Information security awareness (ISA) is mostly measured by testing knowledge. However, knowledge does not allow any statement about actual behavior. Therefore, measurement techniques are required that focus on the behavior of employees. We carried out a structured literature review as well as expert interviews in order to retrieve current requirements for metrics in theory and practice. Moreover, we show that the interviewees defined more requirements than are available in the literature. The goal of our research is to create a performance measurement system (PMS) based on the integrated behavioral model (IBM). Therefore, we had to check whether the different aspects of the IBM can be covered by existing metrics. Although many of the requirements can be fulfilled by current metrics, not all aspects of the IBM can be covered. Therefore, additional research is needed to create a PMS that allows the evaluation of ISA in companies.
Fertig, Tobias; Schütz, Andreas Erwin; and Weber, Kristin, "Current Issues Of Metrics For Information Security Awareness" (2020). In Proceedings of the 28th European Conference on Information Systems (ECIS), An Online AIS Conference, June 15-17, 2020.