Bridging the knowing-doing gap: the role of attitude in information security awareness

As the convergence between modern computers and workers intensifies, modern information systems can be seen as sociotechnical rather than purely technical. This development has not gone unnoticed by attackers, who have begun to exploit the human aspect of information security,...


Bibliographic Details
Main Author: Vilander, Jaakko
Other Authors: Informaatioteknologian tiedekunta, Faculty of Information Technology, Informaatioteknologia, Information Technology, Jyväskylän yliopisto, University of Jyväskylä
Format: Master's thesis
Language: eng
Published: 2021
Subjects:
Online Access: https://jyx.jyu.fi/handle/123456789/76067
description [fi, translated] As the convergence between modern computers and workers intensifies, modern information systems can be seen as sociotechnical rather than purely technical. This development has not gone unnoticed by attackers, who have begun to exploit the human aspect of information security, its proverbial "weakest link", instead of hardened technical systems, causing considerable damage to organizations despite substantial investments in cyber security. Consequently, many of today's information security incidents are either directly caused or indirectly facilitated by employees who either have insufficient information security awareness or act against their better knowledge. This has given rise to the idea of a gap between knowing and doing (the knowing-doing gap). This study examined that gap between knowledge and behaviour, why employees knowingly fail to follow information security guidelines, and the role of attitude in bridging that gap. The study was carried out as a web-based survey using the Human Aspects of Information Security Questionnaire (HAIS-Q). 287 people responded to the survey. The data was analysed using linear regression, mediation analysis, and analysis of variance. The main results of the study indicated that attitude is a more significant factor for behaviour than knowledge. In the mediation analysis, the results suggested that most of the effect of knowledge on behaviour is mediated through attitude. Although knowledge correlated with behaviour, no gap between knowing and doing was observed. Nevertheless, the results give information security professionals an incentive to focus in training on fostering attitudes rather than on accumulating knowledge. In addition, the research report offers scientifically grounded explanations for why employees deviate from guidelines, as well as recommendations for improving information security awareness, which may likewise benefit information security professionals in their work.

[en] As contemporary workers and computers converge, modern information systems tend to become sociotechnical rather than solely technical. This development has caught the eye of attackers who are now exploiting the human aspect, the proverbial “weakest link”, instead of the hardened technical aspects of information systems, causing organizations substantial loss despite investments in cyber security. Thus, many incidents today are either directly caused or indirectly facilitated by insiders who are either lacking in information security awareness or acting contrary to their knowledge. This has given rise to the term knowing-doing gap. This study examined that gap between knowledge and behaviour, why employees wilfully omit secure behaviour, and the role of attitude in bridging that gap. The study was conducted as a web-administered survey using the Human Aspects of Information Security Questionnaire (HAIS-Q), to which 287 participants responded. The data was analysed using linear regression, Baron-Kenny mediation, and comparison of means. The primary results indicated that attitude is a stronger determinant for behaviour than knowledge. In the mediation analysis, results suggested that most of the influence between knowledge and behaviour is mediated through attitude. However, although knowledge was weakly correlated with behaviour, the gap effect was inverse and thus did not support the existence of a knowing-doing gap. Nevertheless, the results provide an incentive for information security professionals to focus on fostering attitudes rather than only building knowledge. Furthermore, reasons why employees omit secure behaviour and scientifically supported recommendations for improving information security awareness are presented, which may benefit professionals in their work.
first_indexed 2021-05-31T20:00:56Z
format Pro gradu
free_online_boolean 1
fullrecord
dc.contributor.advisor: Woods, Naomi
dc.contributor.author: Vilander, Jaakko
dc.date.accessioned: 2021-05-31T06:38:37Z
dc.date.available: 2021-05-31T06:38:37Z
dc.date.issued: 2021
dc.identifier.uri: https://jyx.jyu.fi/handle/123456789/76067
dc.description.provenance [en]: Submitted by Paivi Vuorio (paelvuor@jyu.fi) on 2021-05-31T06:38:37Z. No. of bitstreams: 0
dc.description.provenance [en]: Made available in DSpace on 2021-05-31T06:38:37Z (GMT). No. of bitstreams: 0. Previous issue date: 2021
dc.format.extent: 111
dc.format.mimetype: application/pdf
dc.language.iso: eng
dc.rights [en]: In Copyright
dc.subject.other: information security
dc.subject.other: awareness
dc.subject.other: knowing-doing gap
dc.title: Bridging the knowing-doing gap: the role of attitude in information security awareness
dc.type: master thesis
dc.identifier.urn: URN:NBN:fi:jyu-202105313312
dc.type.ontasot [fi]: Pro gradu -tutkielma
dc.type.ontasot [en]: Master’s thesis
dc.contributor.faculty [fi]: Informaatioteknologian tiedekunta
dc.contributor.faculty [en]: Faculty of Information Technology
dc.contributor.department [fi]: Informaatioteknologia
dc.contributor.department [en]: Information Technology
dc.contributor.organization [fi]: Jyväskylän yliopisto
dc.contributor.organization [en]: University of Jyväskylä
dc.subject.discipline [fi]: Tietotekniikka
dc.subject.discipline [en]: Mathematical Information Technology
yvv.contractresearch.funding: 0
yvv.contractresearch.initiative: student
dc.type.coar: http://purl.org/coar/resource_type/c_bdcc
dc.rights.accesslevel: openAccess
dc.type.publication: masterThesis
dc.subject.oppiainekoodi: 602
dc.subject.yso: noudattaminen
dc.subject.yso: tietoturva
dc.subject.yso: kyberturvallisuus
dc.subject.yso: compliance
dc.subject.yso: data security
dc.subject.yso: cyber security
dc.format.content: fulltext
dc.rights.url: https://rightsstatements.org/page/InC/1.0/
dc.type.okm: G2
id jyx.123456789_76067
language eng
last_indexed 2025-02-18T10:54:27Z
main_date 2021-01-01T00:00:00Z
main_date_str 2021
online_boolean 1
online_urls_str_mv {"url":"https:\/\/jyx.jyu.fi\/bitstreams\/555c8f8d-435f-4dbf-921d-6593b8240097\/download","text":"URN:NBN:fi:jyu-202105313312.pdf","source":"jyx","mediaType":"application\/pdf"}
publishDate 2021
record_format qdc
source_str_mv jyx
title Bridging the knowing-doing gap: the role of attitude in information security awareness
topic information security awareness knowing-doing gap Tietotekniikka Mathematical Information Technology 602 noudattaminen tietoturva kyberturvallisuus compliance data security cyber security
url https://jyx.jyu.fi/handle/123456789/76067 http://www.urn.fi/URN:NBN:fi:jyu-202105313312