
Computers & Security 27 (2008) 241–253

Available at www.sciencedirect.com

Journal homepage: www.elsevier.com/locate/cose

Information security awareness in higher education: An exploratory study

Yacine Rezgui*, Adam Marks

School of Engineering, Queen’s Buildings, The Parade 4th, CF24 3AA, Salford, Cardiff, United Kingdom

Article info

Article history: Received 18 December 2007; received in revised form 23 June 2008; accepted 22 July 2008

Keywords: Information security; Awareness; Higher education; Conscientiousness; Human factors; UAE

* Corresponding author. E-mail address: [email protected] (Y. Rezgui).

0167-4048/$ – see front matter © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2008.07.008

Abstract

The research explores factors that affect information security awareness of staff, including information systems decision makers, in higher education within the context of a developing country, namely the UAE. An interpretive case-study approach is employed using multiple data gathering methods. The research reveals that factors such as conscientiousness, cultural assumptions and beliefs, and social conditions affect university staff behaviour and attitude towards work, in general, and information security awareness, in particular. A number of recommendations are provided to initiate and promote IS security awareness in the studied environment.

© 2008 Elsevier Ltd. All rights reserved.

1. Introduction

Concerns for Information Systems (IS) security and confidentiality in a university computer network environment were expressed as early as 1975 (Kerievsky, 1976). Colleges and universities have been a target for cyber attacks for two main reasons (Katz, 2005): first, because of the vast amount of computing power they possess; and second, because of the open access they provide to their constituents and to the public. University networking infrastructures are not only designed to serve the needs of faculty, staff, and students, but also to accommodate the needs of visitors, and geographically distributed researchers sharing large quantities of data. While the nature of higher education requires openness to the public and a continuous sharing of information, a balance must be maintained to ensure that information assets are not put at risk or compromised. Unauthorized grade changes and persistent problems with registration or financial systems can undermine universities’ credibility and viability.

In this context, understanding the IT security threats and challenges facing higher education is essential to avoid potential loss of university information and knowledge assets. In less than three years, two major breaches have taken place at the University of Texas at Austin’s Business School: nearly 200,000 electronic records were illegally accessed, including students’ social security numbers and biographical material, and alumni- and staff-related data (Marks, 2007). On March 11, 2005, at the University of California, Berkeley, a laptop was stolen from a restricted area of the graduate division offices after being left unattended for a short period of time. The stolen laptop contained the names and associated social security numbers of 98,000 students (Marks, 2007). In fact, experts in computer security agree that universities are among the least secure IS environments. Only a fraction of universities provide security and conduct awareness training. This is confirmed by a quantitative survey of 435 higher education institutions by EDUCAUSE (Updegrove and Wishon, 2003). Only a third of the surveyed institutions had security awareness training for students and staff (North et al., 2006). Also, a recent study of the websites of 236 top-ranked schools (Marklein, 2006) found that just 27% posted easy-to-access policies on the collection and use of personal information. All the sites had at least one non-secure page with a data collection form. In fact, a third of higher education institutions experienced a data loss or theft in 2006, in particular of grades and exam questions, with 9% reporting a loss or theft of student personal information, which could affect millions of university students (Piazza, 2006). A number of universities now recommend building security awareness, training, and education components for students and staff, and emphasize that everyone needs to be aware of up-to-date IT threats so they can apply the security lessons in the most effective way (Piazza, 2006).

Students (aged 18–24) are high-risk and attractive targets for security attacks. This can be explained by the fact that students are typically transient and have less credit history than more established adults (Marks, 2007). A student may receive a web postcard in an e-mail and inadvertently install a Trojan horse on his system, becoming the victim of a clever social engineering attack (Marks, 2007). In this context, information technology experts in developed countries, including the United States, are taking advantage of heightened awareness of public safety to urge college and university officials to take steps to secure their campus computer networks (Ronald, 2001). Universities today need to enforce exposure to their usage policies in order to achieve better results. Relying only on end users to read the policies is less effective. Repeated exposure could increase user retention of policies, thus increasing awareness (Cronan et al., 2006).

However, most IS security managers pay more attention to technical issues and solutions such as firewalls, routers, and intrusion detection software, while paying less attention to soft issues such as the hazards caused by end users’ lack of IS security awareness (Katz, 2005). Information security awareness can be described as a state where users in an organization are aware of their security mission (Siponen, 2000). We can distinguish two categories of security awareness: framework and content (Siponen, 2000). The former concerns standardization, certification and measurement activities, while the latter addresses the human and socio-cultural aspects of information security awareness. Furthermore, Puhakainen (2006) points out that 59 IS security awareness approaches have been put forward by practitioners and scholars. These approaches can be classified into two categories. Studies in the first category consider IS security awareness to mean attracting users’ attention to IS security issues (e.g., Hansche, 2001; Katsikas, 2000). Studies in the second category regard IS security awareness as users’ understanding of IS security and, optimally, committing to it. While IS security awareness is commonly recognized, the number of studies that consider it in depth is limited. This may be attributed to (a) the non-technical nature of IS security awareness (Siponen, 2000), and/or (b) its scope, as it falls outside the traditional engineering and hard computer science domains (Dunlop and Kling, 1991).

IS security awareness plays a significant role in the overall information security of any organization (Thomson and von Solms, 1998; Straub and Welke, 1998). The important role of the human factor in IS security has been recognized by both the research community and IS security practitioners (Parker, 1998, 1999; Siponen, 2000, 2001). As such, users’ IS security awareness is reflected in their attitudinal and behavioural patterns (Beatson, 1991; Lafleur, 1992; Gaunt, 1998, 2000; Hone and Eloff, 2002; Mitnick, 2002; Puhakainen, 2006). However, these attitudinal and behavioural features have a socio-cultural and human dimension that needs to be analysed and understood to ensure users’ full commitment and adherence to IS security regulations.

The number of scientific studies that consider IS security awareness in developed countries, especially in higher education environments, is very limited (Marks, 2007). The situation is even more dire in the case of developing countries, where the socio-cultural environment combined with a lack of resources and knowledge may present even more barriers to promoting IS security awareness. The proposed research contributes to the body of knowledge by addressing these identified gaps.

The research explores factors that affect the information security awareness of staff, including information systems decision makers, in higher education within the context of a developing country, the UAE. Related work is first given, followed by an overview of the methodology that underpins the research. A comprehensive analysis of the case-study results is provided, followed by an in-depth discussion. Finally, the paper concludes with a set of recommendations to initiate and promote IS security awareness in the studied environment.

2. Related work

In recent years there have been increased information security considerations in organizations (Straub and Welke, 1998; Schlienger and Teufel, 2003). This is mainly due to the fact that information systems and the Internet are today used not only by organizations to increase their competitiveness, but also by criminals. This is becoming a trend in higher education institutions, which are experiencing an increase in security threats and attacks (Marks, 2007).

Based on recent studies (Whitman and Mattord, 2005), staff errors are rated among the top threats to information assets in organizations. It is essential to convince IS security staff of the imperative need to enforce information security measures (Pfleeger and Pfleeger, 2003). In fact, a single case of abuse can cost more than the establishment of a security system (Czernowalow, 2005). Enforcing security awareness through education and training is hence paramount. It is essential to ensure that all users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work (BS7799, 1999).

This section (a) discusses IS security and reviews current legislation and procedures, (b) examines IS security research with a focus on management issues, (c) discusses IS security from a Human Computer Interaction (HCI) perspective, and finally (d) reviews existing information security awareness approaches.


2.1. IS security concepts, legislation and procedures

Information security is a broad subject that requires an adapted definition. The literature refers to both "computer security" and "information systems security", and these two concepts seem to be used interchangeably. According to Ross (1999), computer security can be defined in terms of domains, functions, and/or concepts. In terms of domains, computer security can be categorized into physical security, operational security, personnel security, systems security, and network security. In terms of functional areas, computer security can be categorized into risk avoidance, deterrence, prevention, detection, and recovery. In terms of concepts, computer security can be categorized into confidentiality, integrity, authentication, access control, non-repudiation, availability, and privacy. McDaniel (1994) defines information security as the concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use. In this context information security can also be defined as preserving confidentiality, protecting information from unauthorized use, assuring integrity and accuracy, and making data available to authorized users on a timely basis (Updegrove and Wishon, 2003).

IS security is strongly related to the concept of risk. According to ISACA (2006), a risk is any event that may negatively affect the accomplishment of business objectives. The International Organization for Standardization (ISO) defines risk as the potential that a given threat will exploit vulnerabilities of an asset or group of assets. The relative severity of a risk is proportional to the business value of the loss or damage and to the estimated frequency of the threat.

In general, the principal reasons for providing IS security may include protection of resources, maintaining management control, ensuring safety and integrity, implementing policies and laws, and attaining operational advantages and economies (Turn, 1986).

Security failures can be costly to any institution. Losses may be suffered as a result of the failure itself or as a result of the cost incurred for recovery, followed by the further cost of securing systems and preventing further failures. It is worth noting that managers and employees also tend to think of IS security as a second priority compared with their own efficiency or effectiveness, because these have a direct and material impact on the outcome of their work (ISACA, 2006). In fact, security objectives cannot be met by technical and procedural protection only; an educated security attitude among employees, management, and external IT users and partners is also vital to ensure effective IS security. A measurement of the following elements can deliver a clear picture of where IS security stands within an organization: senior management commitment and support, policies and procedures in place, clear organizational structure, security awareness and education, monitoring and compliance, and incident handling and response (ISACA, 2006).

Information security threats include Deliberate Software Attacks, Technical Software Failure or Errors, Act of Human Error or Failure, Deliberate Act of Espionage or Trespass, Deliberate Act of Sabotage or Vandalism, Technical Hardware Failure or Errors, Deliberate Act of Theft, Forces of Nature, Compromises to Intellectual Property, Technological Obsolescence, and Deliberate Act of Information Extortion (Whitman and Mattord, 2005). Information security protection mechanisms include Use of Passwords, Media Backup, Virus Protection Software, Employee Education, Audit Procedures, Consistent Security Policy, Firewall, Violation Reporting, Auto Account Logoff, Monitor Computer Usage, Publish Formal Standards, Control of Workstations, Network IDS, Host Intrusion Detection, and Ethics Training (Whitman and Mattord, 2005).

Legislation relating to IT is becoming more prolific, with many countries enacting laws on issues such as copyright and software piracy, intellectual property and personal data. This legislative pressure requires the implementation of proper security policies and procedures (ISACA, 2006).

2.2. Management perspective of IS security

The vulnerability of organizations is increasing with the advent of electronic commerce and open network architectures (Barsanti, 1999). Better computer literacy, increased computer user sophistication, and the availability of advanced software tools may also contribute to increased IS security abuses in the future. Hence, management needs to pay more attention to IS security issues (Dhillon and Backhouse, 2000; Kankanhalli et al., 2003).

Management attention to IS security has been low compared to other IS issues (Brancheau et al., 1996; Olnes, 1994). In a global information security survey of midsize and large firms, less than 50% of the 459 CIOs and IT directors polled said they had IT security awareness and training programs for employees (Verton, 2002).

There are several plausible explanations for low management concern about IS security (Straub, 1990; Kankanhalli et al., 2003): (a) managers may make a deliberate decision to invest little in IS security because they think the risk of IS security abuses is low, (b) managers may be sceptical about IS security effectiveness due to the difficulty in evaluating the benefits, and (c) managers may lack knowledge about the range of controls available to reduce IS security abuses. To raise management involvement in IS security decisions, it is important to convince managers of the benefits of IS security efforts and let them know what kinds of IS security measures are effective under what organizational circumstances (Kankanhalli et al., 2003).
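The cost-benefit judgement that explanations (a) and (b) hinge on can be made concrete with the risk formulation from Section 2.1 (severity proportional to the business value of the loss and to the estimated frequency of the threat), which is the familiar annualised loss expectancy: ALE = single loss expectancy × annual rate of occurrence. The Python block below is an added worked example, not code or data from this paper or from Zayed University. It ranks three hypothetical campus scenarios by ALE and tests whether a candidate safeguard for each removes more expected loss per year than it costs to run. Every asset value, exposure factor, incident rate, safeguard cost and effectiveness figure in it is a constructed assumption for illustration only.

```python
"""Quantitative risk ranking and safeguard cost-benefit (ALE style).

Added worked example for the risk definition in Section 2.1 and the
management explanations above. All figures are constructed for
illustration; none come from the paper or from Zayed University.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset."""
    name: str
    asset_value: float       # business value of the asset (currency units)
    exposure_factor: float   # fraction of that value lost per incident, 0..1
    annual_rate: float       # estimated incidents per year (ARO)


@dataclass(frozen=True)
class Safeguard:
    """A control with a yearly cost and an assumed effect on the scenario."""
    name: str
    annual_cost: float
    rate_reduction: float = 0.0   # fraction by which the ARO falls, 0..1
    ef_reduction: float = 0.0     # fraction by which the exposure factor falls


def single_loss_expectancy(s: Scenario) -> float:
    """SLE: loss from one occurrence of the threat."""
    return s.asset_value * s.exposure_factor


def annualised_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO, i.e. 'value of the loss' x 'frequency of the threat'."""
    return single_loss_expectancy(s) * s.annual_rate


def residual_ale(s: Scenario, g: Safeguard) -> float:
    """ALE that remains once the safeguard is in place."""
    mitigated = Scenario(
        s.name,
        s.asset_value,
        s.exposure_factor * (1.0 - g.ef_reduction),
        s.annual_rate * (1.0 - g.rate_reduction),
    )
    return annualised_loss_expectancy(mitigated)


def net_benefit(s: Scenario, g: Safeguard) -> float:
    """Annual loss avoided by the safeguard minus what it costs to run."""
    return annualised_loss_expectancy(s) - residual_ale(s, g) - g.annual_cost


def worthwhile(s: Scenario, g: Safeguard) -> bool:
    """A safeguard is justified only if it removes more loss than it costs."""
    return net_benefit(s, g) > 0.0


def rank_by_ale(scenarios):
    """Highest expected annual loss first: where management should look first."""
    return sorted(scenarios, key=annualised_loss_expectancy, reverse=True)


# Constructed sample scenarios (hypothetical figures, not from the paper).
LAPTOP = Scenario("unencrypted laptop with student records stolen", 5_000_000, 0.20, 0.5)
PHISH = Scenario("staff PC infected via e-mail social engineering", 200_000, 0.50, 4.0)
DEFACE = Scenario("public web server defaced", 50_000, 1.00, 1.0)
SCENARIOS = (LAPTOP, PHISH, DEFACE)

# One candidate safeguard per scenario (hypothetical costs and effectiveness).
PLAN = {
    LAPTOP.name: Safeguard("full-disk encryption on staff laptops", 60_000, ef_reduction=0.9),
    PHISH.name: Safeguard("recurring security awareness training", 30_000, rate_reduction=0.6),
    DEFACE.name: Safeguard("managed web application firewall", 80_000, rate_reduction=0.9),
}


def evaluate(scenarios=SCENARIOS, plan=PLAN):
    """Return one row per scenario, ordered by ALE, with the safeguard verdict."""
    rows = []
    for s in rank_by_ale(scenarios):
        g = plan[s.name]
        rows.append({
            "scenario": s.name,
            "ale": annualised_loss_expectancy(s),
            "safeguard": g.name,
            "residual_ale": residual_ale(s, g),
            "net_benefit": net_benefit(s, g),
            "adopt": worthwhile(s, g),
        })
    return rows


if __name__ == "__main__":
    for r in evaluate():
        verdict = "adopt" if r["adopt"] else "reject"
        print(f"{r['scenario']:<48} ALE={r['ale']:>10,.0f}  "
              f"residual={r['residual_ale']:>9,.0f}  net={r['net_benefit']:>+9,.0f}  {verdict}")
```

Run as a script it prints the ranking. The third scenario is the case a manager in category (a) is implicitly arguing: the control costs more per year than the expected loss it removes, so declining it is the rational outcome, whereas the laptop encryption and the awareness training pay back several times their cost. Replacing the constructed figures with an institution’s own breach-cost and incident-rate estimates is the step that answers objection (b), the difficulty of evaluating the benefit.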

As highlighted in Kankanhalli et al. (2003), previous studies on IS security have focused on software for detecting IS security abuses (Straub and Nance, 1988), measures for preventing IS security abuses (Straub, 1990), perceptions of IS security adequacy (Goodhue and Straub, 1991), and IS security planning models for management decision-making (Straub and Welke, 1998). With the exception of a few interpretive studies (Backhouse and Dhillon, 1996; Baskerville, 1991; Siponen, 2006; Puhakainen, 2006), these studies tend to neglect organizational factors that may partially explain the extent of IS security abuses.

2.3. IS Security in the context of HCI

Initial work on HCI adopted a "human factors" approach where individuals are reduced to being another system component with certain characteristics (such as limited attention span, faulty memory, etc.) that need to be factored into the design equation for the overall human–machine system (Bannon, 1991; Kuutti, 1995). The HCI community then realized that this form of analysis of the human in his interaction with a system de-emphasizes important issues in work design, including individual motivation, membership in a team or community of users, and the importance of the setting in determining human action (Bannon, 1991). HCI has evolved over the years by viewing the user in a more complex way, as a human in a social system in which the computer plays an increasingly important role (Karat and Karat, 2003). The need for a multi-disciplinary approach has been acknowledged to provide better "contextuality", involving the users and their constructive relation with "systems" (Karat and Karat, 2003; Kuutti, 1995). Moreover, HCI necessitates the development of a general systems model so as to place the work in a wider context (Diaper and Sanger, 2006; Rezgui, 2007).

It is important to contribute to HCI research by adopting a holistic perspective where human, organizational, and technical issues are given equal consideration, to provide better contextuality and insight into the factors influencing IS security awareness. Also, while most related research is conducted in developed countries, it is interesting and important to consider HCI in the context of developing countries.

2.4. IS security awareness

Current IS security awareness approaches can be classified into two categories: studies which consider IS security awareness to mean attracting users’ attention to IS security issues (Hansche, 2001), and studies which consider IS security awareness to mean users’ understanding of IS security and, optimally, committing to it. According to Furnell et al. (1996), the need to promote IS security standards within an organization requires IS security awareness training. Furnell et al. also propose that all users should be aware of the disciplinary actions resulting from non-compliance with the organization’s IS security procedures. Similarly, Denning (1999) argues that IS awareness training and education is an essential part of defending IS security. The awareness program should communicate the organization’s IS security policies to users and make users aware of the risks and potential losses. Martins and Eloff (2002) take the user’s role into consideration when presenting a model for implementing and enhancing a culture of IS security. The model focuses on three levels of organizational behaviour: the organizational level, the group level, and the individual level. The model suggests that the organization’s IS security culture must be improved by taking human behaviour into account. It also suggests that each user should be informed, through IS security awareness, of his role in protecting information assets. Kovacich and Halibozek (2003) discuss implementing a continuous IS security awareness training program as part of the corporate asset protection program. The program’s aim is to make the target users aware of the need for asset protection practices, specific asset protection requirements, and the consequences of unauthorized actions. Barman (2002) emphasizes the employee’s role in adhering to IS policies by arguing that IS security awareness training should be implemented in order to succeed in writing and implementing organizational IS security policies. Banerjee et al. (1998) argue that organizations should introduce IS security awareness, make their ethical policy clear to their employees, and ensure that strong deterrents are in place. Murray (1991) argues that the incompetence of users who underestimate the dangers inherent in their actions represents the biggest IS security problem. He also believes that an efficient IS security awareness program can overcome this problem. Gaunt (1998) argues that a successful organizational IS security policy should incorporate clear definitions of user responsibilities for IS security. He further states that the most significant threat to IS security in an organization is its very own staff. The ISO/IEC standard 17799:2005 (second edition), "Information technology – code of practice for IS security management" (ISO, 2005), recommends that all employees, whether existing or newly hired, receive job-relevant awareness training in, and regular updates on, organizational IS security policies and procedures. In addition, the study underlines the commitment of management as an important factor impacting on users’ IS security awareness.

3. Methodology

The general aim of the research is to explore the levels of IS security awareness of higher education institutions in the UAE. The research addresses the following two main research questions:

• What are the current IS "security" challenges and threats facing universities within the context of a developing country?

• What are the levels of IS security awareness of higher education Information Systems decision makers and staff in relation to these challenges and threats?

An interpretive case-study approach is employed to conduct the research. The case study is Zayed University in the UAE. Zayed University was established in 1998 by the federal government of the UAE to educate UAE National women. The university receives its operating funds from the federal government, and it does not require students to pay tuition fees. The university has two separate campuses, one in Dubai and another in Abu Dhabi, led by a single administration in Dubai. It also has four sub-unit education centres which offer a variety of educational courses and degrees. The university focuses on education and learning, with less focus on research. Approximately 3000 students were enrolled in 2007. The university is based on an international model of higher education, with English as the primary language of instruction. The great majority of the 700 staff members come from the USA, Europe, and Australia. The university is organized academically into five colleges. Zayed University is IT oriented and offers several online services to students and staff (Zayed University Web Site, 2007).

Data collection took place during different time intervals to capture different phases of university operations. The study used the Computer Service Department (CSD) as the main unit of analysis, as it is the main custodian of IS assets and IS security within the University. According to Denzin and Lincoln (2000), researchers "emphasize, describe, judge, compare, portray, evoke images, and create for the reader or listener, the sense of having been there". To achieve this, the researchers employed a combination of quantitative (questionnaires) and qualitative (interviews, documentation, and observation) techniques in order to portray a holistic view of the participants and provide interpretive reflections. One of the researchers’ employment with Zayed University granted him greater insight into and sensitivity to the context, while giving him privileged access to university resources. Such privileges included access to infrastructure, materials, IT resources, and personnel. Throughout the process of this study, the researchers were sensitive to biases, being aware that there are multiple interpretations of reality (Merriam, 1988), hence the necessity of adopting an interpretive philosophical stance for the research.

The overall data collection period extended from July 2006 through September 2007, during which time (a) observation took place, (b) documents were collected, (c) questionnaires were distributed, and (d) interviews were conducted. The interview and questionnaire data gathering took place during the academic year, while documentation and observation were conducted on a continuous basis, including during summer holidays. All ethical approvals to conduct the research were obtained in advance. All participants were informed of their right to decline to participate in this study. They were also informed of their right to anonymity. The nature, purpose, and objective of the study were clearly explained to every participant. Brief details of each data gathering technique are given below:

• Questionnaire: for the quantitative component of this study, the questionnaire method was selected. The questionnaire was pre-tested by selected members in charge of IS at different universities in the UAE. The sample for the study included 45 CSD staff of Zayed University representing different sub-units within the department. The sample was based on systematic probability sampling where at least one person was chosen from each CSD sub-unit. The sample was identified based on what was practical and relevant to the study. The questionnaire process started by dispatching all 45 questionnaires to the sample; this was followed up by reminder telephone calls. The response rate achieved was 96%, with 43 of the 45 questionnaires returned completed. The data were coded and analysed using descriptive statistics such as mean, percentage, and frequency.

• Interviews: seven IS personnel and IS decision makers at Zayed University, including two IS managers and the deputy vice president of the university, were solicited to participate in a 30–60 minute interview conducted by one of the researchers (the one employed by Zayed). At least one person from each CSD sub-unit was selected. Some of the benefits of these interviews include: avoiding confusion or miscommunication that might have taken place in the questionnaire instrument; allowing the respondent to provide more accurate and precise information regarding the topic under investigation; allowing the researcher to ask further complex and follow-up questions; and seeking the views and capturing the perceptions of management staff in relation to IS security.

• Direct observation: the role of the researcher employed at Zayed as an observer varied during the study period. While the researcher was a practitioner researcher on some occasions, he was a participant observer, complete participant, or complete observer at other times. Observation is a time consuming process. The process started with the commencement of this study in 2005 and lasted for nearly three years. It initially started with the researcher being non-selective in what he observed, and progressed into focused observation of selected areas. The main idea behind observation is to discover what people do rather than what they say they do.

� Documents: a number of documents such as systems logs,

IDS reports, system manuals, training manuals, IS policies,

and similar type of documentations from Zayed University

were gathered and analysed to support the research find-

ings.

As stressed by Bonoma (1985), collecting different types of data by different methods, from different sources, produces a wider scope of coverage and results in a fuller picture of the phenomena under study than would have been achieved otherwise. Problems of construct validity have been addressed by the use of the variety of sources of information described above. The development of converging lines of inquiry in this manner is known as ‘‘triangulation’’, and is generally considered a process of using multiple perceptions to clarify meaning and assess the validity of an interpretation (Stake, 1995).

As an example of this, the collected documents provided qualitative and quantitative information that helped build an initial understanding of the problems, limitations, and requirements of the higher education sector in the UAE, and helped design the other research instruments, including the interview guide and questionnaire. Pattern coding (Miles and Huberman, 1994) is used to identify emergent themes, patterns, or explanations suggested by the qualitative information gathered from the selected instruments. Pattern coding reduces large amounts of data into a smaller number of analytic units and helps structure the investigated issues. The quantitative analysis (questionnaire) helped corroborate the qualitative issues that emerged from the research. It is important that the limits of this study be recognized. The researcher relied on information that was publicly available or given through the questionnaire and interviews. It is always possible that pertinent information might have been withheld for commercial, strategic, or political reasons; the impact of this has been anticipated through the development of converging lines of inquiry (triangulation).

4. Case-study fieldwork results

A number of categories emerged from the data analysis using pattern coding techniques of qualitative analysis (Miles and Huberman, 1994), aiming to assign units of meaning to the descriptive or inferential information compiled from qualitative data and to summarize segments of data. In order to analyze the qualitative data of the interviews, three processes were undertaken: creating interview transcripts, generating pattern codes, and drawing a checklist matrix. The first process involved converting all interviews into fully transcribed (word-processed) qualitative data. The second stage involved identifying patterns of data using iterative pattern coding within the transcribed interviews. The process involved assigning units of meaning to the descriptive or inferential information compiled from the interview transcripts. Twenty-three data units were identified and are listed in Table 1.

The data units identified as belonging to emerging data patterns from the interviews were subsequently aggregated into thematic groups as illustrated in Table 1. Each group was given an initial ‘pattern code’ that describes it. These initial pattern codes were refined through an iterative reading and analysis process and resulted in the following nine pattern codes: IS & Communication Systems Infrastructure; IS Goals and Objectives; IS Security Threats and Solutions; IS Staff; IS Laws, Legislations, Policies, and Procedures; IS Training Sessions, Manuals, and Documentations; IS Check and Balance Procedures; University Overall Vision, Goals, and Objectives; University Environment and Culture. Results from the questionnaires were also analysed using statistical methods and helped corroborate the qualitative issues that emerged from the research. These categories are discussed below.

4.1. IS & Communication Systems Infrastructure

A significant portion of the university annual fund is allocated to IS and communication activities. The data evidence gathered during this research portrays an IS and communication systems infrastructure very comparable to that of many Western higher education institutions. Zayed University requires every student and faculty member to have a laptop. Staff are provided with the latest editions of PCs. Users (including students) have access to email, Internet, Intranet, and other network services. Similar to many Western universities, Zayed University uses an ERP system for its student administration and transaction management. The university is also equipped with an IP telephony system, video-conference facilities, and state of the art classrooms.

Table 1 – List of data units and thematic groups

Thematic group 1: Information Systems
  Data Unit 1   Reliability of IS systems
  Data Unit 2   Efficiency of IS security technical and non-technical solutions
  Data Unit 3   Availability of competent IS security designated staff
  Data Unit 4   Comprehensive IS policy
  Data Unit 5   IS legal regulations and requirements
  Data Unit 6   IS business regulations and practices
  Data Unit 7   IS communication channels
  Data Unit 8   IS guidelines, standards, and procedures
  Data Unit 9   Effective IS security policy
  Data Unit 10  IS training sessions
  Data Unit 11  IS manual and documentation
  Data Unit 12  IS audit function
  Data Unit 13  Enforcement and accountability procedures
  Data Unit 14  IS goals and objectives
  Data Unit 15  IS security technical and non-technical solutions
  Data Unit 16  IS threats and solutions

Thematic group 2: General awareness
  Data Unit 17  University overall vision, goals, and objectives
  Data Unit 18  University environment and culture
  Data Unit 19  University educational model

Thematic group 3: IS perceptions
  Data Unit 20  University data
  Data Unit 21  Responsibility of IS security
  Data Unit 22  Overall level of satisfaction with IS security
  Data Unit 23  Reasons for satisfaction/dissatisfaction with IS security

Zayed University is dedicated to female students. The influence of the conservative culture of the UAE, which requires the preservation of values such as decency and honour, has a substantial impact on how the IS and communication infrastructure is set up, as confirmed by one of the interviewees from the university management staff: ‘‘We have the obligation and moral responsibility to look after the education of our female students based on our religious and cultural traditions. Our regulations are designed in that respect. This is one of the top priorities of our university’’. In fact, while most Western universities are not fenced or restricted to outside access, Zayed University is fenced and is not accessible to outsiders. Students are required to scan their IDs to register their arrival at and departure from university premises. Students are not allowed to leave the campus premises unless written permission from a guardian (usually the father) is obtained. Students are also not allowed to use mobile phones while on campus. Certain programs such as MSN and Yahoo are blocked since they could facilitate and encourage students to chat with strangers. The top concern behind these policies is not the fear of a threat to the network, but the fear of angering UAE families by violating the religious and ancestral culture of the UAE.

While the availability of IS and communication infrastructure may not be an issue, the utilization of these resources is definitely a problem. Contrary to many Western institutions, Zayed University did not have a needs analysis procedure. Most systems were selected based on the personal experience of a few decision makers or based on some form of agreement with particular vendors, as reported by one interviewee from the academic staff: ‘‘None of us (academics) are consulted about the choice of the Information Systems that the university acquires, despite this being our speciality area. Systems are purchased based on management staff past experience and their connections with software vendors. This is reflected in the inconsistent usage of the purchased systems’’. The university only uses the Accounts Payable and Purchasing components of the SunGard SCT Banner Finance system, while leaving the Bids, Receiving, Store, Approvals, and Fixed Assets components of the system unused. The Human Resources Information System (HRIS) is only used for human resources and payroll transactions, although it contains a budget development model. Position control is not included. Students are not given the ability to interact directly with the Banner student module; instead, registration and many other related administration functions are conducted directly by staff. Many university departments use parallel systems. For example, while the university’s HRIS should be the official source for vacation requests, many departments refer back to their own MS Excel or MS Access systems for vacation requests.

4.2. IS goals and objectives

The IS goals and objectives in Zayed University are not stated in internal documentation nor on the university Intranet web site. A statement by the help desk unit is the only exception. Many of the questionnaire respondents could not identify the goals and objectives of IS or the Computer Service Division (CSD). This can be partly explained by the work structure of Zayed’s employees, who in their majority hold temporary 1–3 year position contracts, as reported by one academic interviewee from Algeria: ‘‘My main concern is to sustain my position. I have been told that my two-year contract can be terminated at any time with short notice. Hence, my main concern is to make my CV marketable by continuously publishing in leading journals’’. In fact, academics and foreign administrators do not exhibit a great concern about the university as they see their employment with Zayed as more transitional than permanent. It is interesting to note that while Zayed does not offer online courses and online registration, 24% of the respondents identified online courses and 27% of the respondents identified online application and registration as electronic services offered by the university.

Locals, from the UAE, seem to adopt a self-sufficient approach as they have been brought up in an environment where they rely on expatriates for the various operations of key institutions of the country. Also, university managers are in their majority retired academics from Western universities. They aspire to a quiet end of their career and do not seem to be interested in taking up any challenge that could enhance the status of the university.

4.3. IS security threats and solutions

In terms of security goals and objectives, the respondents were asked to identify key security challenges faced by their university (from a given list of common IS security challenges). Fifty-five percent of the respondents identified ‘preventing denial of service’; 48% identified ‘improving the network tractability’; 69% identified ‘ensuring privacy and confidentiality’; 41% identified ‘implementing higher levels of authentication mechanisms’; finally, 62% identified ‘ensuring the integrity of data’ as key security challenges faced by Zayed. Unfortunately, available systems documentation, manuals, and stated policies in Zayed University do not address IS security goals. Most of the documentation addresses the issue of availability and support. In fact, many of the respondents did not regard IS security as a major concern. They also did not see themselves as part of the solution. The IS security function in Zayed University is not centralized or dedicated to a specific position. In the eyes of many respondents, IS security was synonymous with network security. A number of respondents from CSD reported that security threats faced in recent years included: deliberate software attacks, technical software failure, acts of human error, deliberate acts of espionage or trespass, deliberate acts of sabotage, technical hardware failure, deliberate acts of theft, deliberate acts of information extortion, technological obsolescence, and compromises of intellectual property. In fact, based on their perceptions, IS security threats were synonymous with external hacking, as reported by 48% of the respondents, while IS security solutions are considered to be already provided through the IT procedures set up by CSD, as reported by one of its staff: ‘‘Our university is equipped with the best security systems and we work hard to monitor external attacks to our systems from hackers that originate from foreign countries’’. The gathered evidence clearly illustrates how uninformed and unaware staff in general are regarding IS security matters. In terms of existing solutions, interviewees reported the use of one or more of the following approaches to defend against the above IS security threats: password authentication, media backup, virus protection, firewalls, intrusion detection and prevention tools, IS policies, audit procedures, employee training and education, violation reporting, and computer use monitoring.

Zayed University did not have a central point of contact regarding IS security problems and matters. In fact, it was not even clear who was in charge of IS security issues. The person in charge of network security did not regularly meet with other key IS security stakeholders such as the DBA who handles database security or the IS analysts who handle application security. Zayed University appeared to adopt a reactive rather than a proactive approach to IS security awareness.

4.4. IS staff

Almost 80% of the population and the workforce of the UAE are comprised of foreign expatriates. Many of the expatriates working in Zayed University come from North America and Europe, and with them they bring valuable experience. They come with the understanding that this is a temporary contract. While some contracts are renewable, the feeling is that the job could expire at any time and for any reason. This discourages employees from pursuing long-term activities and planning. In addition, while it is commonly recognized that most jobs require a learning curve, the context of a temporary contract makes the return on investment more difficult to attain. It also affects overall job performance, as experienced employees are replaced with inexperienced ones when contracts are due.

With the exception of the help desk unit, IS staff in Zayed University are hardly recognizable. CSD does not have a web page providing IS staff member names, titles, locations, contact information, and specialities. Contact with the help desk may be established by phone, email, and web page log. Other CSD units, including networking and software support, are not advertised. As a result, the university community is mainly aware of the help desk function only. Most users usually visit CSD when a need arises. Two things seem striking when working with CSD staff: one is how lax they are regarding IS security matters, and the second is how they make users feel they are doing them a favour rather than providing a service, as reported by one academic respondent: ‘‘every time I experience an IS problem, I prefer to deal with it myself instead of asking support from IS staff. This might end up taking me more time than expected resolving the problem. But, I prefer this rather than asking IS people for a favour’’. It could literally take days for a simple problem to be resolved simply because nobody wants to work on it. Trial and error solutions are widespread. IS staff are not governed by a policy or law. CSD, again with the exception of the help desk unit, does not have a mission statement.

4.5. IS laws, legislations, policies, and procedures

It is interesting to note that 59% of the respondents were under the assumption that the university IS policy is subject to audit, while no such thing exists in Zayed. In fact, only 24% of the respondents are aware that the university does not have an IS policy. Also, the great majority (86%) did not know who is in charge of IS security-related issues. The culture and the religion of the UAE are the main sources of legislation in the UAE. In fact, even though the country has a judiciary system, culture may sometimes take precedence over the law. While many IS legislations have been established in the US and the UK, and while many standards are heeded by agencies and organizations, it was not until 2006 that the first two IS legislations came into existence in the UAE. Both laws are young, immature, incomprehensive, and not yet challenged; however, they are a step in the right direction.

Zayed University does not have an IS policy or an IS security policy, and has made no effort to educate its users about the newly issued laws. When asked, most respondents referred to the one-page PC acceptable use policy as the university IS policy, as reported by one interviewee from the academic staff: ‘‘In my previous university in Canada there used to be continuous training and campaigning about the importance of security. I am surprised about the immaturity of Zayed in that respect and this does not seem to bother our managers’’.

The two IS laws issued in 2006 are to a large extent identical to the IS laws issued in the state of Dubai in 2002. Since state laws are not applicable to federal institutions, and since the UAE does not support political participation, it was not until Sheikh Mohammed Bin Rashid became prime minister of the UAE that these two IS laws were made available at the federal level. Another reason that could be attributed to the issuance of these two laws is the upsurge of the stock market in Dubai and Abu Dhabi, which led many locals and foreigners to join the stock market and use electronic transactions.

4.6. IS training sessions, manuals, and documentations

A majority, 52%, of the respondents believe that Zayed has manuals and documentation for its information systems. In fact, the researchers’ investigation revealed that the university has poor IS manuals and documentation. Unfortunate but true, once hired, some Zayed University employees are expected to perform critical jobs with absolutely no training and no documentation. Although 66% of the respondents believed the university to provide regular system training to employees, the reality does not reflect the respondents’ assumption, as confirmed by several interviewees and by the researchers through 2 years of observation. IS training is barely practised. The help desk unit provides office automation tools training from time to time. However, since the university’s inception in 1998, the university has not offered a single IS security training session. Recently, the help desk unit added to its web page a list of ‘How to’ topics. The list includes how to create a backup CD and how to archive emails. It was not until recently that the university introduced a strong password authentication mechanism.

4.7. IS check and balance procedures

Zayed University does not conduct external and/or internal IS audits. The university internal audit function is comprised of one internal auditor and two state auditors, overseeing mainly financial operations. CSD has not conducted an IS audit since the university’s inception. In fact, CSD did not have written IS standards and procedures. This stance clearly illustrates the status of IS security in Zayed University.

4.8. University overall vision, goals, and objectives

In spite of the fact that the goals and objectives of Zayed University as an institution are stated on its Internet home page, the majority of users were unaware of the university goals and objectives. Most of the respondents believed that the university offers online courses and that students register online. More ironically, they believed that students pay their tuition fees online. Many of the respondents were not aware of the graduate work of Zayed University. This lack of awareness could be attributed to the lack of, or inefficient, communication by management, as reported by one interviewee: ‘‘Management should ensure not only that employees are aware of the main goals and objectives of the university, but also ensure that these goals and objectives are aligned with department goals and objectives’’.

4.9. University environment and culture

Zayed University uses a centralized management style. The vice president and the provost are the main steering powers in the university. Faculty and staff participation is very limited, as reported by one interviewee from CSD: ‘‘Decision-making in relation to Information Systems and related issues is dictated by university top management with no or limited consultation with us. There is a clear lack of participation as we are seen as temporary employees with no strategic impact on university operations’’. Since university operations are fully funded by the federal government, government opinion is highly taken into consideration. The university represents a prototype. The majority of Zayed University’s educators come from North America. In addition to their educational experience, they bring with them English as a native language, the latest technology, American culture, and market value.

Nevertheless, the university tries to ensure that Western culture does not interfere with UAE culture and religious beliefs. While trying to get the best of both worlds, the university tries to focus on commonalities and avoid differences. Most students wear Islamic clothing and do not freely interact with male teachers unless within the class context. This creates a barrier for admin and technical staff to disseminate and impose any technical regulation or procedure. In addition, most students come from wealthy and privileged families. The general feeling of staff, including academics and technical employees, is not to upset these female students, as the consequences can be damaging for their careers, as reported by one academic staff member: ‘‘I have been advised to be generous with my marking style so as not to upset students who can have an influential role (through their parents) in deciding the future, including renewal, of academic staff contracts’’. This contrasts with the democratic environment of higher education in the West.

5. Discussion

Several common themes emerged from the different data collection methods used in this study. While some of the results are in line with findings from existing studies, such as the study of the EDUCAUSE Centre for Applied Research (Updegrove and Wishon, 2003), their recurrence within the context of the studied environment suggests careful consideration. While acknowledging that cultures, resources, and technical environments do vary compared to the West, it is also understood that no single reported security practice is exclusive. In this section, we discuss the results and attempt to answer the two research questions of the study.

The first research question sought to investigate the different IS threats, whether technical or not, faced by a typical higher education institution within the context of a developing country. The main challenge faced by Zayed is reflected in the conflicting requirements of an educational model borrowed from the West and the conservative environment, rooted in deep cultural and religious beliefs, surrounding the university. The findings of the study indicate that in general IS threats were mostly similar to those reported in similar investigations in developed countries (Updegrove and Wishon, 2003). What tends to vary are the causes and sources of these threats and the ways in which these are perceived and dealt with by university IS managers and staff. In general, respondents reported that IS threats faced by their institution may take the form of: a deliberate software attack, technical software failure, act of human error, deliberate act of espionage or trespass, deliberate act of sabotage, technical hardware failure, deliberate act of theft, deliberate act of information extortion, technological obsolescence, and compromises of intellectual property. IS threats were generally perceived as external, caused by elements with no legitimate access to university IS resources.

Similar to their counterparts in the West, interviewees reported the use of one or more of the following approaches to defend against the above IS security threats: passwords, media backup, virus protection, firewalls, intrusion detection and prevention tools, IS policies, audit procedures, employee training and education, violation reporting, and computer use monitoring. However, some of the above measures are not well applied or are not reflected in the operations and practices of Zayed University, which tends to adopt a reactive rather than proactive approach towards IS security threats.

The second research question sought to explore and assess the levels of IS security awareness of IS personnel and decision makers within the examined higher education environment with respect to the threats and challenges investigated in research question one.

Interviewees reported that Zayed placed more emphasis on external and technical threats than on internal and non-technical ones. The university suffers clear symptoms of the lack of IS security awareness, presented in the spread of user errors, software failures, social engineering problems, and data leakage problems. In fact, the lack of application of IS security awareness has a direct relationship with how the university’s IS assets are viewed and valued. In addition, it leads to the misalignment of IS goals and objectives with the institution’s overall mission and strategic objectives.

While the lack of application of IS security awareness in Zayed University emerges as one of the main causes behind IS security ill practices, it could be attributed to unique elements specific to the environment of the UAE. First and foremost is the lack and the immaturity of IS legislation in the UAE. The public use of the Internet is only a few years old. Ill practices could also be attributed to the distrust of computers and technology, especially by the older generation. The conservative culture and customs of the UAE, especially of the older generations, do not encourage the use of new technology. Computers and the Internet are sometimes viewed as accessories to evil materials and ideas. This can be even more difficult for female students, whose interaction with the outside world is viewed as something that should be limited and sometimes monitored. These views are slowly fading away with the increased number of Internet subscribers, and as the younger generations become more educated and interactive with computers. The government has played a positive role in embracing technology use in schools and universities in the last few years.

Another reason behind the perceived lack of IS security awareness in the UAE is the nature of the employment contracts. Although 80% of the UAE population and workforce are comprised of foreign expatriates, the UAE does not offer its residents a long-term perspective in terms of immigration or naturalization status, resulting in serious problems of lack of conscientiousness from staff. Conscientiousness here is defined as a measure of goal-directed behaviour and amount of control over impulses (Heinstrom, 2003). In fact, the human tendency towards improvement can be fostered through conscientious human endeavour (Tracy and Tracy, 2000). This implies that each individual must be included, not just to meet his/her needs, but for the assets which they can offer the community (Flora, 1997), and in our context Zayed University. Hence, careless IS practices in Zayed may also be attributed to the nature of employment in the UAE, where the great majority of employees (more than 80%) are on temporary contractual agreements. For many IS managers and university staff, this feeling of being a temporary employee does not encourage long-term and ongoing activities such as IS security planning and education.

It is interesting to note that the findings of EDUCAUSE (Updegrove and Wishon, 2003) indicate that only 8% of the respondents from North American universities had no institutional IS security policy. Fifty-seven percent of the respondents employed a password change mechanism with a grace period of 90 days or less. Forty-five percent of the respondents reported the use of incident-response procedures. The EDUCAUSE findings also indicate that the IS security function was often the charge of the director of networking, the IS chief security officer, or the chief information officer. Thirty-nine percent of the respondents indicated the use of an IS awareness program in their institutions. Thirty percent of the respondents reported the use of risk assessment and audit procedures in their institutions. Existing acts and legislation in the US necessitated a minimum level of IS security awareness in higher education institutions. Zayed University did not have an IS security policy, audit procedures, training sessions, training materials, or an IS security dedicated function. Most of the surveyed individuals were unable to identify or locate IS resources, training sessions, training materials, existing policies, and IS staff. In fact, CSD did not have a web page, comprehensive policies, or published materials, with the exception of the help desk function, which is attributed to the individual effort of the sub-unit manager. It was found that the majority of interviewees had not changed their password since they were hired more than eight years ago. Those who had did so voluntarily. The university did not have a comprehensive IS policy, IS security policy, or central IS security contact point, and it did not offer IS security training or training materials to its employees or students.
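The EDUCAUSE figure on password change mechanisms and the finding that most interviewees had never changed their password since being hired suggest a concrete check that an IS audit function (which the paper notes Zayed lacked) would run. The following is an added example, not code from the paper, from Zayed University, or from EDUCAUSE: a small Python audit over a constructed account export (usernames, hire dates and last password change dates, all invented for illustration) that reports which accounts are within a 90-day maximum password age, which have exceeded it, and which still carry the initial password issued at hire. The 90-day threshold is the grace period quoted above; the `Account` fields and the `audit` and `compliance_rate` functions are assumptions of this example.

```python
"""Password-age compliance audit over a constructed account export (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Maximum password age used by the check. The 90-day figure is the grace period
# reported for North American universities in the EDUCAUSE study cited in the text.
MAX_PASSWORD_AGE_DAYS = 90


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical directory export."""
    username: str
    hired: date                              # date the account and its initial password were issued
    last_password_change: Optional[date]     # None: initial password never changed


# Constructed sample data; not real Zayed University records.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("a.user", date(1999, 9, 1), None),                # never changed since hire
    Account("b.user", date(2006, 2, 14), date(2006, 2, 14)),  # changed once, on the hire date
    Account("c.user", date(2007, 10, 1), date(2008, 5, 20)),  # changed recently
    Account("d.user", date(2003, 3, 3), date(2007, 1, 10)),   # changed, but long ago
]

# Constructed audit date, chosen to fall inside the study period.
AUDIT_DATE = date(2008, 6, 30)


def password_age_days(account: Account, today: date) -> int:
    """Days since the password was last set.

    An account whose initial password was never changed is as old as the
    account itself, so its hire date stands in for the last change date.
    """
    last_set = account.last_password_change or account.hired
    return (today - last_set).days


def classify(account: Account, today: date,
             max_age: int = MAX_PASSWORD_AGE_DAYS) -> str:
    """Return 'never_changed', 'expired' or 'compliant' for one account."""
    if account.last_password_change is None:
        return "never_changed"
    if password_age_days(account, today) > max_age:
        return "expired"
    return "compliant"


def audit(accounts: List[Account], today: date,
          max_age: int = MAX_PASSWORD_AGE_DAYS) -> Dict[str, List[str]]:
    """Group usernames by their password-age verdict, preserving input order."""
    report: Dict[str, List[str]] = {"never_changed": [], "expired": [], "compliant": []}
    for account in accounts:
        report[classify(account, today, max_age)].append(account.username)
    return report


def compliance_rate(report: Dict[str, List[str]]) -> float:
    """Percentage of audited accounts whose password is within the maximum age."""
    total = sum(len(names) for names in report.values())
    if total == 0:
        return 0.0
    return round(100.0 * len(report["compliant"]) / total, 1)


if __name__ == "__main__":
    result = audit(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for verdict, names in result.items():
        print(f"{verdict:14s} {len(names):2d}  {', '.join(names)}")
    print(f"compliance rate: {compliance_rate(result)}%")
    oldest = max(SAMPLE_ACCOUNTS, key=lambda a: password_age_days(a, AUDIT_DATE))
    print(f"oldest password: {oldest.username}, "
          f"about {password_age_days(oldest, AUDIT_DATE) // 365} years")
```

The account that changed its password only on its hire date (`b.user`) is deliberately included: a check that only asks "has a change ever been recorded?" would pass it, whereas the age-based check reports it as expired alongside `d.user`. Splitting out the never-changed group separately from the expired group matters for remediation, since the first group has never been through the change procedure at all and is the population the paper's training findings point at.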

Three main security awareness issues emerge from the

above discussion of the results and corroborate related studies

(Puhakainen, 2006):

• IS Security Awareness Training: according to the EDUCAUSE study, higher education institutions with IS security awareness training programs were considered more successful and more advanced in IS security than institutions without. Thirty-nine percent of the examined higher education institutions in the US had an IS security awareness program. Almost 50% of the examined institutions in the US offered some form of IS security training program. Many of these institutions also have a certified dedicated IS security coordinator in place. Seventy-five percent of the examined higher education institutions in the US viewed IS security as one of the top three IT issues confronting higher education. Although Zayed University is rich in IS resources, it did not offer IS security training. This was clearly reflected in the level of IS security awareness of Zayed University IS users. Many of the respondents were not acquainted with basic IS security practices, including how to change their passwords or how to back up their data. Users shared their passwords. Operative, unlocked PCs were sometimes left unattended. Laptops were not locked and were left on display. Users were confused regarding the existence of an IS security policy, although none of them had seen one. Users were not aware of existing IS legislation. They could not tell how to locate an IS staff member. Users could not identify the university IS goals and objectives. More importantly, users regarded university data as ‘of no interest to them’.

• IS Security Awareness Campaigning: the help desk sub-unit in Zayed University is the only unit of CSD with a mission and goals advertised to IS users. The advertisement and campaigning of IS-related legislation can serve as a deterrent tool. It can also be used as a tool to increase user awareness and compliance. Users should be able to identify whom to contact in case of need. The advertising of this information can speed up the reporting of IS security-related issues. However, none of these were reported in Zayed. Many universities in the US include references to IS-related legislation, including the Computer Fraud and Abuse Act and the Computer Security Act. No reference to the newly issued IS-related legislation was found in Zayed University. It has never used campaigning to promote IS security awareness.

• IS Security Awareness Reward and Punishment: there was a clear lack in Zayed of an awareness program that incorporates reward for compliance with IS security instructions and incorporates punishment for violating IS security instructions. The University does not offer an IS security breach statement. A security policy is a concise statement by the university to establish goals, and to communicate the information value, protection responsibilities, and organizational commitment. IS security policies need not only to be communicated to users, but also to be enforced. It is interesting to note that only 8% of the examined higher education institutions in the US had no form of IS security policy.

In order to assess the effectiveness of the measures in place and perform adjustments as necessary, and to establish reward and punishment, IS check and balance procedures should be implemented. Although lower than expected, 45% of the examined higher education institutions in the US reported the existence of incident-response systems, while 30% reported the use of risk assessment and audit procedures. Zayed University also possesses an incident-response system, but does not perform any type of IS auditing.

While the authors agree with Puhakainen’s (2006) application of training, campaigning, and reward and punishment as effective tools in achieving IS security awareness, they believe that the combined use of the three IS security awareness approaches will yield better results than the independent use of these approaches. In fact, Puhakainen states that the three IS security awareness approaches (training, campaigning, reward and punishment) can be used independently. However, Sims and Lorenzi (1992) have argued that there is a need for an appropriate balance between the use of punishment and reward.

The authors believe that the absence of one of the three above approaches significantly weakens the effectiveness of the other two. Gathered data suggest that improper or insufficient IS security training may make it more difficult for institutions to hold users to the desired IS security behaviour. Similarly, improper or insufficient IS security campaigning and advertising may leave users to their own interpretations and conceptions regarding the use of IS and IS security. While campaigning IS security best practices is important, it is equally important to campaign and advertise regular and upcoming IS security training sessions and training materials. Finally, the lack of reinforcement measures in the form of punishments and/or rewards may cast doubt on the commitment and seriousness of the institution. An institution should not reward or punish IS security behaviour if it has not communicated the proper way of conduct. Creating policies alone is not enough; policies are not effective if they are not published, communicated, and understood by those expected to follow them.

6. Conclusion

Environments and their setup play a major role in influencing IS security awareness. These are reflected in existing legislation, policies, procedures, standards, the nature of the working environment, and how data and computers are viewed.

Zayed University is the first experiment to establish a technology-based public university with an advanced higher education model similar to the model in North America. Growing pains are expected, and maturity with time is attainable. During this study, the first two federal laws pertaining to IS security were issued in the UAE. The laws address specific aspects of cyber crimes and electronic trading. With the number of connected users increasing every day in the UAE, the number of cyber crimes is expected to increase, and so are the complexity and maturity of the IS legal system in the UAE.

Based on gathered sources of evidence, the authors believe that the following recommendations are not only necessary to establish IS security awareness, but also to establish mutual understanding of IS security in the context of Zayed:

• Review and resolve the employment and contractual status of staff. Address employees’ employment concerns and establish trust and cohesiveness across the various schools and sections of the university.

• Establish IS security policies and procedures. Policies need to be tailored to Zayed’s and, more generally, the UAE’s environment. They also need to be achievable, clear, and easy to understand.

• Campaign IS security awareness best practices and advertise IS security training sessions and materials. It is also important that these messages reach as many users as possible and allow enough time for users to participate.

• Train users on IS security best practices to increase their awareness. Training should be regular. Basic-level training should be mandatory for all users. It is also recommended that training be included in the induction program for new hires and new students. The establishment of training ensures that users are informed and can be held liable for IS misconduct. It is also important that the message and materials of IS training are the same regardless of who the trainer is.

• Practice reward and punishment. It is important to monitor performance, and to advertise reward and punishment of IS conduct or misconduct. This is necessary not only for reinforcement, but also to illustrate the level of commitment of the organization to its IS security.

• Carry out continuous evaluation and readjustment. Evaluation of the effectiveness of the adopted IS security approaches, and application of adjustments, is necessary to achieve the main aim.

It is highly expected that with time, use, and maturity, the status of IS security awareness will significantly improve in the higher education sector in the UAE. While it is important to establish IS security awareness in higher education, a viable system of higher education is a definite pre-requisite.

Acknowledgement

The authors would like to thank the two anonymous referees for the useful comments and suggestions made. The authors alone are responsible for any errors and omissions.

References

Backhouse J, Dhillon G. Structures of responsibility and security of information systems. European Journal of Information Systems 1996;5(1):2–9.

Banerjee D, Cronan TP, Jones TW. Modeling IT ethics: a study in situational ethics. MIS Quarterly 1998;22(1):31–60.

Barman S. Writing IS security policies. Indianapolis: New Riders Publishing; 2002.

Bannon LJ. From human factors to human actors: the role of psychology and human–computer interaction studies in system design. In: Greenbaum J, Kyng M, editors. Design at work: cooperative design of computer systems. Hillsdale: Erlbaum; 1991. p. 25–44.

Barsanti C. Modern network complexity needs comprehensive security. Security 1999;36(7):65–8.

Baskerville R. Risk analysis: an interpretive feasibility tool in justifying information systems security. European Journal of Information Systems 1991;1:121–30.

Beatson JG. Security – a personnel issue. The importance of personnel attitudes and security education. In: Dittrich K, Rautakivi S, Saari J, editors. Computer security and information integrity. Amsterdam: Elsevier Science Publishers; 1991. p. 29–38.

Bonoma TV. Case research in marketing: opportunities, problems, and a process. Journal of Marketing Research 1985;22:199–208.

Brancheau JC, Janz BD, Wetherbe JC. Key issues in information systems management: 1994–95 SIM Delphi results. MIS Quarterly 1996;20(2):225–42.

BS7799. Code of practice for information security management. UK: British Standards Institute; 1999.

Cronan TP, Foltz B, Jones TW. Piracy, computer crime, and IS misuse at the university. Communications of the ACM 2006;49(6):84–90.

Czernowalow M. Lack of policy causes IT risks. Available from: ITWEB, <http://www.itweb.co.za> [accessed 15.07.05].

Denning DE. Information warfare and security. USA: ACM Press; 1999.

Denzin NK, Lincoln YS. The handbook of qualitative research. 2nd ed. London: SAGE Publishing; 2000.

Dhillon G, Backhouse J. Information system security management in the new millennium. Communications of the ACM 2000;43(7):125–8.

Diaper D, Sanger C. Tasks for and tasks in human–computer interaction. Interacting with Computers 2006;18(2):117–38.

Dunlop C, Kling R. Social relationships in electronic communities. In: Computerization and controversy: value conflicts and social choices. San Diego, CA: Academic Press Professional, Inc.; 1991.

Flora C. Building social capital: the importance of entrepreneurial social infrastructure. Rural Development News 1997;21(2):1–3.

Furnell SM, Gaunt PN, Holben RF, Sanders PW, Stockel CT, Warren MJ. Assessing staff attitudes towards information security in a European healthcare establishment. Medical Informatics 1996;21(2):105–12.

Gaunt N. Installing an appropriate IS security policy in hospitals. International Journal of Medical Informatics 1998;49(1):131–4.

Gaunt N. Practical approaches to creating a security culture. International Journal of Medical Informatics 2000;60(2):151–7.

Goodhue DL, Straub DW. Security concerns of system users: a study of perceptions of the adequacy of security. Information and Management 1991;20(1):13–27.

Hansche S. Designing a security awareness program: part I. Information System Security 2001;10(1):14–22.

Heinstrom J. Five personality dimensions and their influence on information behaviour. Information Research 2003;9(1):165.

Hone K, Eloff JHP. What makes an effective information security policy? Network Security 2002;6:14–6.

Information Systems Audit and Control Association. Information systems auditing manual. ISACA; 2006.

International Organization for Standardization. ISO/IEC 17799, information technology – code of practice for IS security management. 2nd ed. ISO; 2005.

Kankanhalli A, Teo HK, Tan BCY, Wei KK. An integrative study of information systems security effectiveness. International Journal of Information Management 2003;23:139–54.

Karat J, Karat CM. The evolution of user-centered focus in the human computer interaction field. IBM Systems Journal 2003;42(4):532–41.

Katsikas SK. Health care management and information system security: awareness, training or education? International Journal of Medical Informatics 2000;60(2):129–35.

Katz FH. The effect of a university information security survey on instructing methods in information security. In: Proceedings of the second annual conference on information security curriculum development; 2005. p. 43–8.

Kerievsky B. Security and confidentiality in a university computer network. ACM SIGUCCS Newsletter Archive 1976;6(3):9–11. New York, NY: ACM.

Kovacich GL, Halibozek EP. The manager’s handbook for corporate security: establishing and managing a successful assets protection program. USA: Butterworth-Heinemann; 2003.

Kuutti K. Activity theory as a potential framework for human computer interaction research. In: Context and consciousness: activity theory and human computer interaction. Cambridge: MIT Press; 1995.

Lafleur LM. Training as part of a security awareness program. Computer Control Quarterly 1992;10(4):4–11.

Marklein MB. The new learning curve: technological security. USA Today, http://www.usatoday.com/tech/news/computersecurity/hacking/2006-08-01-college-security_x.htm 2006 [accessed 20.06.08].

Martins A, Eloff JHP. IS security culture. In: Proceedings of IFIP TC-11 17th International Conference on IS security (SEC2002); 2002.

Marks A. Exploring universities’ information systems security awareness in a changing higher education environment: a comparative case study research. PhD thesis, University of Salford; 2007.

Merriam SB. Case study research in education. A qualitative approach. San Francisco: Jossey-Bass, Inc.; 1988. p. 246.

McDaniel G. IBM dictionary of computing. New York: McGraw-Hill, Inc; 1994. p. 1.

Miles MB, Huberman AM. Qualitative data analysis, an expanded source book. Beverly Hills: Sage; 1994.

Mitnick KD. The art of deception: controlling the human element of security. USA: Wiley Publishing; 2002.

Murray B. Running corporate and national security awareness programs. In: Proceedings of the IFIP TC11 seventh international conference on IS security; 1991. p. 203–7.

North MM, Roy G, North SM. Computer security ethics awareness in university environments: a challenge for management of information systems. In: Proceedings of the 44th annual southeast regional conference (ACMSE) 2006, Melbourne, Florida, March 10–12. p. 434–9.

Olnes J. Development of security policies. Computers and Security 1994;13(8):628–36.

Parker DB. Fighting computer crime: a new framework for protecting information. USA: John Wiley & Sons; 1998.

Parker DB. Security motivation, the mother of all controls, must precede awareness. Computer Security Journal 1999;15(4):15–23.

Pfleeger CP, Pfleeger SL. Security in computing. 3rd ed. Prentice Hall; 2003.

Piazza P. Security goes to school. Security Management 2006;50(12):46–51. Arlington.

Puhakainen P. A design theory for information security awareness. PhD thesis, University of Oulu; 2006.

Rezgui Y. Exploring virtual team-working effectiveness in the construction sector. Interacting with Computers 2007;19:96–112.

Ronald R. Ringing the alarm on campus computer security. Black Issues in Higher Education 2001;18(20):50–1.

Ross ST. Unix systems security tools. The McGraw-Hill Companies; 1999. p. 444. ISBN-10: 0079137881; ISBN-13: 978-0079137883.

Schlienger T, Teufel S. Information security culture – from analysis to change. South African Computer Journal 2003;31:46–52.

Sims HP, Lorenzi P. The new leadership paradigm, social learning and cognition in organizations. Newbury Park: Sage Publications; 1992.

Siponen MT. A conceptual foundation for organizational information security awareness. Information Management & Computer Security 2000;8(1):31–41.

Siponen MT. Five dimensions of information security awareness. Computers and Society 2001;31(2):24–9.

Siponen M. Information security standards focus on the existence of process, not its content. Communications of the ACM 2006;49(8):97–100.

Stake RE. The art of case study research. Thousand Oaks: Sage; 1995.

Straub DW. Effective IS security: an empirical study. Information Systems Research 1990;1(3):255–76.

Straub DW, Nance WD. Uncovering and disciplining computer abuse: organizational responses and options. Information Age, ISSN: 0261-4103, 1988;10(3):151–6.

Straub DW, Welke RJ. Coping with systems risk: security planning models for management decision making. MIS Quarterly 1998;22(4):441–69.

Tracy PD, Tracy MB. A conceptual framework of social capital and civil society: the re-emergence of John Dewey. In: Proceedings of the international research conference on social security, Helsinki; 2000. p. 2–15.

Thomson ME, von Solms R. IS security awareness: educating your users effectively. Information Management & Computer Security 1998;6(4):167–73.

Turn R. Security and privacy requirements in computing. In: Proceedings of 1986 ACM fall joint computer conference. IEEE Computer Press; 1986. p. 1106–14.

Updegrove D, Wishon G. Computers and network security in higher education. EDUCAUSE 2003.

Verton D. Disaster recovery planning still lags. Computer World 2002;36(14):10.

Whitman ME, Mattord HJ. Principles of information security. 2nd ed. Thomson; 2005.

Zayed University Web Site – home page. Available from: www.zu.ac.ae [accessed 20.06.08].

Y. Rezgui is a Professor in Engineering Informatics at Cardiff University. He was the founding director of the Informatics Research Institute at Salford University, a leading centre in Information Systems. He has led over 15 national and European multi-disciplinary research projects. He conducts research in areas related to software engineering (including service-oriented architectures), information and knowledge management (centred on the use of ontology), collaborative working, and virtual enterprises. He has over 100 refereed publications in the above areas, which appeared in international journals such as Knowledge Engineering Review, Journal of Operational Research Society, Information Sciences, and Interacting with Computers.

A. Marks holds a PhD in Information Security from the University of Salford. He is an information systems auditor and an Oracle Certified Associate with over ten years’ experience in software management and development in higher education. He is currently the full-time manager of the Financial Information Systems at Zayed University in Dubai, UAE, where he took a leading role in the development and deployment of several infrastructure information systems projects, leading all of the human and organizational aspects including the validation and testing of the solution, with a prominent role in the requirements capture and modelling phases.