Appendix A and B

Uploaded by sherry-holland, posted 15-Apr-2017.

Page 1: Appendix A and B

Appendix B - Consent Form

Project Title: Information Security Education and Awareness Program

Researcher: Sherry Holland

Faculty Sponsor: Dr. Steven Hess

Introduction:

You are being asked to take part in a research study being conducted by Sherry Holland under the supervision of Dr. Steven Hess in the Department of Information Technology at CalUniversity, California.

According to the research, information security has not kept up with the ever-changing growth of the computer world. Some businesses do not partake in any type of education and awareness program until there is some type of breach. It is time for all businesses, regardless of their size or how many employees they have, to do whatever it takes to protect both their own information and the information of their employees and customers. You have been approached for an interview and questionnaire because you are the owner or a higher official, such as a President or CEO, of a business.

Purpose:

The goal of this effort is to determine whether proper education is the key to ensuring that information at smaller businesses is properly secured. Your responses will supplement written records about whether or not the smaller businesses apply the same principles of supporting an information security education and awareness program as the smaller businesses, and whether this keeps these businesses from being victims of a breach.


Procedures:

The interview and questionnaire will take approximately one hour to complete. During the interview, you will be asked questions from the questionnaire about information security at your current place of employment.

Your responses will be transcribed and transformed into data for the research study. The results will be combined with the results from other participants and summarized into different categories describing each item.

Risks and Benefits:

There are no known risks if you decide to participate in this research study, nor are there any costs for participating in the study. The information you provide will help me understand how smaller businesses protect their information and that of their employees, customers and suppliers. The information collected may not benefit you directly, but what I learn from this study should provide general benefits by teaching those who are not aware of these vulnerabilities how to protect against them.

Confidentiality:

All collected data will remain anonymous. No one will be able to identify you, nor will anyone be able to determine information about you.

Voluntary Participation:

Your participation in this interview is voluntary. Even if you decide to participate, you may withdraw without penalty, or request confidentiality, at any point during the interview. You may also choose not to answer specific questions or discuss certain subjects during the interview, or ask that portions of our discussion not be used in the study.


Contacts and Questions:

If you have any questions about this research project or interview, feel free to contact me at 252-230-7281 or the faculty sponsor Dr. Steven Hess at [email protected].

The CalUniversity Institutional Review Board has reviewed my request to conduct this project. If you have any concerns about your rights in this study, please contact __________ of the CalUniversity IRB at __________ or email __________.

Statement of Consent:

I agree to participate in __________, and to the use of this __________ as described above.

[Signature block appears here.]


Appendix A

Security Awareness in Organizations Survey Instrument

Demographic Information

1. Classify the type of organization.

☐ Manufacturing ☐ Consultant
☐ Healthcare ☐ Retail / Merchandising
☐ Financial services ☐ Legal
☐ Educational ☐ Utilities / Energy
☐ Government ☐ Accounting
☐ Information Technology ☐ Other: __________

2. Approximately how many employees are in the organization?

☐ 1-99 ☐ 300-399
☐ 100-199 ☐ 400-500
☐ 200-299 ☐ Other

3. In what county / city are you located? __________

4. In what department do you work? __________

5. Do your job duties or responsibilities involve working with Information Technology / Information Systems security, policies or user training?

☐ Yes ☐ No

6. Is your job a management position within the organization?

☐ Yes ☐ No


Policies

7. Which security policies are in use? (Choose all that apply)

☐ Acceptable Use Policy (Internet, computers, etc.)
☐ Anti-Virus Policy
☐ Email Policy
☐ Dial-In Policy
☐ Email Retention Policy
☐ Ethics Policy
☐ Extranet Policy
☐ Information Sensitivity Classification Policy
☐ Remote Access Policy
☐ Password Protection Policy
☐ Incident Reporting Policy
☐ Risk Assessment Policy
☐ Overall Information Security Program or Plan Policy
☐ Physical Security Policy
☐ Vendor Oversight Policy
☐ Visitor Policy
☐ Handheld, BYOD or IoT Policy
☐ Patch Management Policy
☐ Social Engineering Policy
☐ Software Installation and Licensing Policy
☐ Backup and Recovery Policy
☐ Business Continuity Plan
☐ Disaster Recovery Plan
☐ Do not know
☐ No Policies

8. Who is part of the development team of information security policies?

☐ Top Management ☐ IS/IT Staff
☐ All employees ☐ Department Managers
☐ IS/IT Steering Committee ☐ IS/IT Security Personnel
☐ Do Not Know ☐ Other

9. When did you last review or read any of the security policies of the organization?

☐ Less than 6 months ago ☐ Between 6 months and one year
☐ Between 1 to 2 years ago ☐ Between 2 and 5 years ago
☐ More than 5 years ago ☐ I have never read any security policies
☐ The organization does not have any security policies ☐ Do Not Know

