IGNORANCE TO AWARENESS: TOWARDS AN INFORMATION SECURITY AWARENESS PROCESS

With most employees in small and medium enterprise (SME) engineering firms now having access to their own personal workstations, the need for information security management to safeguard against loss/alteration or theft of the firms' important information has increased. These SMEs tend to be more concerned with vulnerabilities from external threats, although industry research suggests that a substantial proportion of security incidents originate from insiders within the firm. Hence, physical preventative measures such as antivirus software and firewalls are proving to solve only part of the problem as the employees using them lack adequate information security knowledge. This tends to expose a firm to risks and costly mistakes made by naive/uninformed employees. This paper presents an information security awareness process that seeks to cultivate positive security behaviours using a behavioural intention model based on the Theory of Reasoned Action, the Protection Motivation Theory and the Behaviourism Theory. The process and model have been refined, tested through action research at an SME engineering firm in South Africa, and the findings are presented and discussed in this paper.