Introduction
Human behaviors and attitudes are a central factor in security, whether computer security or, more broadly, information security. When an attack is launched, the computer is the object or subject of the attack, which is carried out by a human. Personal computers and handheld devices are used by almost every person, and hacking tools are available on the Internet to everyone, whether computer expert or novice user, which expands the information security threats. An information system is a set of software, hardware, data, people, and procedures that enables us to use information as a resource in the organization. Protecting information requires integrating four basic components into the process of building an information security model: policy, awareness, training/education, and technology (Wilson & Hash, 2003).
According to the 2010 annual report of the Saudi Communication and Information Technology Commission (CITC), 2010 witnessed significant growth of broadband penetration in the Kingdom, with an average cumulative annual growth rate of about 123% per year during the past five years. In addition, the number of Internet users grew from around 1 million in 2001 to an estimated 11.4 million at the end of 2010, which corresponds to an average cumulative annual growth rate of around 31% over the ten-year period 2001-2010. Internet penetration increased to 41% of the population by the end of 2010 (CITC, 2010). Such growth impacts the information security of public and private organizations in Saudi Arabia.
Due to the importance of training for increasing information security awareness, the National Institute of Standards and Technology (NIST), a US-based agency, has developed a security education, training and awareness (SETA) program, which is a control measure designed to reduce the internal incidence of accidental security breaches by employees. SETA aims to enhance security by improving awareness of the need to protect system resources, developing skills and knowledge so that computer users can perform their jobs more securely, and building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems. The most important part of the SETA structure is the security awareness program, because it concerns all the employees of any organization; however, it is the least frequently implemented program. Figure 1 shows the structure of the SETA programs (Wilson & Hash, 2003). This structure is also supported by a security assessment model proposed by Ang and others (Ang et al., 2007), in which eight constructs are presented: technology, finance, strategy, policy, culture, accessibility, confidentiality, and vulnerability. As indicated in Figure 1, the security awareness program is the point of entry for all employees into the progression of IT security knowledge levels, and it aims to keep information security at the forefront of users' minds in their day-to-day work so that they care about security. In keeping with this goal, information security awareness programs may be as simple as promotional trinkets with motivational slogans, videotapes, emails, lectures, and posters or flyers; however, these programs should be implemented efficiently to reduce the possible internal security accidents or failures.
Figure 1. The IT security learning continuum (adapted from Wilson & Hash, 2003)
Recently, in Saudi Arabia, the Saudi Communications and Information Technology Commission established a Saudi Arabian Computer Emergency Response Team (CERT-SA, http://www.cert.gov.sa/), whose mission lists, as its first statement, increasing the information security awareness level in the Kingdom of Saudi Arabia. Although CERT-SA is a step forward for information security awareness, more initiatives are needed, in collaboration with the public and private sectors, to spread awareness of the overwhelming and increasing information security threats to Saudi organizations. Unfortunately, CITC's report did not provide any study or statistics on the risks that face the communication and information technology market in Saudi Arabia, which would help in understanding the size of the threats and cybercrimes facing organizations in Saudi Arabia.