10. Rate how available the security policies from the organization are to you.

☐ Easily available (copies, get emails, have intranet)
☐ Somewhat available (ask HR for the policies)
☐ Not easily available (do not know who to ask or where they are)
☐ My organization does not have policies

11. In your opinion, are the security policies of your organization too restrictive?

☐ Yes, too restrictive ☐ No, not too restrictive
☐ My organization does not have policies

Training

12. Is security awareness training conducted in your organization?

☐ Yes ☐ No ☐ Do not know

13. Who attends the security awareness training? (Choose all that apply)

☐ Administrative support ☐ All personnel
☐ IS/IT staff ☐ Management
☐ Other: __________

14. Is the attendance of information security awareness training tracked or monitored?

☐ Yes ☐ No ☐ Do not know

15. If security awareness training is not conducted in your organization, why not? (Choose all that apply)

☐ Insufficient financial resources
☐ Insufficient skilled staff
☐ Not a high priority for resources
☐ Lack of management support / commitment
☐ Lack of awareness by management
☐ Difficulty in determining the value of information security
☐ Believe end users are skilled and know how to use a computer
☐ New hire initial training is sufficient
☐ Attestation to appropriate IT-related policies is conducted at the point of being hired
☐ Other: __________

16. Is Information Security Awareness training mandatory?

☐ Yes ☐ No ☐ Do not know


17. What methods are utilized to deliver information security awareness training? (Choose all that apply)

☐ Face-to-Face training sessions ☐ CD-ROM or DVD
☐ Newsletters ☐ Posters or Flyers
☐ Videos ☐ Email messages
☐ Presentations or speakers ☐ Mail stuffers
☐ Display of catchy slogans or bulletin boards ☐ Monthly topic spotlight
☐ Online training
☐ Other: __________

18. What are the topics that are covered in the Information Security Awareness training?

☐ Acceptable Use Policy (Internet, computers, etc.)
☐ Anti-Virus Policy
☐ Email Policy
☐ Dial-In Policy
☐ Confidentiality
☐ Email Retention Policy
☐ Ethics Policy
☐ Extranet Policy
☐ Information Sensitivity Classification Policy
☐ Remote Access Policy
☐ Password Protection Policy
☐ Incident Reporting Policy
☐ Risk Assessment Policy
☐ Overall Information Security Program or Plan Policy
☐ Physical Security Policy
☐ Vendor Oversight Policy
☐ Visitor Policy
☐ Handheld, BYOD or IoT Policy
☐ Patch Management Policy
☐ Social Engineering Policy
☐ Spyware
☐ Compliance
☐ Identity Theft
☐ Software Installation and Licensing Policy
☐ Backup and Recovery Policy
☐ Business Continuity Plan
☐ Disaster Recovery Plan
☐ Do not know
☐ No Policies

19. Is the training designed or tailored to different groups or positions within the organization?

☐ Yes ☐ No ☐ Do not know

20. When did you last receive, from your organization, any type of information security awareness training?

☐ Less than 6 months ago ☐ Between 6 months and one year
☐ Between 1 to 2 years ago ☐ Between 2 and 5 years ago
☐ More than 5 years ago ☐ I have never read any security policies
☐ The organization does not have any security policies ☐ Do Not Know

21. How often are training sessions offered each year?

☐ Not at all ☐ Once a year
☐ Twice ☐ Three to Five
☐ Six to ten ☐ Greater than 10

22. Is the training flexible enough to incorporate new issues or needs?

☐ Yes ☐ No ☐ Do not know

23. Is input for topics solicited from management or end users?

☐ Yes ☐ No ☐ Do not know

24. Is input for topics based on incidents or experiences?

☐ Yes ☐ No ☐ Do not know

25. Does management agree on the topics?

☐ Yes ☐ No ☐ Do not know

26. Who makes the final decision on the topics for each training session?

☐ Administrative support ☐ All personnel
☐ IS/IT staff ☐ Management
☐ Other: __________

27. Who provides the training?

☐ Speakers or presenters ☐ Outsourced
☐ IS/IT Security staff ☐ Management
☐ Other: __________


28. Have you received information security awareness training regarding social engineering?

☐ Yes ☐ No ☐ Do not know

Compliance

29. Do you know the consequences for failing to comply with the security policies of the organization?

☐ Yes ☐ No ☐ My organization does not have policies

30. Are the consequences for failing to comply with the security policies of the organization in a separate policy?

☐ Yes, it is a separate policy
☐ No, it is included as a statement within another policy
☐ No, consequences are not stated in any policy
☐ No, there are no consequences
☐ Do not know
☐ Other: __________

31. Are personnel required to sign off or attest to:

Reading Policies ☐ Yes ☐ No
Attending training ☐ Yes ☐ No

32. Are there penalties or consequences (disciplinary, monetary, etc.) for breaches of security including social engineering?

