Computers & Security 27 (2008) 241–253
Available at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/cose
Information security awareness in higher education: An exploratory study
Yacine Rezgui*, Adam Marks
School of Engineering, Queen’s Buildings, The Parade 4th, CF24 3AA, Salford, Cardiff, United Kingdom
Article info
Article history:
Received 18 December 2007
Received in revised form
23 June 2008
Accepted 22 July 2008
Keywords:
Information Security
Awareness
Higher Education
Conscientiousness
Human Factors
UAE
* Corresponding author. E-mail address: [email protected] (Y. Rezgui).
0167-4048/$ – see front matter © 2008 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2008.07.008
Abstract
The research explores factors that affect information security awareness of staff, including
information systems decision makers, in higher education within the context of a devel-
oping country, namely the UAE. An interpretive case-study approach is employed using
multiple data gathering methods. The research reveals that factors such as conscien-
tiousness, cultural assumptions and beliefs, and social conditions affect university staff
behaviour and attitude towards work, in general, and information security awareness, in
particular. A number of recommendations are provided to initiate and promote IS security
awareness in the studied environment.
© 2008 Elsevier Ltd. All rights reserved.
1. Introduction
Concerns for Information Systems (IS) security and confidentiality in a university computer network environment were expressed as early as 1975 (Kerievsky, 1976). Colleges and universities have been a target for cyber attacks for two main reasons (Katz, 2005): first, because of the vast amount of computing power they possess; and second, because of the open access they provide to their constituents and to the public. University networking infrastructures are not only designed to serve the needs of faculty, staff, and students, but also to accommodate the needs of visitors, and geographically distributed researchers sharing large quantities of data. While the nature of higher education requires openness to the public and a continuous sharing of information, a balance must be maintained to ensure that information assets are not being put at risk or compromised. Unauthorized grade changes and persistent problems with registration or financial systems can undermine universities’ credibility and viability.
In this context, understanding IT security threats and
challenges facing higher education is essential to avoid
potential loss of university information and knowledge assets.
In less than three years, at the University of Texas at Austin’s
Business School, two major breaches have taken place. Nearly
200,000 electronic records have been illegally accessed,
including students’ social security numbers and biographical
material, alumni, and staff related data (Marks, 2007). On
March 11, 2005, at the University of California, Berkeley, a laptop
was stolen from a restricted area of the graduate division
offices. The laptop was left unattended for a short period of
time. The stolen laptop contained the names and the associ-
ated social security numbers of 98,000 students (Marks, 2007).
In fact, experts in computer security agree that universities
are among the least IS secured environments. Only a fraction
of universities provide security and conduct awareness
training. This is confirmed by a quantitative survey of 435
higher education institutions by EDUCAUSE (Updegrove and
Wishon, 2003). Only a third of the surveyed institutions had
security awareness training for students and staff (North et al.,
2006). Also, a recent study of the websites of 236 top-ranked
schools (Marklein, 2006) found that just 27% posted easy-
to-access policies on collection and use of personal informa-
tion. All the sites had at least one non-secure page with a data
collection form. In fact, a third of higher education institutions
have experienced a data loss or theft in 2006, in particular
grades and exam questions, with 9% reporting a loss or theft of
student personal information, which could affect millions of
university students (Piazza, 2006). A number of universities
now recommend building security awareness, training, and
education components for students and staff, and emphasize
that everyone needs to be aware of up-to-date IT threats so
they can apply the security lessons in the most effective way
(Piazza, 2006).
Students (aged 18–24) are high-risk and attractive
candidates for security attacks. This can be explained by the
fact that students are typically transient and have less credit
history than more established adults (Marks, 2007). A student
may receive a web postcard in an email, and inadvertently
install a Trojan horse onto his system, becoming a victim of
a clever social engineering attack (Marks, 2007). In this context,
information technology experts in developed countries,
including the United States, are taking advantage of height-
ened awareness of public safety to urge college and university
officials to take steps to secure their campus computer
networks (Ronald, 2001). Universities today need to enforce
exposure of their usage policies in order to achieve better
results. Relying only on end users to read the policies is less
effective. Repeated exposure could increase user retention of
policies, thus increasing awareness (Cronan et al., 2006).
However, most IS security managers pay more attention to
technical issues and solutions such as firewalls, routers, and
intrusion detection software, while paying less attention to soft
issues such as the hazards caused by end users’ lack of IS
security awareness (Katz, 2005). Information security aware-
ness can be described as a state where users in an organiza-
tion are aware of their security mission (Siponen, 2000). We
can distinguish two categories of security awareness: frame-
work and content (Siponen, 2000). The former concerns
standardization, certification and measurement activities,
while the latter addresses the human and socio-cultural
aspects of information security awareness. Furthermore,
Puhakainen (2006) points out that 59 IS security awareness
approaches have been put forward by practitioners and
scholars. These approaches can be classified into two cate-
gories. Studies in the first category consider IS security
awareness to mean attracting users’ attention to IS security
issues (e.g., Hansche, 2001; Katsikas, 2000). Studies in the
second category regard IS security awareness as users’
understanding of IS security and, optimally, committing to it.
While IS security awareness is commonly recognized, the
number of studies that consider it in depth is limited. This
may be attributed to (a) the non-technical nature of IS security
awareness (Siponen, 2000), and/or (b) its scope, as it falls
outside the traditional engineering and hard computer
science domains (Dunlop and Kling, 1991).
IS security awareness plays a significant role in the process
of the overall information security of any organization
(Thomson and von Solms, 1998; Straub and Welke, 1998). The
important role of the human factor in IS security has been
recognized by both the research community and IS security
practitioners (Parker, 1998, 1999; Siponen, 2000, 2001). As such,
users’ IS security awareness is reflected in their attitudinal
and behavioural patterns (Beatson, 1991; Lafleur, 1992; Gaunt,
1998, 2000; Hone and Eloff, 2002; Mitnick, 2002; Puhakainen,
2006). However, these attitudinal and behavioural features
have a socio-cultural and human dimension that needs to be
analysed and understood to ensure users’ full commitment
and adherence to IS security regulations.
The number of scientific studies that consider IS security
awareness in developed countries, especially in higher
education environments, is very limited (Marks, 2007). The
situation is even more dire in the case of developing countries
where the socio-cultural environment combined with a lack of
resources and knowledge may present even more barriers to
promoting IS security awareness. The proposed research
contributes to the body of knowledge by addressing these
identified gaps.
The research explores factors that affect information secu-
rity awareness of staff, including information systems decision
makers, in higher education within the context of a developing
country, the UAE. Related work is first given, followed by an
overview of the methodology that underpins the research. A
comprehensive analysis of the case-study results is provided,
followed by an in-depth discussion. Finally the paper concludes
with a set of recommendations to initiate and promote IS
security awareness in the studied environment.
2. Related work
There have been in recent years increased information secu-
rity considerations in organizations (Straub and Welke, 1998;
Schlienger and Teufel, 2003). This is mainly due to the fact that
information systems and the Internet are today used not only
by organizations to increase their competitiveness, but also by
criminals. This is becoming a trend in higher education
institutions that are experiencing an increase in security
threats and attacks (Marks, 2007).
Based on recent studies (Whitman and Mattord, 2005), staff
errors are rated among the top threats to information assets in
organizations. It is essential to convince IS security staff of the
imperative need to enforce information security measures
(Pfleeger and Pfleeger, 2003). In fact, a single case of abuse can
cause more costs than the establishment of a security system
(Czernowalow, 2005). Enforcing security awareness through
education and training is hence paramount. It is essential to
ensure that all users are aware of information security threats
and concerns, and are equipped to support organizational
security policy in the course of their normal work (BS7799, 1999).
This section (a) discusses IS security and reviews current
legislation and procedures, (b) examines IS security research
with a focus on management issues, (c) discusses IS security
from a Human Computer Interaction (HCI) perspective, and
finally (d) reviews existing information security awareness
approaches.
2.1. IS security concepts, legislation and procedures
Information security is a broad subject that requires an adapted
definition. The literature refers to both “computer security”
and “information systems security”, as these two concepts
seem to be used interchangeably. According to Ross (1999),
computer security can be defined in terms of domains, func-
tions, and/or concepts. In terms of domains, computer security
can be categorized into physical security, operational security,
personnel security, systems security, and network security. In
terms of functional areas, computer security can be categorized
into risk avoidance, deterrence, prevention, detection, and
recovery. In terms of concepts, computer security can be cate-
gorized into confidentiality, integrity, authentication, access
control, non-repudiation, availability, and privacy. McDaniel
(1994) defines information security as the concepts, techniques,
technical measures, and administrative measures used to
protect information assets from deliberate or inadvertent
unauthorized acquisition, damage, disclosure, manipulation,
modification, loss, or use. In this context information security
can also be defined as preserving confidentiality, protecting
information from unauthorized use, assuring integrity and
accuracy, and making data available to authorized users on
a timely basis (Updegrove and Wishon, 2003).
IS security is strongly related to the concept of risk.
According to ISACA (2006), a risk is any event that may nega-
tively affect the accomplishment of business objectives. The
International Organization for Standardization (ISO) defines
risk as the potential that a given threat will exploit vulnera-
bilities of an asset or group of assets. The impact of relative
severity of the risk is proportional to the business value of the
loss or damage and to the estimated frequency of threat.
In general, the principal reasons for providing IS security
may include protection of resources, maintaining manage-
ment control, ensuring safety and integrity, implementing
policies and laws, and attaining operational advantages and
economies (Turn, 1986).
Security failures can be costly to any institution. Losses
may be suffered as a result of the failure or as a result of the
cost incurred for recovery, followed by more cost to secure
systems and prevent further failures. It is worth noting that
managers and employees also tend to think of IS security as
a second priority compared with their own efficiency or
effectiveness matters, because these have a direct and mate-
rial impact on the outcome of their work (ISACA, 2006). In fact,
security objectives cannot be met by technical and procedural
protection only; an educated security attitude of employees,
management, and external IT users and partners is also vital
to ensure effective IS security. A measurement of the
following elements can deliver a clear picture of where IS
security stands within an organization: senior management
commitment and support, policies and procedures in place,
clear organizational structure, security awareness and
education, monitoring and compliance, and incident handling
and response (ISACA, 2006).
Information security threats include Deliberate Software
Attacks, Technical Software Failure or Errors, Act of Human
Error or Failure, Deliberate Act of Espionage or Trespass,
Deliberate Act of Sabotage or Vandalism, Technical Hardware
Failure or Errors, Deliberate Act of Theft, Forces of Nature,
Compromises to Intellectual Property, Technological Obsoles-
cence, and Deliberate Act of Information Extortion (Whitman
and Mattord, 2005). Information security protection mechanisms include Use of Passwords, Media Backup, Virus Protection Software, Employee Education, Audit Procedures, Consistent Security Policy, Firewall, Violation Reporting, Auto Account Logoff, Monitor Computer Usage, Publish Formal Standards, Control of Workstations, Network IDS, Host Intrusion Detection, and Ethics Training (Whitman and Mattord, 2005).
Legislation relating to IT is becoming more prolific, with
many countries enacting laws on issues such as copyrights
and software privacy, intellectual property and personal data.
This legislative pressure requires the implementation of
proper security policies and procedures (ISACA, 2006).
2.2. Management perspective of IS security
The vulnerability of organizations is increasing with the
advent of electronic commerce and open network architec-
tures (Barsanti, 1999). Better computer literacy, increased
computer user sophistication, and availability of advanced
software tools may also contribute to increased IS security
abuses in the future. Hence, management needs to pay more
attention to IS security issues (Dhillon and Backhouse, 2000;
Kankanhalli et al., 2003).
Management attention for IS security has been low
compared to other IS issues (Brancheau et al., 1996; Olnes,
1994). In a global information security survey of midsize and
large firms, less than 50% of the 459 CIOs and IT directors
polled said they had IT security awareness and training
programs for employees (Verton, 2002).
There are several plausible explanations for low manage-
ment concern about IS security (Straub, 1990; Kankanhalli
et al., 2003): (a) managers may make a deliberate decision to
invest little in IS security because they think the risk of IS
security abuses is low, (b) managers may be sceptical about
IS security effectiveness due to the difficulty in evaluating the
benefits, and (c) managers may lack knowledge about the
range of controls available to reduce IS security abuses. To
raise management involvement in IS security decisions, it is
important to convince managers about the benefits of IS
security efforts and let them know what kinds of IS security
measures are effective under what organizational circum-
stances (Kankanhalli et al., 2003).
As highlighted in Kankanhalli et al. (2003), previous studies
on IS security have focused on software for detecting IS
security abuses (Straub and Nance, 1988), measures for pre-
venting IS security abuses (Straub, 1990), perceptions of IS
security adequacy (Goodhue and Straub, 1991), and IS security
planning models for management decision-making (Straub
and Welke, 1998). With the exception of a few interpretive
studies (Backhouse and Dhillon, 1996; Baskerville, 1991;
Siponen, 2006; Puhakainen, 2006), these studies tend to
neglect organizational factors that may partially explain the
extent of IS security abuses.
2.3. IS Security in the context of HCI
Initial work on HCI has adopted a “human factors” approach
where individuals are reduced to being another system
component with certain characteristics (such as limited
attention span, faulty memory, etc.) that need to be factored
into the design equation for the overall human–machine
system (Bannon, 1991; Kuutti, 1995). The HCI community has
then realized that this form of analysis of the human in his
interaction with a system de-emphasizes important issues in
work design, including individual motivation, membership in
a team or community of users, and the importance of the
setting in determining human action (Bannon, 1991). HCI has
evolved over the years by viewing the user more complexly, as
a human in a social system in which the computer plays an
increasingly important role (Karat and Karat, 2003). The need
for a multi-disciplinary approach has been acknowledged to
provide better “contextuality”, involving the users and their
constructive relation with “systems” (Karat and Karat, 2003;
Kuutti, 1995). Moreover, HCI necessitates the development of
a general systems model so as to place the work in a wider
context (Diaper and Sanger, 2006; Rezgui, 2007).
It is important to contribute to HCI research by adopting
a holistic perspective where human, organizational, and
technical issues are given equal consideration, to provide
better contextuality and insight into factors influencing IS
security awareness. Also, while most related research is con-
ducted in developed countries, it is interesting and important
to consider HCI in the context of developing countries.
2.4. IS security awareness
Current IS security awareness approaches can be classified into two
categories: studies which consider IS security awareness to
mean attracting users’ attention to IS security issues (Hansche,
2001), and studies which consider IS security awareness to
mean users’ understanding of IS security and, optimally,
committing to it. According to Furnell et al. (1996), the need to
promote IS security standards within an organization requires
IS security awareness training. Furnell et al. also propose that all
users should be aware of disciplinary actions resulting from
non-compliance with the organization’s IS security proce-
dures. Similarly, Denning (1999) argues that IS awareness
training and education is an essential part of defending IS
security. The awareness program should communicate to
users the organization’s IS security policies and make users
aware of the risks and potential losses. Martins and Eloff
(2002) take into consideration the user’s role when presenting
a model for implementing and enhancing the culture of IS
security. The model focuses on three levels of organizational
behaviour: the organizational level, the group level, and the
individual level. The model suggests that the organization’s IS
security culture must be improved by taking human behav-
iour into account. It also suggests that each user should be
informed, through IS security awareness, of his role in pro-
tecting information assets. Kovacich and Halibozek (2003)
discuss implementing a continuous IS security awareness
training program as part of the corporate asset protection
program. The program’s aim is to make the target users aware
of the need for asset protection practices, specific asset
protection requirements, and the consequences of unautho-
rized actions. Barman (2002) emphasizes the employee’s role
in adhering to IS policies by arguing that IS security awareness
training should be implemented in order to succeed in writing
and implementing organizational IS security policies. Bane-
rjee et al. (1998) argue that organizations should introduce IS
security awareness and make their ethical policy clear to their
employees and ensure that strong deterrents are in place.
Murray (1991) argues that the incompetence of users who
underestimate the dangers inherent in their actions represents
the biggest IS security problem. He also believes that an
efficient IS security awareness program can overcome this
problem. Gaunt (1998) argues that a successful organizational
IS security policy should incorporate clear definitions of user
responsibilities for IS security. He further states that the most
significant threat to the IS security in an organization is its
very own staff. The ISO/IEC standard 17799:2005 (second
edition), “Information technology – code of practice for IS
security management” (ISO, 2005) recommends that all
employees, whether existing or newly hired, receive job-
relevant awareness training in and regular updates on orga-
nizational IS security policies and procedures. In addition, the
standard underlines the commitment of management as an
important factor impacting on users’ IS security awareness.
3. Methodology
The general aim of the research is to explore the levels of IS
security awareness of higher education institutions in the
UAE. The research addresses the following two main research
questions:
- What are the current IS “security” challenges and threats facing universities within the context of a developing country?
- What are the levels of IS security awareness of higher education Information Systems decision makers and staff in relation to these challenges and threats?
An interpretive case-study approach is employed to
conduct the research. The case-study is represented through
Zayed University in the UAE. Zayed University was estab-
lished in 1998 by the federal government of the UAE to educate
UAE National women. The university receives its operation
funds from the federal government, and it does not require
students to pay tuition fees. The university has two separate
campuses, one in Dubai and another in Abu Dhabi, led by
a single administration in Dubai. It also has four sub-unit
education centres which offer a variety of educational courses
and degrees. The university focuses on education and
learning, while paying less attention to research. The number of
currently enrolled students is approximately 3000 in
2007. The university is based on an international model of
higher education with the primary instruction language being
English. The great majority of the 700 staff members come
from the USA, Europe, and Australia. The university is orga-
nized academically into five colleges. Zayed University is IT
orientated and it offers several online services to students and
staff (Zayed University Web Site, 2007).
Data collection has taken place during different time
intervals to capture different phases of university operations.
The study used the Computer Service Department (CSD) as the
main unit of analysis as it is the main custodian of IS assets
and IS security within the University. According to Denzin and
Lincoln (2000), researchers “emphasize, describe, judge,
compare, portray, evoke images, and create for the reader or
listener, the sense of having been there”. To achieve this, the
researchers employed a combination of quantitative (ques-
tionnaires) and qualitative (interviews, documentation, and
observation) techniques in order to portray a holistic view of
the participants and provide interpretive reflections. One of
the researchers’ employment with Zayed University granted
him greater insight and sensitivity to the context while exercising
privileged access to university resources. Such privileges
included access to infrastructure, materials, IT
resources, and personnel. Throughout the process of this
study, the researchers were sensitive to biases, by being aware
that there are multiple interpretations of reality (Merriam,
1988), hence the necessity of adopting an interpretive philo-
sophical stance for the research.
The overall data collection period extended from July 2006
through September 2007, during which time (a) observation
took place, (b) documents were collected, (c) questionnaires
distributed, and (d) interviews conducted. The interviews and
questionnaire data gathering instruments took place during
the academic year, while the documentation and observation
instruments were conducted on a continuous basis, including
during summer holidays. All ethical approvals to conduct the
research were obtained in advance. All participants were
informed of their right to decline to participate in this study.
They were also informed of their right to anonymity. The
nature, purpose, and objective of the study were clearly
explained to every participant. Brief details related to each
data gathering technique are given below:
- Questionnaire: for the quantitative component of this study,
the questionnaire method was selected. The questionnaire
was pre-tested by selected members in charge of IS from
different universities in the UAE. The sample for the study
included 45 CSD staff of Zayed University representing
different sub-units within the department. The sample was
based on systematic probability where at least one person
was chosen from each CSD sub-unit. The sample was
identified based on what was practical and relevant to the
study. The questionnaire process started by dispatching all
45 questionnaires to the sample; this was followed up by
reminder telephone calls. The response rate achieved was
97% with 43 completed questionnaires returned. The data
were coded and analysed using descriptive statistical anal-
ysis such as mean, percentage, and frequency.
- Interviews: seven IS personnel and IS decision makers at
Zayed University, including two IS managers and the deputy
vice president of the university, were solicited to participate
in a 30–60 minute interview conducted by one of the
researchers (the one employed by Zayed). At least one
person from each CSD sub-unit was selected. Some of the
benefits of these interviews include: avoiding confusion or
miscommunication that might have taken place in the
questionnaire instrument; allowing the respondent to
provide more accurate and precise information regarding
the topic under investigation; allowing the researcher to ask
further complex and follow-up questions; and seeking the
views and capture the perceptions of management staff in
relation to IS security.
- Direct observation: the role of the researcher employed at
Zayed as an observer varied during the study period. While
the researcher was a practitioner researcher on some
occasions, he was a participant observer, a complete participant,
and a complete observer at other times. Observation is
a time consuming process. The process started with the
commencement of this study in 2005 and lasted for nearly
three years. It initially started by being non-selective in
what the researcher observed, and it progressed and
advanced into focused observation on selective areas. The
main idea behind observation is to discover what people do
rather than what they say they do.
- Documents: a number of documents such as systems logs,
IDS reports, system manuals, training manuals, IS policies,
and similar type of documentations from Zayed University
were gathered and analysed to support the research find-
ings.
As stressed by Bonoma (1985), collecting different types of
data by different methods, from different sources, produces
a wider scope of coverage and results in a fuller picture of
the phenomena under study than would have been ach-
ieved otherwise. Problems of construct validity have been
addressed by the use of the variety of sources of information
described above. The development of converging lines of
inquiry in this manner is known as “triangulation”, and is
generally considered as a process of using multiple
perceptions to clarify meaning and assess the validity of an
interpretation (Stake, 1995).
As an example of this, the collected documents provided
qualitative and quantitative information that helped build an
initial understanding of the problems, limitations, and
requirements of the higher education sector in the UAE, and
design the other research instruments, including the inter-
view guide and questionnaire. Pattern coding (Miles and
Huberman, 1994) is used to identify emergent themes,
patterns, or explanation suggested by qualitative information
gathered from the selected instruments. Pattern coding
reduces large amounts of data into a smaller number of
analytic units and helps structure the investigated issues. The
quantitative analysis (questionnaire) helped corroborate the
qualitative issues that emerged from the research. It is
important that the limits of this study be recognized. The
researcher relied on information that was publicly available or
given through questionnaires and interviews. It is always
possible that pertinent information might have been withheld for
commercial, strategic, or political reasons, the impact of
which has been anticipated through the development of
converging lines of inquiry (triangulation).
4. Case-study fieldwork results
A number of categories emerged from the data analysis using
pattern coding techniques of qualitative analysis (Miles and
Huberman, 1994), aiming to assign units of meaning to the
descriptive or inferential information compiled from qualita-
tive data and to summarize segments of data. In order to
analyze the qualitative data of the interviews, three processes
were undertaken: creating interview transcripts, generating
pattern codes, and drawing a checklist matrix. The first
process involved converting all interviews into fully tran-
scribed (word-processed) qualitative data. The second stage
involved identifying patterns of data using iterative pattern
coding within the transcribed interviews. The process
involved assigning units of meaning to the descriptive or
inferential information compiled from the interviews tran-
scripts. A total of 23 data units were identified and
listed in Table 1.
The data units identified as belonging to emerging data
patterns from the interviews were subsequently aggregated
into thematic groups as illustrated in Table 1. Each group was
given an initial ‘pattern code’ that describes it. These initial
pattern codes were refined through an iterative reading and
analysis process and resulted in the following nine pattern
codes: IS & Communication Systems Infrastructure; IS Goals
and Objectives; IS Security Threats and Solutions; IS Staff; IS
Laws, Legislations, Policies, and Procedures; IS Training
Sessions, Manuals, and Documentations; IS Check and Balance
Procedures; University Overall Vision, Goals, and Objectives;
University Environment and Culture. Results from the ques-
tionnaires were also analysed using statistical methods and
helped corroborate the qualitative issues that emerged from
the research. These categories are discussed below.
Table 1 – List of data units and thematic groups
Thematic group 1: Information Systems
Data Unit 1: Reliability of IS systems
Data Unit 2: Efficiency of IS security technical and non-technical solutions
Data Unit 3: Availability of competent IS security designated staff
Data Unit 4: Comprehensive IS policy
Data Unit 5: IS legal regulations and requirements
Data Unit 6: IS business regulations and practices
Data Unit 7: IS communication channels
Data Unit 8: IS guidelines, standards, and procedures
Data Unit 9: Effective IS security policy
Data Unit 10: IS training sessions
Data Unit 11: IS manual and documentation
Data Unit 12: IS audit function
Data Unit 13: Enforcement and accountability procedures
Data Unit 14: IS goals and objectives
Data Unit 15: IS security technical and non-technical solutions
Data Unit 16: IS threats and solutions
Thematic group 2: General awareness
Data Unit 17: University overall vision, goals, and objectives
Data Unit 18: University environment and culture
Data Unit 19: University educational model
Thematic group 3: IS perceptions
Data Unit 20: University data
Data Unit 21: Responsibility of IS security
Data Unit 22: Overall level of satisfaction with IS security
Data Unit 23: Reasons for satisfaction/dissatisfaction with IS security
4.1. IS & Communication Systems Infrastructure
A significant portion of the university annual fund is allocated to IS and communication activities. The data evidence gathered during this research portrays an IS and communication systems infrastructure very comparable to that of many Western higher education institutions. Zayed University requires every student and faculty member to have a laptop. Staff are provided with the latest editions of PCs. Users (including students) have access to email, Internet, Intranet, and other network services. Similar to many Western universities, Zayed University uses an ERP system for its student administration and transaction management. The university is also equipped with an IP telephony system, video-conference facilities, and state-of-the-art classrooms.
Zayed University is dedicated to female students. The influence of the conservative culture of the UAE, which requires the preservation of values such as decency and honour, has a substantial impact on how the IS and communication infrastructure is set up, as confirmed by one of the interviewees from the university management staff: “We have the obligation and moral responsibility to look after the education of our female students based on our religious and cultural traditions... Our regulations are designed in that respect. This is one of the top priorities of our university”. In fact, while most Western universities are not fenced or closed to outside access, Zayed University is fenced and is not accessible to outsiders. Students are required to scan their IDs to register their arrival at and departure from university premises. Students are not allowed to leave the campus unless written permission from a guardian (usually the father) is obtained. Students are also not allowed to use mobile phones while on campus. Certain programs such as MSN and Yahoo are blocked since they could facilitate and encourage students to chat with strangers. The primary concern behind these policies is not a threat to the network but the fear of angering UAE families by violating the religious and ancestral culture of the UAE.
While the availability of IS and communication infrastructure may not be an issue, the utilization of these resources is definitely a problem. Contrary to many Western institutions, Zayed University did not have a needs analysis procedure. Most systems were selected on the basis of the personal experience of a few decision makers or of some form of agreement with particular vendors, as reported by one interviewee from the academic staff: “None of us (academics) are consulted about the choice of the Information Systems that the university acquires, despite this being our speciality area. Systems are purchased based on management staff past experience and their connections with software vendors. This is reflected in the inconsistent usage of the purchased systems”. The university uses only the Accounts Payable and Purchasing components of the Sungard SCT Banner Finance system, leaving the Bids, Receiving, Store, Approvals, and Fixed Assets components unused. The Human Resources Information System (HRIS) is used only for human resources and payroll transactions, although it contains a budget development model; position control is not used. Students cannot interact directly with the Banner Student module; instead, registration and many related administrative functions are performed by staff. Many university departments use parallel systems: for example, while the university's HRIS should be the authoritative source for vacation requests, many departments fall back on their own MS Excel or MS Access systems for vacation requests.
4.2. IS goals and objectives
The IS goals and objectives of Zayed University are stated neither in internal documentation nor on the university Intranet site; a statement by the help desk unit is the only exception. Many questionnaire respondents could not identify the goals and objectives of IS or of the Computer Service Division (CSD). This can be partly explained by the employment structure at Zayed, where the majority of employees hold temporary one- to three-year contracts, as reported by one academic interviewee from Algeria: “My main concern is to sustain my position. I have been told that my two-year contract can be terminated at any time with short notice. Hence, my main concern is to make my CV marketable by continuously publishing in leading journals”. In fact, academics and foreign administrators do not show great concern for the university, as they see their employment with Zayed as transitional rather than permanent. It is interesting to note that while Zayed offers neither online courses nor online registration, 24% of the respondents identified online courses and 27% identified online application and registration as electronic services offered by the university.
Locals, from the UAE, seem to adopt a self-sufficient approach, having been brought up in an environment where they rely on expatriates for the various operations of the country's key institutions. Also, university managers are in their majority retired academics from Western universities. They aspire to a quiet end to their careers and do not seem interested in taking up any challenge that could enhance the status of the university.
4.3. IS security threats and solutions
In terms of security goals and objectives, the respondents were asked to identify key security challenges faced by their university from a given list of common IS security challenges. Fifty-five percent of the respondents identified ‘preventing denial of service’; 48% identified ‘improving the network tractability’; 69% identified ‘ensuring privacy and confidentiality’; 41% identified ‘implementing higher levels of authentication mechanisms’; and 62% identified ‘ensuring the integrity of data’ as key security challenges faced by Zayed. Unfortunately, the available systems documentation, manuals, and stated policies in Zayed University do not address IS security goals; most of the documentation addresses availability and support. In fact, many of the respondents did not regard IS security as a major concern, nor did they see themselves as part of the solution. The IS security function in Zayed University is neither centralized nor assigned to a specific position. In the eyes of many respondents, IS security was synonymous with network security. A number of respondents from CSD reported that security threats faced in recent years included: deliberate software attacks, technical software failure, human error, deliberate espionage or trespass, deliberate sabotage, technical hardware failure, deliberate theft, deliberate information extortion, technological obsolescence, and compromises of intellectual property. Based on their perceptions, IS security threats were synonymous with external hacking, as reported by 48% of the respondents, while IS security solutions were considered to be already provided through the IT procedures set up by CSD, as reported by one of its staff: “Our university is equipped with the best security systems and we work hard to monitor external attacks to our systems from hackers that originate from foreign countries”. The gathered evidence clearly illustrates how uninformed and unaware staff in general are regarding IS security matters. In terms of existing solutions, interviewees reported the use of one or more of the following approaches to defend against the above IS security threats: password authentication, media backup, virus protection, firewalls, intrusion detection and prevention tools, IS policies, audit procedures, employee training and education, violation reporting, and computer use monitoring.
Zayed University did not have a central point of contact for IS security problems and matters; in fact, it was not even clear who was in charge of IS security issues. The person in charge of network security did not regularly meet other key IS security stakeholders such as the DBA, who handles database security, or the IS analysts, who handle application security. Zayed University appeared to adopt a reactive rather than a proactive approach to IS security awareness.
4.4. IS staff
Almost 80% of the population and workforce of the UAE consists of foreign expatriates. Many of the expatriates working in Zayed University come from North America and Europe and bring valuable experience with them. They arrive with the understanding that the contract is temporary. While some contracts are renewable, the feeling is that the job could end at any time and for any reason. This discourages employees from pursuing long-term activities and planning. In addition, while it is commonly recognized that most jobs require a learning curve, the temporary contract makes the return on that investment harder to attain. It also affects overall job performance, since experienced employees are replaced with inexperienced ones when contracts expire.
With the exception of the help desk unit, IS staff in Zayed University are hardly visible. CSD does not have a web page listing IS staff members' names, titles, locations, contact information, and specialities. Contact with the help desk may be established by phone, email, or a web-based request log. Other CSD units, including networking and software support, are not advertised. As a result, the university community is mainly aware of the help desk function only, and most users visit CSD only when a need arises. Two things seem striking when working with CSD staff: one is how lax they are regarding IS security matters, and the second is how they make users feel they are being done a favour rather than provided a service, as reported by one academic respondent: “Every time I experience an IS problem, I prefer to deal with it myself instead of asking support from IS staff. This might end up taking me more time than expected resolving the problem. But I prefer this rather than asking IS people for a favour”. It can literally take days for a simple problem to be resolved simply because nobody wants to work on it. Trial-and-error solutions are widespread. IS staff are not governed by any policy or law. CSD, again with the exception of the help desk unit, does not have a mission statement.
4.5. IS laws, legislations, policies, and procedures
It is interesting to note that 59% of the respondents assumed that the university IS policy is subject to audit, while no such audit exists in Zayed. In fact, only 24% of the respondents were aware that the university does not have an IS policy, and the great majority (86%) did not know who is in charge of IS security-related issues. The culture and religion of the UAE are the main sources of legislation in the country. In fact, even though the country has a judiciary system, culture may at times take precedence over the law. While a substantial body of IS legislation has been established in the US and the UK, and while many standards are heeded by agencies and organizations, it was not until 2006 that the first two pieces of IS legislation came into existence in the UAE. Both laws are young, immature, not comprehensive, and as yet untested; nevertheless, they are a step in the right direction.
Zayed University has neither an IS policy nor an IS security policy, and has made no effort to educate its users about the newly issued laws. When asked, most respondents referred to the one-page PC acceptable use policy as the university IS policy, as reported by one interviewee from the academic staff: “In my previous university in Canada there used to be continuous training and campaigning about the importance of security. I am surprised about the immaturity of Zayed in that respect and this does not seem to bother our managers”.
The two IS laws issued in 2006 are to a large extent identical to the IS laws issued in the emirate of Dubai in 2002. Since emirate-level laws do not apply to federal institutions, and since the UAE does not support political participation, it was not until Sheik Mohammed Bin Rashid became prime minister of the UAE that these two IS laws were made available at the federal level. Another reason that could be attributed to the issuance of these two laws is the upsurge of the stock markets in Dubai and Abu Dhabi, which led many locals and foreigners to join the stock market and use electronic transactions.
4.6. IS training sessions, manuals, and documentations
A majority of the respondents (52%) believe that Zayed has manuals and documentation for its information systems. The researchers' investigation, however, revealed that the university has poor IS manuals and documentation. Unfortunate but true, once hired, some Zayed University employees are expected to perform critical jobs with no training and no documentation at all. Although 66% of the respondents believed the university to provide regular system training to employees, reality does not reflect that assumption, as confirmed by several interviewees and by the researchers through two years of observation. IS training is barely practised. The help desk unit provides office automation tools training from time to time; however, since the university's inception in 1998, it has not offered a single IS security training session. Recently, the help desk unit added a list of ‘How to’ topics to its web page, including how to create a backup CD and how to archive emails. Only recently did the university introduce a strong-password requirement for authentication.
4.7. IS check and balance procedures
Zayed University conducts neither external nor internal IS audits. The university's internal audit function consists of one internal auditor and two state auditors overseeing mainly financial operations. CSD has not conducted an IS audit since the university's inception; in fact, CSD did not have written IS standards and procedures. This clearly illustrates the status of IS security in Zayed University.
4.8. University overall vision, goals, and objectives
Although the goals and objectives of Zayed University as an institution are stated on its Internet home page, the majority of users were unaware of them. Most of the respondents believed that the university offers online courses and that students register online; more surprisingly, they believed that students pay their tuition fees online. Many of the respondents were not aware of the graduate work of Zayed University. This lack of awareness could be attributed to a lack of, or inefficient, communication by management, as reported by one interviewee: “Management should ensure not only that employees are aware of the main goals and objectives of the university, but also ensure that these goals and objectives are aligned with department goals and objectives”.
4.9. University environment and culture
Zayed University uses a centralized management style. The vice president and the provost are the main steering powers in the university, and faculty and staff participation is very limited, as reported by one interviewee from CSD: “Decision-making in relation to Information Systems and related issues is dictated by university top management with no or limited consultation with us. There is a clear lack of participation as we are seen as temporary employees with no strategic impact on university operations”. Since university operations are fully funded by the federal government, the government's opinion carries considerable weight. The university represents a prototype. The majority of Zayed University's educators come from North America; in addition to their educational experience, they bring with them English as a native language, the latest technology, American culture, and market value.
Nevertheless, the university tries to ensure that Western culture does not interfere with UAE culture and religious beliefs. While trying to get the best of both worlds, the university tries to focus on commonalities and avoid differences. Most students wear Islamic clothing and do not freely interact with male teachers outside the class context. This creates a barrier for administrative and technical staff wishing to disseminate or impose any technical regulation or procedure. In addition, most students come from wealthy and privileged families. The general feeling among staff, including academics and technical employees, is not to upset these female students, as the consequences can be damaging for their careers, as reported by one academic staff member: “I have been advised to be generous with my marking style so as not to upset students who can have an influential role (through their parents) in deciding the future, including renewal, of academic staff contracts”. This contrasts with the democratic environment of higher education in the West.
5. Discussion
Several common themes emerged from the different data collection methods used in this study. While some of the results are in line with findings from existing studies, such as the study of the EDUCAUSE Centre for Applied Research (Updegrove and Wishon, 2003), their recurrence within the context of the studied environment suggests careful consideration. While acknowledging that cultures, resources, and technical environments vary compared to the West, it is also understood that no single reported security practice is exclusive to one setting. In this section, we discuss the results and attempt to answer the two research questions of the study.
The first research question sought to investigate the different IS threats, technical or not, faced by a typical higher education institution in the context of a developing country. The main challenge faced by Zayed lies in the conflicting requirements of an educational model borrowed from the West and the conservative environment, rooted in deep cultural and religious beliefs, surrounding the university. The findings of the study indicate that IS threats were in general similar to those reported in similar investigations in developed countries (Updegrove and Wishon, 2003). What tends to vary are the causes and sources of these threats and the ways in which they are perceived and dealt with by university IS managers and staff. In general, respondents reported that IS threats faced by their institution may take the form of: a deliberate software attack, technical software failure, human error, deliberate espionage or trespass, deliberate sabotage, technical hardware failure, deliberate theft, deliberate information extortion, technological obsolescence, and compromises of intellectual property. IS threats were generally perceived as external, caused by actors with no legitimate access to university IS resources.
Like their counterparts in the West, interviewees reported the use of one or more of the following approaches to defend against the above IS security threats: passwords, media backup, virus protection, firewalls, intrusion detection and prevention tools, IS policies, audit procedures, employee training and education, violation reporting, and computer use monitoring. However, some of the above measures are not well applied or are not reflected in the operations and practices of Zayed University, which tends to adopt a reactive rather than a proactive approach towards IS security threats.
The second research question sought to explore and assess
the levels of IS security awareness of IS personnel and deci-
sion makers within the examined higher education environ-
ment to the threats and challenges investigated in research
question one.
Interviewees reported that Zayed placed more emphasis on external and technical threats than on internal and non-technical ones. The university shows clear symptoms of the lack of IS security awareness, manifested in widespread user errors, software failures, social engineering problems, and data leakage. In fact, the lack of applied IS security awareness is directly related to how the university's IS assets are viewed and valued. In addition, it leads to the misalignment of IS goals and objectives with the institution's overall mission and strategic objectives.
While the lack of applied IS security awareness in Zayed University emerges as one of the main causes behind poor IS security practices, it can be attributed to elements unique to the UAE environment. First and foremost is the lack and immaturity of IS legislation in the UAE. Public use of the Internet is only a few years old. Poor practices could also be attributed to distrust of computers and technology, especially among the older generation. The conservative culture and customs of the UAE, especially of the older generations, do not encourage the use of new technology; computers and the Internet are sometimes viewed as vehicles for evil materials and ideas. This can be even more difficult for female students, whose interaction with the outside world is expected to be limited and is sometimes monitored. These views are slowly fading as the number of Internet subscribers increases and as the younger generations become more educated and more comfortable with computers. The government has played a positive role in embracing technology use in schools and universities in the last few years.
Another reason behind the perceived lack of IS security awareness in the UAE is the nature of employment contracts. Although 80% of the UAE population and workforce consists of foreign expatriates, the UAE does not offer its residents a long-term perspective in terms of immigration or naturalization status, resulting in a serious lack of conscientiousness among staff. Conscientiousness is defined here as a measure of goal-directed behaviour and the amount of control over impulses (Heinstrom, 2003). The human tendency towards improvement can be fostered through conscientious human endeavour (Tracy and Tracy, 2000). This implies that each individual must be included, not just to meet his or her needs, but for the assets they can offer the community (Flora, 1997), in our context Zayed University. Hence, careless IS practices in Zayed may also be attributed to the nature of employment in the UAE, where the great majority of employees (more than 80%) are on temporary contracts. For many IS managers and university staff, the feeling of being a temporary employee does not encourage long-term and ongoing activities such as IS security planning and education.
It is interesting to note that the EDUCAUSE findings (Updegrove and Wishon, 2003) indicate that only 8% of the responding North American universities had no institutional IS security policy. Fifty-seven percent of the respondents employed a password change mechanism with a period of 90 days or less. Forty-five percent reported the use of incident-response procedures. The EDUCAUSE findings also indicate that the IS security function was often the charge of the director of networking, the IS chief security officer, or the chief information officer. Thirty-nine percent of the respondents indicated the use of an IS awareness program in their institutions, and 30% reported the use of risk assessment and audit procedures. Existing acts and legislation in the US necessitated a minimum level of IS security awareness in higher education institutions. Zayed University had no IS security policy, no audit procedures, no training sessions or materials, and no dedicated IS security function. Most of the surveyed individuals were unable to identify or locate IS resources, training sessions, training materials, existing policies, or IS staff. In fact, CSD had no web page, no comprehensive policies, and no published materials, with the exception of the help desk function, which is attributed to the individual effort of the sub-unit manager. The majority of interviewees had not changed their password since they were hired, more than eight years earlier; those who had did so voluntarily. The university had no comprehensive IS policy, no IS security policy, and no central IS security contact point, and it offered no IS security training or training materials to its employees or students.
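A practical check that follows from the password-age finding above, added here as an example and not part of the original study: a short Python script that reads a directory export of accounts with the date each password was last set and reports which live accounts exceed a maximum age (using the 90-day figure from the EDUCAUSE comparison) and which have never been rotated since the account was created, the pattern the interviews describe. The CSV layout, the usernames and the dates are constructed for illustration; a real run would take an export from the institution's own directory (Active Directory's pwdLastSet attribute, for example) and the audit date would be today.

```python
"""Stale-credential audit over a constructed directory export.

Added example, not part of the original study. It flags accounts whose
password has not been rotated within a maximum age (the 90-day figure
quoted above from the EDUCAUSE survey) and separately those whose
password has never been changed since the account was created, which is
the pattern the interviews at Zayed describe. The CSV layout, account
names and dates are all constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export. pwd_last_set equal to created means the
# initial password was never changed; t.nguyen has a pwd_last_set later
# than the audit date, which a real export can show after clock skew or a
# bad import and which must not silently count as "fresh".
SAMPLE_EXPORT = """\
username,created,pwd_last_set,enabled
a.khan,1999-09-01,1999-09-01,true
j.smith,2004-02-15,2008-01-10,true
m.ali,2001-05-20,2001-05-20,false
r.lee,2007-11-03,2008-03-22,true
s.mohammed,2000-08-30,2003-06-01,true
t.nguyen,2008-05-01,2008-07-15,true
"""

AUDIT_DATE = date(2008, 6, 1)   # constructed "today" for the audit
MAX_AGE_DAYS = 90               # threshold taken from the EDUCAUSE figure


def parse_export(text):
    """Parse the CSV export into dicts with real date objects and a bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "created": date.fromisoformat(row["created"].strip()),
            "pwd_last_set": date.fromisoformat(row["pwd_last_set"].strip()),
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return rows


def password_age_days(row, as_of):
    """Days since the password was last set, as of the audit date."""
    return (as_of - row["pwd_last_set"]).days


def audit_password_age(rows, as_of=AUDIT_DATE, max_age_days=MAX_AGE_DAYS,
                       include_disabled=False):
    """Return (stale, never_rotated, inconsistent) lists of usernames.

    stale:          live accounts whose password is older than max_age_days
    never_rotated:  the subset of stale accounts whose password was set on
                    the day the account was created and never changed
    inconsistent:   rows whose dates cannot be right (password set before
                    the account existed, or after the audit date); these
                    are reported separately rather than treated as fresh
    Disabled accounts are skipped unless include_disabled is set, since a
    disabled account is not a live credential.
    """
    stale, never_rotated, inconsistent = [], [], []
    for r in rows:
        if not r["enabled"] and not include_disabled:
            continue
        if r["pwd_last_set"] < r["created"] or r["pwd_last_set"] > as_of:
            inconsistent.append(r["username"])
            continue
        if password_age_days(r, as_of) > max_age_days:
            stale.append(r["username"])
            if r["pwd_last_set"] == r["created"]:
                never_rotated.append(r["username"])
    return stale, never_rotated, inconsistent


def summarize(rows, as_of=AUDIT_DATE, max_age_days=MAX_AGE_DAYS):
    """Counts a manager would put in an audit report."""
    stale, never, bad = audit_password_age(rows, as_of, max_age_days)
    live = [r for r in rows if r["enabled"]]
    return {
        "live_accounts": len(live),
        "stale": len(stale),
        "never_rotated": len(never),
        "inconsistent": len(bad),
        "oldest_password_days": max(password_age_days(r, as_of) for r in live
                                    if r["username"] not in bad),
    }


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    stale, never, bad = audit_password_age(accounts)
    print("stale (> %d days):" % MAX_AGE_DAYS, stale)
    print("never rotated since creation:", never)
    print("inconsistent dates, check the export:", bad)
    print(summarize(accounts))
```

Two design points matter for an audit like this: disabled accounts are excluded by default so that the stale list is a list of live credentials an attacker could actually use, and rows with impossible dates are reported rather than dropped, because an export error that hides an eight-year-old password behind a future timestamp is exactly the case the audit exists to catch.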
Three main security awareness issues emerge from the above discussion of the results and corroborate related studies (Puhakainen, 2006):
• IS Security Awareness Training: according to the EDUCAUSE study, higher education institutions with IS security awareness training programs were considered more successful and more advanced in IS security than institutions without. Thirty-nine percent of the examined higher education institutions in the US had an IS security awareness program, and almost 50% offered some form of IS security training program. Many of these institutions also had a certified, dedicated IS security coordinator in place. Seventy-five percent viewed IS security as one of the top three IT issues confronting higher education. Although Zayed University is rich in IS resources, it did not offer IS security training, and this was clearly reflected in the level of IS security awareness of its IS users. Many of the respondents were not acquainted with basic IS security practices, including how to change their passwords or how to back up their data. Users shared their passwords. Powered-on, unlocked PCs were sometimes left unattended. Laptops were not locked and were left on display. Users were confused about the existence of an IS security policy although none of them had seen one. Users were not aware of existing IS legislation. They could not tell how to locate an IS staff member, and could not identify the university's IS goals and objectives. More importantly, users regarded university data as ‘of no interest to them’.
• IS Security Awareness Campaigning: the help desk sub-unit in Zayed University is the only unit of CSD with a mission and goals advertised to IS users. Advertising and campaigning IS-related legislation can serve as a deterrent; it can also increase user awareness and compliance. Users should be able to identify whom to contact in case of need, and advertising this information can speed up the reporting of IS security-related issues. However, none of these were found in Zayed. Many universities in the US include references to IS-related legislation, including the Computer Fraud and Abuse Act and the Computer Security Act. No reference to the newly issued IS-related legislation was found in Zayed University, and the university has never used campaigning to promote IS security awareness.
• IS Security Awareness Reward and Punishment: Zayed clearly lacked an awareness program that rewards compliance with IS security instructions and punishes violations of them. The university does not publish a statement of the consequences of IS security breaches. A security policy is a concise statement by the university that establishes goals and communicates the value of information, protection responsibilities, and organizational commitment. IS security policies need not only to be communicated to users, but also to be enforced. It is interesting to note that only 8% of the examined higher education institutions in the US had no form of IS security policy.
In order to assess the effectiveness of the measures in place, perform adjustments as necessary, and establish reward and punishment, IS check and balance procedures should be implemented. Although lower than expected, 45% of the examined higher education institutions in the US reported the existence of incident-response systems, while 30% reported the use of risk assessment and audit procedures. Zayed University also possesses an incident-response system, but does not perform any type of IS auditing.
While the authors agree with Puhakainen (2006) that training, campaigning, and reward and punishment are effective tools in achieving IS security awareness, they believe that the combined use of the three approaches will yield better results than their independent use. Puhakainen states that the three IS security awareness approaches (training, campaigning, reward and punishment) can be used independently. Sims and Lorenzi (1992), however, have argued that there is a need for an appropriate balance between the use of punishment and reward.
The authors believe that the absence of any one of the three approaches significantly weakens the effectiveness of the other two. The gathered data suggest that improper or insufficient IS security training may make it more difficult for institutions to hold users to the desired IS security behaviour. Similarly, improper or insufficient IS security campaigning and advertising may leave users to their own interpretations and conceptions regarding the use of IS and IS security. While campaigning IS security best practices is important, it is equally important to advertise regular and upcoming IS security training sessions and training materials. Finally, the lack of reinforcement measures in the form of punishments and/or rewards may cast doubt over the commitment and seriousness of the institution. An institution should not reward or punish IS security behaviour if it has not communicated the proper way of conduct. Creating policies alone is not enough: policies are not effective if they are not published, communicated, and understood by those expected to follow them.
6. Conclusion
Environments and their setup play a major role in influencing IS security awareness. This is reflected in existing legislation, policies, procedures, and standards, in the nature of the working environment, and in how data and computers are viewed.
Zayed University is the first experiment in establishing a technology-based public university with an advanced higher education model similar to the North American model. Growing pains are expected, and maturity with time is attainable. During this study, the first two federal laws pertaining to IS security were issued in the UAE; they address specific aspects of cyber crime and electronic trading. With the number of connected users increasing every day in the UAE, the number of cyber crimes is expected to increase, and so too will the complexity and maturity of the IS legal system in the UAE.
Based on gathered sources of evidence, the authors believe that the following recommendations are not only necessary to establish IS security awareness, but also to establish mutual understanding of IS security in the context of Zayed:
- Review and resolve the employment and contractual status of staff. Address employees' employment concerns and establish trust and cohesiveness across the various schools and sections of the university.
- Establish IS security policies and procedures. Policies need to be tailored to Zayed's and, more generally, the UAE's environment. They also need to be achievable, clear, and easy to understand.
- Campaign IS security awareness best practices and advertise IS security training sessions and materials. It is also important that these messages reach as many users as possible and allow enough time for users to participate.
- Train users on IS security best practices to increase their awareness. Training should be regular. Basic level training should be mandatory for all users. It is also recommended that training be included in the induction programme for new hires and new students. The establishment of training ensures that users are informed and can be held liable for IS misconduct. It is also important that the message and materials of IS training are the same regardless of who the trainer is.
- Practice reward and punishment. It is important to monitor performance, and to advertise reward and punishment of IS conduct or misconduct. This is necessary not only for reinforcement, but also to illustrate the level of commitment of the organization to its IS security.
- Carry out continuous evaluation and readjustment. Evaluation of the effectiveness of the adopted IS security approaches, and application of adjustments, is necessary to achieve the main aim.
It is highly expected that with time, use, and maturity, the status of IS security awareness will significantly improve in the higher education sector in the UAE. While it is important to establish IS security awareness in higher education, a viable system of higher education is a definite prerequisite.
Acknowledgement
The authors would like to thank the two anonymous referees for the useful comments and suggestions made. The authors alone are responsible for any errors and omissions.
References
Backhouse J, Dhillon G. Structures of responsibility and security of information systems. European Journal of Information Systems 1996;5(1):2–9.
Banerjee D, Cronan TP, Jones TW. Modeling IT ethics: a study in situational ethics. MIS Quarterly 1998;22(1):31–60.
Barman S. Writing IS security policies. Indianapolis: New Riders Publishing; 2002.
Bannon LJ. From human factors to human actors: the role of psychology and human–computer interaction studies in system design. In: Greenbaum J, Kyng M, editors. Design at work: cooperative design of computer systems. Hillsdale: Erlbaum; 1991. p. 25–44.
Barsanti C. Modern network complexity needs comprehensive security. Security 1999;36(7):65–8.
Baskerville R. Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems 1991;1:121–30.
Beatson JG. Security – a personnel issue. The importance of personnel attitudes and security education. In: Dittrich K, Rautakivi S, Saari J, editors. Computer security and information integrity. Amsterdam: Elsevier Science Publishers; 1991. p. 29–38.
Bonoma TV. Case research in marketing: opportunities, problems, and a process. Journal of Marketing Research 1985;22:199–208.
Brancheau JC, Janz BD, Wetherbe JC. Key issues in information systems management: 1994–95 SIM Delphi results. MIS Quarterly 1996;20(2):225–42.
BS7799. Code of practice for information security management. UK: British Standards Institute; 1999.
Cronan TP, Foltz B, Jones TW. Piracy, computer crime, and IS misuse at the university. Communications of the ACM 2006;49(6):84–90.
Czernowalow M. Lack of policy causes IT risks. Available from: ITWEB, <http://www.itweb.co.za> [accessed 15.07.05].
Denning DE. Information warfare and security. USA: ACM Press; 1999.
Denzin NK, Lincoln YS. The handbook of qualitative research. 2nd ed. London: SAGE Publishing; 2000.
Dhillon G, Backhouse J. Information system security management in the new millennium. Communications of the ACM 2000;43(7):125–8.
Diaper D, Sanger C. Tasks for and tasks in human-computer interaction. Interacting with Computers 2006;18(2):117–38.
Dunlop C, Kling R. Social relationships in electronic communities. In: Computerization and controversy: value conflicts and social choices. San Diego, CA: Academic Press Professional, Inc.; 1991.
Flora C. Building social capital: the importance of entrepreneurial social infrastructure. Rural Development News 1997;21(2):1–3.
Furnell SM, Gaunt PN, Holben RF, Sanders PW, Stockel CT, Warren MJ. Assessing staff attitudes towards information security in a European healthcare establishment. Medical Informatics 1996;21(2):105–12.
Gaunt N. Installing an appropriate IS security policy in hospitals. International Journal of Medical Informatics 1998;49(1):131–4.
Gaunt N. Practical approaches to creating a security culture. International Journal of Medical Informatics 2000;60(2):151–7.
Goodhue DL, Straub DW. Security concerns of system users: a study of perceptions of the adequacy of security. Information and Management 1991;20(1):13–27.
Hansche S. Designing a security awareness program: part I. Information System Security 2001;10(1):14–22.
Heinstrom J. Five personality dimensions and their influence on information behaviour. Information Research 2003;9(1):165.
Hone K, Eloff JHP. What makes an effective information security policy? Network Security 2002;6:14–6.
Information Systems Audit and Control Association. Information systems auditing manual. ISACA; 2006.
International Organization for Standardization. ISO/IEC 17799, information technology – code of practice for IS security management. 2nd ed. ISO; 2005.
Kankanhalli A, Teo HK, Tan BCY, Wei KK. An integrative study of information systems security effectiveness. International Journal of Information Management 2003;23:139–54.
Karat J, Karat CM. The evolution of user-centered focus in the human computer interaction field. IBM Systems Journal 2003;42(4):532–41.
Katsikas SK. Health care management and information system security: awareness, training or education? International Journal of Medical Informatics 2000;60(2):129–35.
Katz FH. The effect of a university information security survey on instructing methods in information security. In: Proceedings of the second annual conference on information security curriculum development; 2005. p. 43–8.
Kerievsky B. Security and confidentiality in a university computer network. ACM SIGUCCS Newsletter Archive 1976;6(3):9–11. New York, NY: ACM.
Kovacich GL, Halibozek EP. The manager's handbook for corporate security: establishing and managing a successful assets protection program. USA: Butterworth-Heinemann; 2003.
Kuutti K. Activity theory as a potential framework for human computer interaction research. In: Context and consciousness: activity theory and human computer interaction. Cambridge: MIT Press; 1995.
Lafleur LM. Training as part of a security awareness program. Computer Control Quarterly 1992;10(4):4–11.
Marklein MB. The new learning curve: technological security. USA Today, http://www.usatoday.com/tech/news/computersecurity/hacking/2006-08-01-college-security_x.htm; 2006 [accessed 20.06.08].
Martins A, Eloff JHP. IS security culture. In: Proceedings of IFIP TC-11 17th International Conference on IS Security (SEC2002); 2002.
Marks A. Exploring universities' information systems security awareness in a changing higher education environment: a comparative case study research. PhD thesis, University of Salford; 2007.
Merriam SB. Case study research in education. A qualitative approach. San Francisco: Jossey-Bass, Inc.; 1988. p. 246.
McDaniel G. IBM dictionary of computing. New York: McGraw-Hill, Inc.; 1994. p. 1.
Miles MB, Huberman AM. Qualitative data analysis, an expanded source book. Beverly Hills: Sage; 1994.
Mitnick KD. The art of deception: controlling the human element of security. USA: Wiley Publishing; 2002.
Murray B. Running corporate and national security awareness programs. In: Proceedings of the IFIP TC11 seventh international conference on IS security; 1991. p. 203–7.
North MM, Roy G, North SM. Computer security ethics awareness in university environments: a challenge for management of information systems. In: Proceedings of the 44th annual southeast regional conference (ACMSE), Melbourne, Florida, March 10–12; 2006. p. 434–9.
Olnes J. Development of security policies. Computers and Security 1994;13(8):628–36.
Parker DB. Fighting computer crime: a new framework for protecting information. USA: John Wiley & Sons; 1998.
Parker DB. Security motivation, the mother of all controls, must precede awareness. Computer Security Journal 1999;15(4):15–23.
Pfleeger CP, Pfleeger SL. Security in computing. 3rd ed. Prentice Hall; 2003.
Piazza P. Security goes to school. Security Management 2006;50(12):46–51. Arlington.
Puhakainen P. A design theory for information security awareness. PhD thesis, University of Oulu; 2006.
Rezgui Y. Exploring virtual team-working effectiveness in the construction sector. Interacting with Computers 2007;19:96–112.
Ronald R. Ringing the alarm on campus computer security. Black Issues in Higher Education 2001;18(20):50–1.
Ross ST. Unix systems security tools. The McGraw-Hill Companies; 1999. p. 444. ISBN-10: 0079137881; ISBN-13: 978-0079137883.
Schlienger T, Teufel S. Information security culture – from analysis to change. South African Computer Journal 2003;31:46–52.
Sims HP, Lorenzi P. The new leadership paradigm, social learning and cognition in organizations. Newbury Park: Sage Publications; 1992.
Siponen MT. A conceptual foundation for organizational information security awareness. Information Management & Computer Security 2000;8(1):31–41.
Siponen MT. Five dimensions of information security awareness. Computers and Society 2001;31(2):24–9.
Siponen M. Information security standards focus on the existence of process, not its content. Communications of the ACM 2006;49(8):97–100.
Stake RE. The art of case study research. Thousand Oaks: Sage; 1995.
Straub DW. Effective IS security: an empirical study. Information Systems Research 1990;1(3):255–76.
Straub DW, Nance WD. Uncovering and disciplining computer abuse: organizational responses and options. Information Age 1988;10(3):151–6. ISSN: 0261-4103.
Straub DW, Welke RJ. Coping with systems risk: security planning models for management decision making. MIS Quarterly 1998;22(4):441–69.
Tracy PD, Tracy MB. A conceptual framework of social capital and civil society: the re-emergence of John Dewey. In: Proceedings of the international research conference on social security, Helsinki; 2000. p. 2–15.
Thomson ME, von Solms R. IS security awareness: educating your users effectively. Information Management & Computer Security 1998;6(4):167–73.
Turn R. Security and privacy requirements in computing. In: Proceedings of 1986 ACM fall joint computer conference. IEEE Computer Press; 1986. p. 1106–14.
Updegrove D, Wishon G. Computers and network security in higher education. EDUCAUSE; 2003.
Verton D. Disaster recovery planning still lags. Computer World 2002;36(14):10.
Whitman ME, Mattord HJ. Principles of information security. 2nd ed. Thomson; 2005.
Zayed University Web Site – home page. Available from: www.zu.ac.ae [accessed 20.06.08].
Y. Rezgui is a Professor in Engineering Informatics at Cardiff University. He was the founding director of the Informatics Research Institute at Salford University, a leading centre in Information Systems. He has led over 15 national and European multi-disciplinary research projects. He conducts research in areas related to software engineering (including service-oriented architectures), information and knowledge management (centred on the use of ontology), collaborative working, and virtual enterprises. He has over 100 refereed publications in the above areas, which appeared in international journals such as Knowledge Engineering Review, Journal of Operational Research Society, Information Sciences, and Interacting with Computers.
A. Marks holds a PhD in Information Security from the University of Salford. He is an information systems auditor and an Oracle Certified Associate with over ten years' experience in software management and development in higher education. He is currently the full-time manager of the Financial Information Systems at Zayed University in Dubai, UAE, where he took a leading role in the development and deployment of several infrastructure information systems projects, leading all of the human and organizational aspects including the validation and testing of the solution, with a prominent role in the requirements capture and modelling phases.