Strategy to Improve Employee Security Awareness at Information Technology Directorate Bank XYZ

Banks handle private information such as customer financial transactions and personal data. Bank XYZ recorded a 63% increase in attempted cyberattacks in 2021, including 1,323 attempted attacks on its corporate email. Implementing security awareness training for all employees is therefore crucial for Bank XYZ. The information security awareness program must be assessed to determine its effectiveness and the level of information security awareness among employees. This study therefore assesses information security awareness at Bank XYZ, specifically in the Information Technology (IT) Directorate, using the Human Aspects of Information Security Questionnaire (HAIS-Q) method. The findings show that employees in Bank XYZ's information security work unit have a "Good" level of awareness, whereas the results for the other IT work units were "Medium". Based on the assessment results, the recommended security awareness strategy for Bank XYZ is to align awareness content with information security policies and procedures, use a variety of awareness media, and focus on the "Internet Use" and "Information Handling" awareness areas. Security awareness measurement must be done regularly, for example once a year, as a way of determining the achievement of information security Key Performance Indicators (KPI).


Introduction
The Covid-19 pandemic has accelerated digital transformation and changed people's habits. People now use digital banking for financial transactions, e-commerce for shopping, work remotely from anywhere, and study using online resources. This has encouraged the expansion of digitization in the financial sector, particularly banking. The increasing digitization trend has in turn increased cyberattacks, particularly against financial institutions, and these attacks can result in losses for both the bank and its customers. According to the Banking Sector Risk Profile Report 2020 published by the National Cyber and Crypto Agency (BSSN), social engineering, processing failure, hardware failure, internal fraud, and cyberattacks are all high-risk areas in banking [1]. Indonesia's banking regulator is the Financial Services Authority (OJK). Under OJK Regulation No. 38 of 2016, banks are obligated to ensure that information security is adequately implemented in terms of technology, people, and processes in their use of information technology [2].
Information security is concerned with ensuring the confidentiality, integrity, and availability of data. Information security risks are intrinsically tied to the people involved in the business process: people are the weakest link in the information security chain [3]. Employees are the most dangerous threat to information security in a company because their actions can significantly affect an organization's information system [4]. As a result, it is critical to conduct an information security awareness program on a regular basis to raise employees' awareness of information security. Such a program is expected to increase employees' knowledge of information security policies and procedures and improve their attitude toward following them, resulting in better information security behaviour [5].
The main objective of security awareness is to ensure that computer users are aware of the risks associated with using technology and understand and abide by security policies and procedures [5]. An information security awareness program in a bank is a complex preventive control, which needs to be
Bank XYZ is a state-owned company with a large asset base and many customers across Indonesia [7]. The digital transformation that Bank XYZ is undergoing increases the risk of cyberattacks on its information assets and sensitive company data. In response, Bank XYZ established a dedicated work unit under the Directorate of Digital and Information Technology that is responsible for managing information security. The primary responsibility of this information security work unit is to ensure that the company implements information security, including by conducting an information security awareness program. According to Bank XYZ's annual security monitoring report, in 2021 the number of cyberattack attempts increased by 63% from the previous year, and 1,323 attempted attacks on corporate email were detected [8]. It is therefore necessary to verify that Bank XYZ employees are aware of information security.
Bank XYZ has implemented an information security awareness program for all employees that is updated regularly and uses various media and topics depending on the bank's risk profile. Posters, e-learning, email, webinars, and podcasts are all used as awareness media. Bank XYZ also runs a phishing campaign on a regular basis to evaluate employees' awareness of the phishing threat. The program that has been implemented needs to be measured to assess the effectiveness of information security awareness and to ensure that employees are aware of information security. One applicable method is to measure employees' knowledge, attitude, and behaviour in the context of information security implementation. The Human Aspects of Information Security Questionnaire (HAIS-Q) is a tool that uses the Knowledge Attitude Behaviour (KAB) model to measure information security awareness [5]. The questionnaire results are combined with the Analytical Hierarchy Process (AHP) approach to determine the priority of the seven focus areas of security awareness. AHP helps decision makers find the most appropriate solution by structuring the problem and ensuring that all criteria and alternatives have been identified [9]. The result is then compared with the results of the phishing campaign to verify the level of awareness.
Previous studies have measured security awareness using HAIS-Q, such as a case study of digital wallet users, which showed average-level scores and therefore that there are still many leaks among digital wallet users [10]. Other research measuring awareness with HAIS-Q includes a case study in government institutions [11] and a case study at the Judicial Commission of the Republic of Indonesia [12]. Research on measuring awareness in the foreign affairs ministry was conducted using the AHP method, which differs from the other research [13]. The banking sector is currently vulnerable to cyberattacks. This research develops security awareness strategies at Bank XYZ because no prior research has developed security awareness strategies and measurements in Indonesian banking institutions. Bank XYZ was selected as the case study because it is one of the biggest banks in Indonesia, has a large customer base, and has a digital banking application, making it vulnerable to cyberattacks.
This study provides insight into how Bank XYZ has implemented information security awareness, particularly among employees in the Digital and Information Technology (IT) Directorate. It differs from prior research in that it validates the awareness value against a phishing campaign. The assessment determines the level of understanding of employees directly involved with IT, and more particularly of employees in the information security work unit who are responsible for managing information security. The study compares awareness levels between employees in the information security work unit and employees in other work units of the IT Directorate; employees in the information security organization are required to have a higher level of awareness than other IT employees. A security awareness strategy is developed based on the assessment results, with the goal of improving employees' awareness of information security implementation.

Research Methods
This research consists of eight steps, as illustrated in Figure 1: problem identification, literature study, determining the research method, creating research instruments, collecting data, processing and analyzing data, creating recommendations, and drawing conclusions.

Research Instruments
This research uses HAIS-Q as the information security awareness measurement tool for employees at the IT Directorate of Bank XYZ. HAIS-Q has seven focus areas [5]. The information security awareness level is calculated using distinct priorities and weights for each focus area. The weight of each focus area is determined using the AHP method together
This research uses a questionnaire based on the Human Aspects of Information Security Questionnaire (HAIS-Q) [5]. The questionnaire has 63 questions in English, organized into seven focus areas, each divided into sub-areas. Each sub-area has three questions, one for each of the knowledge (K), attitude (A), and behaviour (B) dimensions. For example, the sub-area "using the same password" in the focus area "password management" consists of three consecutive questions, as shown in Table 1. Respondents answered on a five-point Likert scale (1 to 5), as shown in Table 2. In addition to the questionnaire, this research uses interviews with a group of specialists from Bank XYZ. Senior managers from the information security work unit (ISC) of Bank XYZ's IT Directorate, who are responsible for information security governance, were interviewed. The purpose of the interviews was to learn the importance and weight of each focus area in the information security awareness measurement. The AHP method determines the weights by comparing each focus area with the others; Table 3 displays the outcome of this comparison.
Interviews with security specialists were also conducted to determine the risks and challenges that Bank XYZ encountered when implementing information security awareness. The implementation of information security, particularly the information security awareness program at Bank XYZ, was also assessed through observation.

Data Collection
Data were collected using a questionnaire distributed through an online form. The questionnaire was open from November 1 to November 20, 2021, and targeted employees in the IT Directorate of Bank XYZ. The target number of respondents was determined using the Slovin formula [14] (formula 1). There are 230 permanent employees with job positions ranging from supervisor to senior manager in the IT Directorate of Bank XYZ. According to the formula, the minimum target sample, representing six IT work units, is 146 employees. Simple random sampling was used to choose the respondents, since it is the least biased and provides the highest generalizability [15].
In addition, an interview with a team of experts from the information security work unit was conducted on November 22, 2021, to determine the priorities of the seven focus areas of awareness. A phishing simulation was conducted from October 13 to October 30, 2021, also targeting employees in the IT Directorate of Bank XYZ. The simulated phishing emails were sent to employees using an open-source phishing simulation tool, which records every employee who clicks the phishing link, submits data to the fake system, or reports the suspicious email to the information security work unit.

Methods / Techniques for Analyzing Data
Based on the results of interviews with the team of experts from the information security work unit, the focus areas were compared pairwise to determine which had the higher priority, on a priority scale from 1 to 9. The priority scale was determined as described in Table 4.
Table 4. Priority scale
3 Moderate importance: Experience and judgment slightly favour one element over another.
5 Strong importance: Experience and judgment strongly favour one element over another.
7 Very strong importance: One element is favoured very strongly over another; its dominance is demonstrated in practice.
9 Extreme importance: The evidence favouring one element over another is of the highest possible order of affirmation.
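As an added example (not the paper's code), the following Python turns a set of pairwise judgements on the 1 to 9 scale into focus-area weights and checks whether the judgements are consistent enough to trust. The judgement values are constructed to illustrate the computation; the paper's Table 3 and Table 6 are not reproduced here. The weights use the row geometric mean approximation of AHP's principal eigenvector and Saaty's random-index table, which are standard AHP practice rather than anything the paper specifies.

```python
"""Derive focus-area weights from AHP pairwise comparisons and check their
consistency (added example; judgements are constructed, not the paper's)."""
from math import prod

# Saaty's random consistency index, indexed by matrix size.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# The seven HAIS-Q focus areas, in the order the paper lists them.
FOCUS_AREAS = ["Password management", "Email usage", "Use of the internet",
               "Use of social media", "Mobile devices", "Information handling",
               "Incident reporting"]

# Constructed expert judgements standing in for the paper's Table 3.
# (i, j): v means "area i is v times as important as area j" on the 1..9 scale.
JUDGEMENTS = {
    (1, 0): 2, (2, 0): 2, (0, 3): 2, (0, 4): 2, (0, 5): 1, (0, 6): 1,
    (1, 2): 1, (1, 3): 4, (1, 4): 3, (1, 5): 2, (1, 6): 3,
    (2, 3): 3, (2, 4): 3, (2, 5): 1, (2, 6): 2,
    (3, 4): 1, (5, 3): 3, (6, 3): 2,
    (5, 4): 2, (4, 6): 1,
    (5, 6): 2,
}


def reciprocal_matrix(n, judgements):
    """Build the n x n pairwise matrix: a[i][j] = v, a[j][i] = 1/v, diagonal 1.
    Rejects values off the 1..9 scale and pairs judged twice or not at all."""
    m = [[1.0] * n for _ in range(n)]
    seen = set()
    for (i, j), v in judgements.items():
        if i == j or not (0 <= i < n and 0 <= j < n):
            raise ValueError(f"bad pair {(i, j)}")
        if v not in range(1, 10):
            raise ValueError(f"judgement {v} is outside Saaty's 1..9 scale")
        pair = frozenset((i, j))
        if pair in seen:
            raise ValueError(f"pair {(i, j)} judged twice")
        seen.add(pair)
        m[i][j] = float(v)
        m[j][i] = 1.0 / v
    if len(seen) != n * (n - 1) // 2:
        raise ValueError("every pair of elements needs exactly one judgement")
    return m


def priority_vector(m):
    """Approximate the principal eigenvector with normalised row geometric means."""
    n = len(m)
    gm = [prod(row) ** (1.0 / n) for row in m]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(m, w):
    """Saaty's CR = CI / RI, with CI = (lambda_max - n) / (n - 1)."""
    n = len(m)
    if n not in RANDOM_INDEX:
        raise ValueError(f"no random index for n={n}")
    if n < 3:
        return 0.0  # a 1x1 or 2x2 reciprocal matrix is always consistent
    lam = sum(sum(m[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    return (lam - n) / (n - 1) / RANDOM_INDEX[n]


def ahp_weights(names, judgements):
    """Return ({name: weight}, consistency_ratio) for the given judgements."""
    m = reciprocal_matrix(len(names), judgements)
    w = priority_vector(m)
    return dict(zip(names, w)), consistency_ratio(m, w)


if __name__ == "__main__":
    weights, cr = ahp_weights(FOCUS_AREAS, JUDGEMENTS)
    for name, w in sorted(weights.items(), key=lambda kv: -kv[1]):
        print(f"{name:22s} {w:.3f}")
    # Saaty's rule of thumb: a CR above 0.10 means the judgements should be revisited.
    print(f"consistency ratio = {cr:.3f} "
          f"({'acceptable' if cr <= 0.10 else 'revisit judgements'})")
```

The consistency check matters in practice: if the interviewed experts rate A over B, B over C, and C over A, the resulting weights are meaningless, and the ratio above 0.10 is the signal to go back to the expert team before using the weights in the awareness calculation.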
The first step in obtaining the awareness value with the HAIS-Q method is to identify which questions are worded positively and which are worded negatively (the question contains a negative statement). For each positive question, an answer of 4 or 5 on the scale scores 1 and an answer of 1 to 3 scores 0. Conversely, for a negative question, an answer of 1 or 2 scores 1 and an answer of 3 to 5 scores 0.
After scoring each answer as 1 or 0, the next step is to add up the scores for each question. The sum is converted to a percentage by dividing it by the total number of respondents. This percentage becomes the value of one dimension of the sub-area.
To obtain the value of a focus area, each dimension value in that focus area is multiplied by the dimension weight defined by Kruger and Kearney in Table 5 [16]. The next step is to calculate the awareness value by multiplying the result for each focus area by the weight of that focus area, which was determined with the expert team as described above, using formula 2 [16].
Based on the priority-scale measurement, a weight is obtained for each focus area; the results can be seen in Table 6. These weights are used to calculate the awareness value from the results of the distributed HAIS-Q questionnaire. The scores are mapped to three levels, Bad, Medium, and Good, based on Kruger and Kearney [16], as shown in Figure 2. Each level of security awareness calls for a different follow-up. The "Bad" level means that awareness of information security is still very low and requires a lot of improvement. The "Medium" level means that awareness of information security is quite good, but there are still some things that need to be improved. The "Good" level means that awareness of security is very good; the follow-up needed may only be strengthening or reminder activities carried out periodically, or other activities aimed at improving awareness of information security.
This research also compares the awareness value of the work unit responsible for information security, namely the information security work unit, with that of the other IT work units. The purpose of this comparison is to find out whether awareness levels differ between the information security work unit and the other IT work units. The awareness levels should be the same, because one of the duties and responsibilities of the information security work unit is to disseminate and strengthen awareness of information security, for example by broadcasting posters on information security to all employees of Bank XYZ. If the awareness results of the information security work unit and the other work units differ greatly, dissemination of information security awareness to all employees of Bank XYZ is still lacking. This can also serve as evaluation material and input for the IT Directorate of Bank XYZ in measuring the performance of the
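The scoring procedure described above, together with the per-work-unit comparison, as an added worked example in Python (not the paper's code): answers are binarised by question polarity, converted to percentages per dimension, combined with the K/A/B dimension weights into focus-area values, weighted by the focus-area weights, and mapped to a level. The item bank, the respondents and the focus-area weights are constructed for the example; the dimension weights (0.30/0.20/0.50) and the level cut-offs (Good 80 to 100, Medium 60 to 79, Bad below 60) are Kruger and Kearney's values, used here as an assumption because the paper's Table 5 and Figure 2 are not reproduced on this page.

```python
"""Score HAIS-Q answers into focus-area values, a weighted awareness value
and a Bad/Medium/Good level, overall and per work unit (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Kruger and Kearney dimension weights (the paper's Table 5 is not reproduced
# here; these are the values from their 2006 paper, used as an assumption).
DIMENSION_WEIGHTS = {"K": 0.30, "A": 0.20, "B": 0.50}


def level_of(score):
    """Map a percentage to the three awareness levels used in the paper.
    Cut-offs follow Kruger and Kearney (assumed; the paper's Figure 2 is not
    reproduced here): Good 80-100, Medium 60-79, Bad below 60."""
    if score >= 80:
        return "Good"
    if score >= 60:
        return "Medium"
    return "Bad"


@dataclass(frozen=True)
class Item:
    item_id: str
    focus_area: str
    sub_area: str
    dimension: str   # "K" (knowledge), "A" (attitude) or "B" (behaviour)
    positive: bool   # False when the statement is negatively worded


# Constructed item bank: two sub-areas, each with a K, A and B statement in
# the HAIS-Q style. A real run would load all 63 items.
ITEMS = [
    Item("PM_K", "Password management", "Using the same password", "K", positive=False),
    Item("PM_A", "Password management", "Using the same password", "A", positive=False),
    Item("PM_B", "Password management", "Using the same password", "B", positive=True),
    Item("IU_K", "Use of the internet", "Downloading files", "K", positive=False),
    Item("IU_A", "Use of the internet", "Downloading files", "A", positive=True),
    Item("IU_B", "Use of the internet", "Downloading files", "B", positive=False),
]

# Constructed focus-area weights standing in for the AHP result (Table 6).
FOCUS_WEIGHTS = {"Password management": 0.4, "Use of the internet": 0.6}

# Constructed respondents: (work unit, {item_id: Likert answer 1..5}).
RESPONDENTS = [
    ("ISC",   {"PM_K": 1, "PM_A": 2, "PM_B": 5, "IU_K": 1, "IU_A": 5, "IU_B": 2}),
    ("ISC",   {"PM_K": 2, "PM_A": 1, "PM_B": 4, "IU_K": 3, "IU_A": 4, "IU_B": 1}),
    ("Other", {"PM_K": 4, "PM_A": 2, "PM_B": 3, "IU_K": 4, "IU_A": 4, "IU_B": 4}),
    ("Other", {"PM_K": 2, "PM_A": 3, "PM_B": 5, "IU_K": 2, "IU_A": 3, "IU_B": 5}),
]


def binarise(item, likert):
    """Score one Likert answer as 1 (aware) or 0 (not aware).
    Positive statements count 4-5 as aware; negative ones count 1-2."""
    if likert not in range(1, 6):
        raise ValueError(f"Likert answer must be 1..5, got {likert!r}")
    return int(likert >= 4) if item.positive else int(likert <= 2)


def focus_area_values(items, answers):
    """Return {focus_area: value in %} for a list of answer dicts.
    Each item's percentage is the dimension value of its sub-area; the
    dimension values of a focus area are averaged over its sub-areas and
    combined with the K/A/B weights."""
    if not answers:
        raise ValueError("no respondents")
    per_dim = defaultdict(list)
    for item in items:
        hits = sum(binarise(item, a[item.item_id]) for a in answers)
        per_dim[(item.focus_area, item.dimension)].append(100.0 * hits / len(answers))
    values = {}
    for focus in sorted({i.focus_area for i in items}):
        values[focus] = sum(w * mean(per_dim[(focus, d)])
                            for d, w in DIMENSION_WEIGHTS.items())
    return values


def awareness_value(items, answers, focus_weights):
    """Weighted sum of focus-area values with the AHP focus-area weights."""
    if abs(sum(focus_weights.values()) - 1.0) > 1e-9:
        raise ValueError("focus-area weights must sum to 1")
    values = focus_area_values(items, answers)
    return sum(focus_weights[f] * v for f, v in values.items())


def awareness_by_unit(items, respondents, focus_weights):
    """Return {unit: (value, level)}, plus an 'ALL' entry for every respondent."""
    groups = defaultdict(list)
    for unit, answers in respondents:
        groups[unit].append(answers)
        groups["ALL"].append(answers)
    result = {}
    for unit, answers in groups.items():
        value = awareness_value(items, answers, focus_weights)
        result[unit] = (round(value, 2), level_of(value))
    return result


if __name__ == "__main__":
    for unit, (value, level) in awareness_by_unit(ITEMS, RESPONDENTS, FOCUS_WEIGHTS).items():
        print(f"{unit:6s} {value:6.2f}% {level}")
```

With the constructed data the information security unit scores 91.0% (Good), the other unit 35.0% (Bad) and the combined group 63.0% (Medium), which illustrates why the paper reports the units separately: a healthy overall figure can hide a unit whose awareness is far below the rest.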

Results and Discussions
The questionnaire results were analyzed to determine the level of awareness, which was then validated against the phishing simulation results. The data were then used to develop Bank XYZ's security awareness strategy.

Questionnaire Result Analysis
The research questionnaire was distributed online to employees at the IT Directorate of Bank XYZ. A total of 147 respondents from six work units under the IT Directorate filled out the questionnaire. Statistical data on the respondents can be seen in Table 7. The measured average information security awareness level of IT Directorate employees at Bank XYZ can be seen in Table 8. The total score obtained is 83.46%. Based on Kruger and Kearney's categories of information security awareness level [16], employee awareness is at the "Good" level.
In addition, the questionnaire results were also grouped to obtain the awareness level of employees in the information security work unit (Table 9) and the awareness level of other IT employees (Table 10). The awareness level of employees in the information security work unit is already "Good", although the Use of Internet focus area is still at the "Medium" level. Meanwhile, the awareness level of employees outside the information security work unit is still "Medium", and their Use of Internet focus area is rated "Bad". The average total awareness value of each focus area in Table 8, Table 9, and

Phishing Simulation Result
The phishing simulation results in Table 11 show that only 4% of IT Directorate employees at Bank XYZ clicked the link in the phishing email sent to them, and only 2% submitted data to the fake phishing website. It can be concluded that the "Good" awareness level of the IT Directorate of Bank XYZ is valid.

Discussion
Banking is an industry that relies on customer trust. Banks manage customer data, so they must secure it. Data leakage can result in a loss of customer trust in the bank, which ultimately affects the bank's business. The following are recommendations for Bank XYZ's strategy to improve employee information security awareness, based on the measurements and observations made in this research:
• Focus Area Awareness
The focus area "use of the internet" has the lowest measured value, which means employees do not understand the risks of downloading files on a work computer, accessing dubious websites, and entering information on untrusted websites [5]. Based on observations made in this research, Bank XYZ has not implemented technical restrictions on internet use, especially in the IT Directorate, so internet usage activities can be carried out without limitation. Internet restrictions are only applied at bank branch offices that are directly connected to the transactional system and carry a high risk. Therefore, an awareness program must be carried out for employees on the policy for using the internet, such as the policy on accessing websites and downloading files securely. Employees must make sure that a website is secure and that downloaded files do not contain malicious programs. Employees must also be reminded not to enter personal or company information on an untrusted or insecure website.
Information must be handled properly and in accordance with information security policies and procedures, whether it is being processed, transferred, or stored. The information handling focus area has a "Medium" awareness level. Employees still do not fully understand how to dispose of and store paper containing sensitive information, or how to treat removable media found in a public place [5]. Employees in the IT Directorate rarely use paper in their work; therefore, knowledge about how to treat hardcopy documents securely is low. Regarding removable media, which is a common entry point for ransomware, Bank XYZ has not restricted its use, although it does protect PCs and laptops with antivirus software. This still poses a cyberattack risk for the company because security in terms of technology is not yet optimal. Therefore, education and training for employees in this focus area also need to be improved; employees must understand how to manage information securely.
The very high risk of social engineering in the banking industry [1] also needs to be an additional focus area in raising awareness among employees. Social engineering uses psychological manipulation to trick victims into providing sensitive information.
Employees who understand how to secure information can avoid social engineering risks.

• Content
Good security awareness programs should concentrate on reinforcing an organization's security policies, guidelines, and processes by communicating the actions employees are required to take under the security program [17]. Information security awareness material must also be reviewed and updated regularly to remain relevant to the standards and regulations that apply in the industry. Effective security awareness and training programs explain how to behave safely when handling information [18]. The information security awareness program is structured based on the priority areas that have low values.
In designing security awareness programs, banks and other information-centered organizations must create different concepts to reach all employees. The program must differentiate between employee roles and locations, such as head office employees and branch office employees. In addition, employees who handle critical information must receive a more intensive security awareness program [6]. Currently, security awareness content at Bank XYZ is the same for all employee roles.
• Media Awareness
The knowledge of employees in the IT Directorate regarding information security is very important because it is directly related to the management of IT. Therefore, the security awareness program for IT employees is crucial and must be carried out routinely and intensively, for example through training related to information security. A security awareness program should use the kind of awareness message or communication channel that suits the personality of each employee [6].
The information security awareness training that employees receive at work and during work hours is the most important factor affecting their awareness level [19]. Multi-channel information security training with a variety of platforms and media, such as an intranet, email, online videos, posters, and flyers, affects the security awareness level. Companies should also develop a reward program for employees who participate in security training, for example prizes for the employees with the highest quiz score or those who are most active during training [17]. Gamifying compliance and training in cyber security is one strategy that has gained popularity among businesses concerned about cyber security [20]. Another method is to organize a competition or hands-on activity involving information security policies, with a prize for the winner.
• Measurement
Security awareness assessment is not something that is done just once. It must be done continuously to assess the level of understanding of employees and as a key performance indicator in the implementation of information security. Bank XYZ needs to evaluate why employees have not implemented information security, especially in the focus areas of use of the internet and information handling, which have the lowest awareness scores. Bank XYZ also needs to apply penalties to employees who do not comply with the information security policies.
Information security awareness is only part of the overall implementation of information security, namely the people aspect. Therefore, information security in the people, process, and technology aspects needs to be continuously developed and improved. Bank XYZ needs to improve its information security technology, especially for the use of the internet and information handling focus areas, where it is still not optimal.
The knowledge, attitude, and behaviour of employees towards information security policies and procedures are directly proportional: the higher an employee's knowledge of information security policies and procedures, the better their attitude towards those policies and procedures, and this results in much better information security behaviour.

Conclusion
Measurement of the information security awareness level based on the KAB model and using HAIS-Q at the IT Directorate of Bank XYZ has been carried out successfully. The measurement covered employees' knowledge, attitude, and behaviour in seven focus areas: password management, email usage, use of the internet, use of social media, mobile devices, information handling, and incident reporting.
Based on the results of this research, the total security awareness level of information security work unit (ISC) employees was higher in every focus area than that of other employees in the IT Directorate of Bank XYZ. Based on the average value of the three types of employees in the IT Directorate of Bank XYZ, it can be concluded that employee information security awareness in the IT Directorate is at the "Good" level. The use of the internet and information handling focus areas still have an awareness level of "Medium" and need to be improved.
The strategy to increase employee information security awareness at the IT Directorate of Bank XYZ is to create a comprehensive security awareness program. Security awareness content must align with information security policies and must be delivered through attractive and varied programs and media. Awareness in the use of the internet and information handling focus areas, which have the lowest values, should be improved through intensive education and training. Employees must be informed about the policy for using the internet, specifically the policy on accessing websites and downloading files from the internet. Employees also need an awareness program on how to dispose of and store paper containing sensitive information and how to treat removable media found in a public place.
The higher an employee's knowledge of information security policies and procedures, the better their attitude towards those policies and procedures, and this results in much better information security behaviour. Therefore, an information security awareness program must be carried out on a regular and ongoing basis, using different methods and media. The employee awareness assessment must be carried out periodically, for example annually, as a method to determine the achievement of the information security Key Performance Indicator (KPI).
Further research is needed to measure the effect of the type of media used on the security awareness value. In addition, a standard needs to be created that the Financial Services Authority can use to assess the security awareness level of banking companies.