
Five Dimensions of Information Security Awareness

by Mikko T. Siponen
ACM SIGCAS Computers and Society (June 2001)

Abstract

Until the era of the information society, information security was a concern mainly for organizations whose line of business demanded a high degree of security. However, the growing use of information technology is affecting the status of information security so that it is gradually becoming an area that plays an important role in our everyday lives. As a result, information security issues should now be regarded on a par with other security issues. Using this assertion as the point of departure, this paper outlines the dimensions of information security awareness, namely its organizational, general public, socio-political, computer ethical and institutional education dimensions, along with the categories (or target groups) within each dimension.

Mikko T. Siponen, University of Oulu, Department of Information Processing Science, Linnanmaa, 90014 Oulu University, FINLAND. E-mail: Mikko.T.Siponen@oulu.fi, Telephone: +358 8 553 1984

1. INTRODUCTION

The relevance of information security awareness is widely agreed upon among information security researchers (e.g. McLean, 1992; Spurling, 1995; Thompson & von Solms, 1997, 1998; Straub & Welke, 1998). The concept of information security awareness is taken in the literature to mean that users should be made aware of security objectives (and further committed to them). Although information security awareness is commonly recognized, there are only a few scientific studies that consider it in any depth (see Siponen (2000) for more on these). Perhaps this situation can be traced back to the non-technical nature of security awareness and related areas. The concept of awareness may not have been considered in greater depth because it falls outside the scope of the traditional engineering and "hard" computer sciences (cf. Dunlop & Kling, 1993; Ehn, 1989).
Even though researchers interested in information security have recognized the significance of the awareness factor at the organizational level (the organizational dimension in the terminology of this paper), it is curious that they have failed to see its other dimensions. The information society has a powerful need to extend this organizational viewpoint, however. This paper is based on a belief that the concept of information security awareness, in addition to the organizational viewpoint, should also constitute an integral part of the general knowledge of citizens in the information society. In other words, anyone who regards information in any form as an important asset (e.g. starting from information that is regarded as private) should be aware of the possible threats related to it. Particularly due to the Internet, the concern of widening the scope of security awareness is not made up out of whole cloth. The Internet is currently largely a lawless zone, a playground for a wide variety of undesirable activities, a paradise for all sorts of criminals from drug dealers to terrorists and child abusers (Quirchmayr, 1997). Even some terrorist groups finance their activities through extortion and blackmail (Strassman, 1997; Warren, 1998), all these with the help of the Internet. Furthermore, the undesirable activities seem to be on the increase, at least partly because the current technological tendencies favour misusers: costs are at a minimum, the necessary technology is available, the number of potential targets is increasing and the relevant know-how is easily transferable. As the general public commonly browses the Internet for different kinds of services (e.g. shopping), a host of security issues have surfaced along with ethical problems (e.g. the use of cookies has raised informational privacy concerns).

Some companies deem the current situation insecure and refrain from doing business on the Internet (Quirchmayr, 1997), while other organizations follow the trend of electronic commerce with or without knowledge of the possible risks involved. On the other hand, the lack of control and global Internet laws encourages less scrupulous companies and a wide variety of criminals/abusers to practice their business on the net. According to Strassman (1997), we also have to deal with organized governmental penetration (including personal data destruction and gathering). Moreover, information security issues are no less significant in terms of risks than other aspects of normal/physical security, because of the role of information: a loss of information may imply other kinds of losses, from the loss of money and loss of informational privacy even to loss of life (consider, for example, a hospital environment where all patient records are kept in electronic form). As we have seen, the Internet seems to make "the fundamental dilemma of computer security" even more acute. This dilemma arises from the fact that security-unaware users have a need for security but no expertise in such matters (Gollmann, 1999, pp. 9-10). Finally, for different reasons, a lot of people see issues and aspects connected with information technology (IT) through rose-coloured spectacles, often blindly ignoring potential complications. For example, it seems that many companies, individuals and educational institutions think that it is important to increase technical IT skills, to use IT for almost every conceivable purpose and to advance the computerization of society in general. And often the main limits they see for such development are financial restrictions or lack of technical knowledge (which should therefore be increased)!
Moreover, catch phrases such as "information revolution" or the names of particular programs (such as WordPerfect) have strong positive metaphorical associations, redolent of paradise (Dunlop & Kling, 1992). In addition, IT is already embedded in our everyday lives to the extent that we often fail to notice it (let alone realize the encapsulated security flaws). All these factors pave the way for misusers. As a result, even occasional net surfers should be aware of basic security issues. Organizational information security awareness is not sufficient to satisfy the concerns of security; additional dimensions are needed, and a proposal is outlined in this paper.

Computers and Society, June 2001, page 24

The main contribution and objective of this paper is to outline the various dimensions of information security awareness and to explore certain key issues around these dimensions. Additionally, the categories (or target groups) in each dimension are distinguished. In other words, the scope of this paper is limited to setting up information security dimensions in terms of form and target groups by proposing a framework for awareness perspectives, in order to raise certain issues and produce practical examples in the hope of inspiring further research and practical activities around the topic. Conceptual analysis, in the terms of Järvinen (1997), is used as the research approach. In order to justify the dimensions and categories proposed in this paper in the light of this conceptual analysis, a number of practical examples will be provided. The objective of this paper is not to put forward a state of the art collection of security flaws, however, but rather to use the examples to provide a justification for each dimension. Other equally important issues, such as the content of security issues in each dimension (e.g. a list of particular actions that one should take or should not take), fall outside the scope of the present paper. An early version of this paper was presented at the International Conference on Information Security (IFIP/Sec'98).

This paper is divided into four sections as follows. At the beginning of the second section the proposed information security dimensions are outlined and each dimension of information security awareness is considered.
The discussion on the 'organizational dimension' mainly summarises briefly what has been contributed already in the field. In the third section, selected implementation issues are considered. Finally, the summary section highlights the key issues of the paper.

2. DIMENSIONS OF INFORMATION SECURITY AWARENESS

As mentioned earlier, the dimensions of security awareness are based on the belief that awareness is an issue that everyone using any form of IT services, either directly or indirectly, particularly in an Internet environment, should bear in mind. It is possible that a wider knowledge of these awareness dimensions may have negative consequences if it is used to commit abuses (this may be true of all kinds of knowledge, of course), and this may be one reason why information is not shared equally among the parties mentioned below. In an attempt to formalize an essentially informal issue with various aspects into an understandable pattern, the dimensions of awareness may be classified as follows: the organizational, general public, socio-political, computer ethical and institutional education dimensions. Because of the informal nature of information security awareness, there may not be any exact and clear borders between these dimensions. Within the organizational dimension, for instance, we have to take into account issues that belong to the general public dimension.

Two very different characteristics of information security awareness have to be considered. The first relates to the division between descriptive and prescriptive, as modified and simplified from the theory of universal prescriptivism by R.M. Hare (1952). The term prescriptive denotes here (only) intrinsic, action-guiding commitment to the objectives of awareness (e.g. security guidelines), while descriptive, albeit including some level of knowledge of information security, may not include such an action-guiding commitment to objectives. Ideally, the objective of the organizational dimension of information security awareness, at least from the organizational point of view, is to achieve the stage of prescriptiveness, i.e. that users should be intrinsically committed to the security objectives of the organization (Siponen, 2000). Other dimensions of information security awareness are classified as descriptive, as commitment to certain security norms may not be necessary (see the Discussion section).
