Information Security Awareness Programmes
Numerous theoretical instructional models have been proposed in order to understand and deliver information security awareness and education programmes. Kruger & Kearney (2006) created a framework to assess the levels of end user security awareness, measuring knowledge, attitude and behaviour, in order to identify programme content. Shaw, Chen, Harris & Huang (2009) investigated the effects of information richness, the information carrying capacity of media such as text, audio, streaming video, infographics and virtual reality, on security awareness levels, thus guiding the development of programme content. A different approach to material creation was proposed by Taylor (2013), who recommended focusing on a threat and the desired countermeasure, presenting end users with real problems and solutions, though this approach is difficult to keep current in an ever-changing threat landscape.
Information Security Awareness for Home Users
While organisations are investing in technology and training to protect their systems and staff, home users are being left behind, becoming easier targets for criminals to exploit (Talib et al., 2010). Home users are often restricted by their financial resources, their motivation and their understanding of the current threat landscape (Horacio et al., 2010; Rao & Pati, 2012). Governments and other organisations have published advice for home users about staying safe online, but this advice is typically generic and is more about awareness building than knowledge and skill building (Aldawood & Skinner, 2019; Anderson & Agarwal, 2010; Kaspersky & Furnell, 2014). Whilst the literature has shown that both knowledge and skill are required to create the confidence for self-efficacy (Chiu et al., 2006; Hu, 2010), this has been somewhat ignored, despite having been acknowledged as a requirement by the UK Government (Coventry et al., 2014).
Criminals have historically targeted the elderly and, without the security measures found in a work environment, the elderly are particularly vulnerable to cybercrime (E&T editorial staff, 2017). Outside of the workplace and without access to security training programs, most lose touch with current best practice and awareness of the latest threats and scams (Blackwood-Brown et al., 2019). More and more services are available online only, so the elderly are being forced to adopt technology and the Internet in order to participate in today’s world (Britain thinks, 2015; Mouland, 2018).
Figures from The Crime Survey for England and Wales 2017-18, published by the Office for National Statistics in April 2019, showed 1 in 12 respondents aged 65 and older had been a victim of some type of fraud (Office for National Statistics, 2019). That figure, when adjusted to the population of England and Wales, suggests over 800,000 elderly people were victims of fraud during 2017. Action Fraud recorded over 12,000 cases of online fraud which targeted people over 60 between April and September 2019 (Robinson, 2018).
Threat Landscape for Home Users
Home users are exposed to the same risks as businesses and therefore they need to consider numerous attack vectors (Thompson et al., 2017). This level of threat is almost impossible to protect against with limited technical resources, knowledge and skill (Kritzinger & von Solms, 2013; Urbanska et al., 2013).
Protecting the Home User
A review was conducted of information sites giving advice on staying safe online, including government sites (National Cyber Security Centre, 2018), software vendor sites (10 Tips To Stay Safe Online | McAfee Blogs, n.d.; Keep your computer secure at home - Windows Help, n.d.; David Bowen, 2013) and educational sites (Secure Computing | Information Systems & Technology, n.d.; University of California, n.d.; University of Oxford, n.d.). From the review, a list of the most common tasks to help secure home users and their systems was compiled and is shown below. This project will focus on developing educational materials for a number of these secure practices.
- Human Behaviour
- Use anti-virus software
- Install software updates and patches
- Treat emails with caution
- Use strong passwords
- Two Factor Authentication
- Use a VPN
- Do regular backups
- Be cautious when browsing the Internet
- Be suspicious of calls
Current Online Resources
Research suggests that existing Information Security Awareness portals lack efficacy due to poorly written and poorly presented content, often presenting a definition and benefits but failing to include the procedures required to achieve the desired outcome, thereby precluding novice users from learning how to better protect themselves (Cook et al., 2011). This is exacerbated further for elderly novice users, who are often trying to retrofit technology into their lives (Cook et al., 2011). There is also a lack of trust in the information presented, as sites often incorporate advertising and marketing information on the same page, creating a perceived bias in the content (Kritzinger & von Solms, 2013).
