean
Consider combination of number and password when constructing password
3.71
Password is confidential
3.50
Password should be change every 3-6 months
4.25
Email is private
4.32
Installing anti virus can protect laptop from being infected by viruses
4.22
Firewall can block unauthorized person/network from entering the network
4.29
Spyware is an attack to capture information/data in computer
4.39
Information security program can improve information security practice
4.41
Risk of unawareness to information security
To test whether risk influence students awareness to information security, the students were asked few questions which aimed to identify whether risk will influence students' awareness to information security. Table 2 shows the summary of the findings for the elements of risk of unawareness to information security. The mean were calculated for every element. Based on the statistic, all elements except the second element indicated mean value above 3.47 which are considered enriched. Most of the respondents become aware to information security because of the impact of the risk which influenced them to become more careful and aware to information security. However, when asked if the respondents have ever been harassed while online, the resulted mean was only average. It means, even though students have never experienced being harassed or become a victim of a threat, they were still aware to information security because of the effects of the risk that influenced others.
Table 2: The elements of risk of unawareness to information security analysis
Element
Mean
Always heard about problems regarding the risk of unprotected information
3.97
Have been harassed while online
3.11
Aware on information security after heard/ experienced the risk inconsequence of unprotected information
4.22
Will face big problem if someone hacked the account
4.17
People can manipulate information if they know the password
4.34
Take basic precaution to protect information
4.44
Install antivirus to protect information and device from virus attack
4.38
Avoid sharing password to others
4.46
Save copies of information at other location
4.11
Behavior
To test the students' behavior to information security, the students were asked several question which aimed to test students' behavior or act to information security. Table 3 below shows the summary of the findings for the elements of behavior to information security. The mean was calculated for every element. Based on the statistic, all elements indicated mean value above than 3.47 which is considered as enriched. Thus, most of the respondents were considered behave positively to information security.
Table 3: The elements of behavior to information security analysis
Element
Mean
Use the same password for everything that require password
4.17
Did not tell or share with anyone their password
4.28
Set password on mobile device
4.15
usually check for viruses before downloading
4.22
Ignore email from unknown people
4.36
Ensure email does not create a chain email situation
4.10
Installed reliable anti virus to protect laptop and information
4.44
Disconnect from the Internet when not using it
4.44
Overall awareness to information security
The table bellow shows the analysis of the elements for respondent's overall awareness to information security. As shown in the table, all elements for awareness scored high mean which were above 3.47. As for the first element which asked whether respondents aware on information security, the mean score were as high as 4.30 while for the second element, the mean score was 4.44. As for the last element, the mean score was also high with 4.21. Thus, it was considered that students were aware to information security.
Table 4: The elements of awareness to information security analysis
Element
Mean
Aware on their information security
4.30
Concern on the security of information
4.44
Applying security features to protect information
4.21
RECOMMENDATIONS
Based on the analyzed findings, few recommendations on how to improve information security awareness among students were put forward which could be used by any universities as guideline to increase security awareness among students.
Information security education / training
Information security was actually not only concern on the technical aspect of security but also concern on the human factors. Eminagaoglu, Ucar and Eren (2009) mentioned that when talking on the human factor, there are multiple controls which need to be focused on and majority will be related to training and education. The training should not only focus on training for technical security, but should also concern on information security awareness training and other related awareness campaigns become necessary for everyone.
Information security training or education is one of the most common ways in making people become aware to information security. Information security training usually tries to enhance people knowledge regarding information security. This includes the knowledge on threat to information and the best method to avoid the threats. Besides, security training and education also educate people on the good behavior and practice for better information security. As for example knowledge regarding password management, information privacy and confidentiality, physical security, using security features such as anti virus, firewall and etc.
