Strategic Approach to Enhance Information Security Awareness at ABC Agency

  • Fandy Husaenul Hakim, Universitas Indonesia
  • Muhammad Hafizhuddin Hilman, Universitas Indonesia
  • Setiadi Yazid, Universitas Indonesia
Keywords: information security awareness, information security awareness strategies, Kruger approach, Human Aspect of Information Security Questionnaire (HAIS-Q), Analytic Hierarchy Process (AHP)

Abstract

Information security awareness (ISA) is crucial to an organization's cybersecurity strategy, particularly since employees are often the last line of defense against cyberattacks. Despite regular communication on cybersecurity threats, the ABC Agency has not evaluated the level of ISA among its employees, leaving a gap in understanding the effectiveness of its awareness programs. This is critical, as the agency handles highly confidential data that could be at risk of accidental or intentional leaks. The Kruger Approach and the Human Aspect of Information Security Questionnaire (HAIS-Q) were used in this study to measure the ISA levels of employees at the ABC Agency. We employed the Analytic Hierarchy Process (AHP) method to analyze data collected from 86 respondents. The findings indicate that ABC Agency employees demonstrate satisfactory ISA overall. However, the "Internet Use" dimension received a medium rating, indicating a need for focused improvement in this domain. These results underscore the importance of tailoring information security awareness programs to address specific weaknesses. We provide strategic recommendations to enhance the agency's cybersecurity posture. Furthermore, this study opens avenues for future research on ISA measurement across various public and private organizations.

Author Biography

Fandy Husaenul Hakim, Universitas Indonesia

Interested in Computer Science and Cyber Security

Published
2025-04-19
How to Cite
Hakim, F. H., Hilman, M. H., & Yazid, S. (2025). Strategic Approach to Enhance Information Security Awareness at ABC Agency. Jurnal RESTI (Rekayasa Sistem Dan Teknologi Informasi), 9(2), 364 - 373. https://doi.org/10.29207/resti.v9i2.6218
Section
Information Technology Articles