A number of studies have analysed Information Security Awareness portals, showing that in order to meet user needs they should be available across all devices and platforms to maximise accessibility (Cook et al., 2011), be written in simple non-technical language, be easy to use and contain step-by-step tutorials (Chang et al., 2019). Furthermore, when considering the elderly, additional accessibility factors related to age and age-related disabilities need to be considered (Baker et al., 2002). Font size, font colour, background colour, contrast, language and context can significantly disadvantage the elderly in relation to accessing site content (Liang & Xue, 2010). Additionally, the educational resources must consciously include users with limited computing experience and be generationally appropriate so the information can be readily contextualised, creating the knowledge necessary for users to better protect themselves (Baker et al., 2002; U.S. Department of Health and Human Services & U.S. General Services Administration, 2006). When publishing the educational resources online, the material should be formatted into a series of pages, creating a logical linear information path through the material (Nielsen, 2015). Where a topic cannot be logically split into smaller pieces, a single page, with scrolling, should be used (Attwell & Hughes, 2010). End user self-efficacy and good security practices will be themes that run throughout all the developed material (Broad, 2013).
The objective of this project is the creation of an online educational resource for the elderly residents of the Isle of Man where they can obtain advice, guidance and training on cybersecurity. Furthermore, the literature has shown that any improvements in the security awareness of the elderly could have a significant impact on reducing their risk from cybercrime.
References
10 Tips To Stay Safe Online | McAfee Blogs. (n.d.). https://www.mcafee.com/blogs/consumer/consumer-threat-notices/10-tips-stay-safe-online/
Aldawood, H., & Skinner, G. (2019). Educating and Raising Awareness on Cyber Security Social Engineering: A Literature Review. Proceedings of 2018 IEEE International Conference on Teaching, Assessment, and Learning for Engineering, TALE 2018, December, 62–68. https://doi.org/10.1109/TALE.2018.8615162
Anderson, C. L., & Agarwal, R. (2010). Practicing safe computing: A multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly: Management Information Systems. https://doi.org/10.2307/25750694
Attwell, G., & Hughes, J. (2010). Pedagogic Approaches to Using Technology for Learning: Literature Review. Skills for Learning Professionals, 1(September), 1–86.
Baker, D. W., Gazmararian, J. A., Sudano, J., Patterson, M., Parker, R. M., & Williams, M. V. (2002). Health literacy and performance on the Mini-Mental State Examination. Aging & Mental Health, 6(1), 22–29. https://doi.org/10.1080/13607860120101121
Blackwood-Brown, C., Levy, Y., & D’Arcy, J. (2019). Cybersecurity Awareness and Skills of Senior Citizens: A Motivation Perspective. Journal of Computer Information Systems, 1–12. https://doi.org/10.1080/08874417.2019.1579076
Britain thinks, A. U. (2015). Life Offline - What life is like for older people who don’t use the internet (Issue May).
Broad, J. (2013). System Development Life Cycle (SDLC). In Risk Management Framework (pp. 39–45). Elsevier. https://doi.org/10.1016/B978-1-59749-995-8.00005-3
Chang, J. J., Hildayah Binti Zahari, N. S., & Chew, Y. H. (2019). The design of social media mobile application interface for the elderly. 2018 IEEE Conference on Open Systems, ICOS 2018, 104–108. https://doi.org/10.1109/ICOS.2018.8632701
Chiu, C. M., Hsu, M. H., & Wang, E. T. G. (2006). Understanding knowledge sharing in virtual communities: An integration of social capital and social cognitive theories. Decision Support Systems. https://doi.org/10.1016/j.dss.2006.04.001
Cook, D., Szewczyk, P., & Sansurooah, K. (2011). Securing the Elderly: A Developmental Approach to Hypermedia Based Online Information Security for Senior Novice Computer Users. Proceedings of the 2nd International Cyber Resilience Conference. http://ro.ecu.edu.au/icr/19
Coventry, L., Briggs, P., Blythe, J., & Tran, M. (2014). Using behavioural insights to improve the public’s use of cyber security best practices. In Project Report.