☐ Yes ☐ No ☐ Do not know

33. What methods are used to motivate the end users? (Choose all that apply)

☐ Incentives and rewards for compliance
☐ Creative and diversified delivery methods
☐ Strong security culture (importance placed on security)
☐ Consequences or penalties for non-compliance
☐ Other: __________

34. What motivates you to comply with the security policies? (Choose all that apply)

☐ Continual focus on security
☐ Employee responsibility for information security
☐ Peer pressure from others who follow procedures
☐ Importance placed on information security
☐ Penalties for non-compliance
☐ Frequent communication between management and non-management
☐ Friendly and pleasant work environment
☐ Individual motivation

35. Which of the below are the most effective motivational strategies for compliance? Rate these strategies in order of most effective being a 1 to least effective being a 10.

_____ Continual focus on security
_____ Employee responsibility for information security
_____ Peer pressure from others who follow procedures
_____ Importance placed on information security
_____ Penalties for non-compliance
_____ Frequent communication between management and non-management
_____ Friendly and pleasant work environment
_____ Individual motivation


36. I follow all information security practices.

☐ All the time ☐ Frequently
☐ Sometimes ☐ Rarely

37. If requested, who would you give your network password to? (Choose all that apply)

☐ Direct supervisor ☐ Help desk support
☐ Chief security officer ☐ Co-worker
☐ Internal auditor ☐ External auditor
☐ No One ☐ None of the above
☐ Network or System Administrator

Testing and Auditing

38. Are social engineering tests conducted in your organization?

☐ Yes ☐ No ☐ Do not know

What type? __________

39. If social engineering tests are not conducted, why?

☐ Lack of management support ☐ Not a high priority
☐ Lack of personnel ☐ Lack of financial resources
☐ Does not apply ☐ Do not know
☐ Other: __________

40. Are phishing tests conducted in your organization?

☐ Yes ☐ No ☐ Do not know

What type? __________

41. If phishing tests are not conducted, why?

☐ Lack of management support ☐ Not a high priority
☐ Lack of personnel ☐ Lack of financial resources
☐ Does not apply ☐ Do not know
☐ Other: __________

42. Are audits conducted?

☐ Yes ☐ No ☐ Do not know

Rate your level of agreement with each of the following. For each statement the six boxes are, in order: Strongly Agree / Agree / Do Not Agree or Disagree / Disagree / Strongly Disagree / Not Applicable.

43. Security awareness is an ongoing focus. ☐ ☐ ☐ ☐ ☐ ☐
44. Security awareness goals are clearly identified. ☐ ☐ ☐ ☐ ☐ ☐
45. Security awareness goals are clearly communicated. ☐ ☐ ☐ ☐ ☐ ☐
46. The security awareness message is repeated often. ☐ ☐ ☐ ☐ ☐ ☐
47. I understand the meaning of social engineering. ☐ ☐ ☐ ☐ ☐ ☐
48. I understand the meaning of phishing. ☐ ☐ ☐ ☐ ☐ ☐
49. I am motivated to follow all security guidelines. ☐ ☐ ☐ ☐ ☐ ☐
50. I know who to report a possible security breach to. ☐ ☐ ☐ ☐ ☐ ☐
51. I know how to report a possible security breach. ☐ ☐ ☐ ☐ ☐ ☐
52. There is a security culture, or shared belief and behavior regarding information security, in this organization. ☐ ☐ ☐ ☐ ☐ ☐
53. Computer security is a concern for IT/IS technical staff and not the end users. ☐ ☐ ☐ ☐ ☐ ☐
54. Computer security is a responsibility for IT/IS technical staff and not the end users. ☐ ☐ ☐ ☐ ☐ ☐
55. All staff are required to sign off on reading information security policies. ☐ ☐ ☐ ☐ ☐ ☐
56. I feel empowered to make decisions involving the security of information and technology. ☐ ☐ ☐ ☐ ☐ ☐
57. I would be able to recognize a security policy violation if I saw one. ☐ ☐ ☐ ☐ ☐ ☐
58. I would like for my organization to share more information regarding information security training. ☐ ☐ ☐ ☐ ☐ ☐
59. Rate your level of agreement: Security is primarily a technical issue. ☐ ☐ ☐ ☐ ☐ ☐
60. Rate your level of agreement: People are equally as important to security as technology. ☐ ☐ ☐ ☐ ☐ ☐
61. Computer security is an important concern to me. ☐ ☐ ☐ ☐ ☐ ☐
62. Information security is an important concern to me. ☐ ☐ ☐ ☐ ☐ ☐
63. Goals from achieving security awareness are assessed and measured. ☐ ☐ ☐ ☐ ☐ ☐
64. The security awareness program effectiveness is measured and evaluated. ☐ ☐ ☐ ☐ ☐ ☐
65. There is assessment for continuous improvement of the security awareness or information security program. ☐ ☐ ☐ ☐ ☐ ☐
66. Policies are reviewed and updated regularly. ☐ ☐ ☐ ☐ ☐ ☐