The focus of this thesis is an action research project that analyses end-user information security awareness within the legal services domain, with a view to designing and validating a toolkit for improving security awareness programmes in organisations of a similar size and nature. Information security teams are created to defend the organisation from internal and external threat agents, but they face difficulties in addressing the multitude of threat vectors as well as conflicts between the organisation's culture, business processes, and the emergence of 'shadow I.T.' services procured by non-I.T. staff. Information security awareness training describes the activities undertaken to educate employees about computer security topics and their responsibilities for keeping the organisation secure. Just how effective security awareness training is at protecting the organisation from threats can be difficult to gauge, and some training activities appear to be more effective than others. A hypothesis for establishing sustained information security protection in the legal domain was proposed and tested. Sustained protection means that the organisation would not suffer data breaches or other significant information security compromises.

The Literature Review is split into three parts: Part I investigates current information security awareness research. Part II looks at literature in the context of information security threats facing organisations. Part III then investigates the research papers that are concerned with psychological factors that relate to information security awareness.

Elements from the selected psychology theories were used to generate the content of six exercises that were undertaken in a large international law firm to evaluate the effectiveness of information security awareness training. The results of these exercises provided the basis for the security awareness toolkit.
Confirmation of the effectiveness of the toolkit came from pre- and post-investigation metrics that were used to measure the improvements in employee security awareness, and the subsequent success in preventing security incidents throughout the organisation. The absence of any breach notifications or security compromise notifications to the legal regulator or media, by the law firm, ratifies the effectiveness of the security awareness toolkit. The contribution to science is a validated security awareness toolkit for the legal services domain.
Supervisors: Andrew Blyth, Iain Sutherland and Huw Read