David Bowen. (2013). 6 Tips to Keep Your Home Computer Safe and Secure – Kaspersky Lab official blog. https://www.kaspersky.com/blog/6-tips-to-keep-your-home-computer-safe-and-secure/3071/
E&T editorial staff. (2017). The elderly most at risk from cyber-crime, report warns | E&T Magazine. E&T. https://eandt.theiet.org/content/articles/2017/01/the-elderly-most-at-risk-from-cyber-crime-report-warns/
Horacio, G., Caceres, R., & Teshigawara, Y. (2010). Security guideline tool for home users based on international standards. Information Management and Computer Security, 18(2), 101–123. https://doi.org/10.1108/09685221011048346
Hu, W. W. (2010). Self-efficacy and individual knowledge sharing. Proceedings - 3rd International Conference on Information Management, Innovation Management and Industrial Engineering, ICIII 2010. https://doi.org/10.1109/ICIII.2010.261
Kaspersky, E., & Furnell, S. (2014). A security education Q&A. Information Management & Computer Security, 22(2), 130–133. https://doi.org/10.1108/imcs-01-2014-0006
Keep your computer secure at home - Windows Help. (n.d.). https://support.microsoft.com/en-au/help/4092060/windows-keep-your-computer-secure-at-home
Khan, B. (2011). Effectiveness of information security awareness methods based on psychological theories. AFRICAN JOURNAL OF BUSINESS MANAGEMENT. https://doi.org/10.5897/ajbm11.067
Kritzinger, E., & von Solms, S. H. (2013). Home user security - from thick security-oriented home users to thin security-oriented home users. Proceedings of 2013 Science and Information Conference, SAI 2013.
Kruger, H. A., & Kearney, W. D. (2006). A prototype for assessing information security awareness. Computers and Security. https://doi.org/10.1016/j.cose.2006.02.008
Liang, H., & Xue, Y. (2010). Understanding security behaviors in personal computer usage: A threat avoidance perspective. Journal of the Association for Information Systems. https://doi.org/10.17705/1jais.00232
Mouland, J. (2018). The digital age: new approaches to supporting people in later life get online. In Centre for Ageing Better (Issue May). https://doi.org/10.31077/ageing.better.2018.05a
National Cyber Security Centre. (2018). Top tips for staying secure online. NCSC. https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online
Nielsen, J. (2015). Banish the Hamburger Menu, Adopt Pizza Menus. http://www.nngroup.com/articles/hamburger-menu-vs-pizza/
Office for National Statistics. (2019). The Crime Survey for England and Wales 2017-18. Office for National Statistics. https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingdecember2018
Rao, U. H., & Pati, B. P. (2012). Study of internet security threats among home users. Proceedings of the 2012 4th International Conference on Computational Aspects of Social Networks, CASoN 2012, 217–221. https://doi.org/10.1109/CASoN.2012.6412405
Robinson, B. (2018). Reports of frauds on the elderly are “tip of iceberg.” https://www.bbc.co.uk/news/uk-45590333
Secure Computing | Information Systems & Technology. (n.d.). Retrieved January 3, 2020, from https://ist.mit.edu/secure
Shaw, R. S., Chen, C. C., Harris, A. L., & Huang, H. J. (2009). The impact of information richness on information security awareness training effectiveness. Computers and Education, 52(1), 92–100. https://doi.org/10.1016/j.compedu.2008.06.011
Talib, S., Clarke, N. L., & Furnell, S. M. (2010). An analysis of information security awareness within home and work environments. ARES 2010 - 5th International Conference on Availability, Reliability, and Security, 196–203. https://doi.org/10.1109/ARES.2010.27
Taylor, L. P. (2013). Addressing Security Awareness and Training. In FISMA Compliance Handbook. https://doi.org/10.1016/b978-0-12-405871-2.00009-9
Thompson, N., McGill, T. J., & Wang, X. (2017). “Security begins at home”: Determinants of home computer and mobile device security behavior. Computers and Security. https://doi.org/10.1016/j.cose.2017.07.003
University of California. (n.d.). Top 10 Secure Computing Tips | Information Security Office. Retrieved January 3, 2020, from https://security.berkeley.edu/resources/best-practices-how-to-articles/top-10-secure-computing-tips
University of Oxford. (n.d.). Staying secure. Retrieved January 3, 2020, from https://www.ox.ac.uk/students/life/it/secure?wssl=1
Urbanska, M., Roberts, M., Ray, I., Howe, A., & Byrne, Z. (2013). Accepting the inevitable: Factoring the user into home computer security. CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. https://doi.org/10.1145/2435349.2435396
U.S. Department of Health and Human Services, & U.S. General Services Administration. (2006). Research-based Web design and usability guidelines.
Wilson, M., & Hash, J. (2003). Building an Information Technology Security Awareness and Training Program. In NIST Special Publication 800-50. http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Wolf, M., Haworth, D., & Pietron, L. (2011). Measuring An Information Security Awareness Program. Review of Business Information Systems (RBIS). https://doi.org/10.19030/rbis.v15i3.5398