What is your password? : Assessing information security awareness among employees in an organisation

University essay from IHH, Informatik

Abstract: The development of Information and Communication Technologies has opened up a large pool of possibilities for any and every business actor. These possibilities have brought new vulnerabilities as well. Information security has become an inherent part of any organization. Companies and organizations invest significant amounts of resources in IT security solutions, usually omitting the weakest link of the defense: the people. The research intended to study and evaluate the information security awareness level of employees in a public organization which preferred to remain anonymous. This study is based on a mixed-methods approach. A survey was built and carried out, based on the interview of the employees and the IT Security Chief. The interview intended to give a general picture of the attitude, knowledge and behavior of the employees towards information security and its constituent aspects. The results of the survey show that the information security awareness at this particular organization has an average performance based on the grading scale determined by the management of the company. Generally speaking, half of the information security focus areas show an underdeveloped sense of awareness among employees, whereas the other focus areas are close to perfect. In terms of information security, the research indicates that there is a gap between the employees' theoretical condition and their day-to-day behavior. In other words, the theoretical and practical preparation of the employees does not produce appropriate information security awareness behavior. Some of the reasons for insecure behavior were complex and sophisticated security designs, including passwords; another problem was inherent in the work design, which imposed the use of multiple systems and applications in the daily work. In the end, the research suggests some recommendations for improvement, as well as practices to sustain a desirable level of information security awareness.
The overall information security awareness program required immediate improvements in order to boost the positive attitude and behavior of employees towards information security, as well as enrich the knowledge of information security in general.
