Aligning Security Awareness with Information Systems Security Management

Journal of Information System Security
Volume 6, Number 1 (2010)
Pages 36-54
ISSN 1551-0123
Aggeliki Tsohou — University of the Aegean, Greece
Maria Karyda — University of the Aegean, Greece
Spyros Kokolakis — University of the Aegean, Greece
Evangelos Kiountouzis — Athens University of Economics and Business, Greece
Information Institute Publishing, Washington DC, USA

This paper explores how information security awareness connects to the overall information security management framework it serves. To date, security awareness initiatives have tended to be formulated without regard to the overall security management context, and vice versa. In this paper we show that the two processes can be aligned so that awareness activities serve the security management strategy and security management exploits the benefits of an effective awareness effort. To do so, we analyze the processes of security awareness and security management using a process analysis framework and explore their interactions. Identifying these interactions makes it possible to place awareness within a security management framework instead of viewing it as an isolated security mechanism.

Information Systems Security Management, Security Awareness, Process Analysis, ISO/IEC 27001