Information security actually is a people issue, rather than a technical one. No matter how advance the security features that we used, the security of the information cannot be ensure hundred percent safe. This is because, the people them self should aware to what threat may attack them and what should they do to avoid the threat. Installing antivirus alone will not hundred percent ensure that we are being protected, the anti virus will not perform well if the software was already out dated. Sometimes people installing anti virus but usually forget to update it within required period which makes the software not able to detect the threat effectively. Thus, people them salve should aware on this issue. This was agreed by Wood (1995) which stated that even the best information security technology solution will fail if the people who involved do not give support to it. Thus, there is a need to conduct a security training to educated and in directly change the students' behavior towards information security.
Aggressive advertisement / approach on information security
Advertisement is one of an appropriate ways to catch people hearts. Advertising is a form of communication which used to persuade the targeted people to take some action to the product, services or ideas. Advertisement which tent to disseminate information or knowledge to people will change the people behavior in response to the information given from the advertisement. Thus, in order to change the student's behavior to information security, there is a need to run an advertisement to make the student aware to information security.
As for this study, it was suggested that an appropriate ways to promote information security awareness is by using media that the students can reach. This is for example, by creating posters and posting them in various areas of the campus. These posters would address issues such as good password management and practices. Other than that, brochures and pamphlets that stress the use of good information security practices also can makes students become aware of safety concerns and tips good practice in information security. Posting informative articles in the University publications about good information security practices can also be considered to promote information security awareness among students.
Other alternatives to promote awareness among students can be done through the internet. The university can consider posting information related to information security in the university's portal. A section related to information security can be added in the portals and the information may introduce the students to the possible threat to information security and how to protect them selves from the threat. Besides, this section may give information on a good practice on information security such as password management, email management and other security features. Advertisement through internet is one of the best ways to attract youth attention. This is because, youth is among of the most frequent user of the internet. Thus, the possibility to catch the youth attention through internet will be higher as compared to posting advertisement through newspaper or journals.
RESEARCH CONTRIBUTION
The student is the persons who will be the next workers in any organization in the future. There are the one who will manage all the business information in an organization. They are the persons who will take the responsibilities to ensure the maintenance of the information. To take these responsibilities, student should be aware to information security awareness. This can be done by enriched them with the knowledge on information security so that the students' behavior to information security can be improved before they move to the work field.
This study has discovered the factors that influence students' awareness to information security which are risk, behavior and knowledge. The framework for this study can be used as references for any program which aimed to enhance student's awareness to information security. As for example, future information security training program can include the factors that have been discovered in this study as guideline for the training. As for example, training can be focused on improving student's knowledge on information security so that the students' awareness to information security can be improved. Besides, the training can stress on the risk that may occur if students not aware to information security.
RESEARCH LIMITATION
Even though this research being able to be completed successfully and have accomplished the research objectives, the study was restricted due to some limitations which are mainly related to the sample of this study. The sample of this study was taken from a single faculty which is the faculty of information management, UiTM. The respondent's views that used for this study was limited because the study only used one faculty as sample. Thus, for future study, it was suggested to take sample from various faculties so that we can see differentiation on student's views regarding information security. Student from different faculty may have different ides or views on information security.
Other than that, the limitation on literature in this study is also a constraint to this study. There are many literatures regarding information security and information security awareness being published until nowadays. However, in term of information security awareness among students, there were only few literatures published. Due to this limitation, it was difficult for the researcher to find literature as references to support the justification for this study. Thus, it was hoped that through the distribution of this study, it will encourage other researchers to conduct a study on this topic.
CONCLUSION
Information security awareness is not a new issue in this era of information age. However, continuous studies need to be done in order to create awareness on the issues of information security and find best solution on how to make people aware to this issue. Considering the differentiation on people group of age, lifestyle, environment and so on, different approach must be undertaken to make people aware to information security. Security is actually in everyone minds but not everyone understands how to apply security in the context of their work. The study has contributed to the identifying of factors that could make people aware to information security especially the students. This finding can be used for future research or instrument to make people aware to information. However, it is not an easy thing to change people habit, thus the people them selves should change from unaware become aware and continuously implement best practice in information security.
