Strategy to Improve Employee Security Awareness at Information Technology Directorate Bank XYZ
A bank handles sensitive information such as customers' financial transactions and personal data. Attempted cyberattacks against Bank XYZ increased by 63% in 2021, including 1,323 attempted attacks on the bank's corporate email. Implementing security awareness training for all employees is therefore crucial for Bank XYZ. The information security awareness program must be assessed to determine the program's efficiency and the level of information security awareness among employees. This study therefore assesses information security awareness at Bank XYZ, in particular within its Information Technology (IT) Directorate, using the Human Aspects of Information Security Questionnaire (HAIS-Q) method. The findings show that employees in the bank's information security work unit had a "Good" level of awareness, whereas the other IT work units scored "Medium". Based on these results, the recommended security awareness strategy for Bank XYZ is to align awareness content with the bank's information security policies and procedures, to deliver awareness through a variety of media, and to focus on the "Internet Use" and "Information Handling" awareness areas. To track achievement of information security Key Performance Indicators (KPIs), security awareness should be measured regularly, for example once a year.
Copyright (c) 2022 Jurnal RESTI (Rekayasa Sistem dan Teknologi Informasi)
This work is licensed under a Creative Commons Attribution 4.0 International License.