
Information Security

USERS – THE MOST VULNERABLE SYSTEM


REFERENCING DATA AS A CURRENCY

A dissertation submitted in partial fulfillment of the requirements of


Master of Science in Information Technology

Chrichtian A. Neal
Amity Online Distance Learning, Amity University, Noida
amityonline.com
mcnealious@yahoo.com
+231 886 562431
October 14, 2017
CERTIFICATE

This is to certify that this is a bona fide record of the project work done
satisfactorily at Uttar Pradesh by Chrichtian A. Neal [MSc A1922816023(el)].

This report or similar report on this topic has not been submitted for any other
examination and does not form part of any other course undergone by the
candidate.

Date: October 14, 2017

Signature of Project Guide:


Sanjay Kumar Dubey

Abstract

Interconnectivity has driven our world into the Information Age, and our dependency
on information is not just business-driven, but a matter of survival as well. The existence of the
modern man relies on ones and zeros, but without control, this need could be
mismanaged and lead to unpleasant outcomes. As it is at the moment, Information
Security is lagging in keeping up with the rising challenges due to higher demands and
the growing knowledge of the users.

Consumers and producers of today’s information are unaware that data is the new
global currency, and this trend is a threat to the confidentiality, integrity, and
availability of information. The push to have different computer systems work together
is also a problem due to the complexities of these various systems. This research invests
in analyzing and understanding, from a users’ perspective, the value of data (or information)
and in creating a financial definition of data to help Information Security
awareness programs have a better impact on users’ behavior.

Conducting a case study across four corporate institutions heavily dependent on
information technology portrays an awareness gap in the attitude of the users.
Ironically, the users by their actions do not see information as valuable as money. The
recommendation proposed by the author is that user awareness programs redefine
data’s meaning to meet a monetary standard so that the users will remember data in a
different dimension.

Keywords: Information Security, Information Technology, IT Security, Users System,
Users Awareness, threat, risk, information, data, currency, money.

Acknowledgement

At the end of it all, Namaste.

I have attained so much experience over some fifteen years as I continually work in
the area of Information Technology, and along the way, I came across a lot of events
that led me to choose this topic. My fervent gratitude, despite the most annoying
situations and demanding users. Looking back at those moments, I can only smile in
appreciation because I have learned a lot.

I wish to extend thanks to all of my colleagues of the same career who have helped me
in many ways, and to those users of the many organizations partaking in this
research.

Special recognition goes to Chetan Petal for his guidance and support during the phase
of this research.

Finally, much gratitude and respect to my little editor, my nine-year-old daughter
(Chrichanna) who has been spotting out omission errors in my work. I tried to be
busy, but she managed to take out time with me nevertheless.

Ubuntu!

Table of Contents

Abstract ............................................................................................................................................... i
Acknowledgement ............................................................................................................................ ii
1. Introduction ........................................................................................................................... 6
1.1 Background ..................................................................................................................... 7
1.2 Objectives ...................................................................................................................... 10
1.3 Problem Definition ....................................................................................................... 10
1.4 Aim of Research ........................................................................................................... 10
1.5 Research Questions ...................................................................................................... 11
1.6 Targeted Audience........................................................................................................ 12
1.7 Delimitations ................................................................................................................. 12
1.8 Limitation ...................................................................................................................... 13
1.9 Ethical Issue .................................................................................................................. 13
2. Review of Literature .......................................................................................................... 14
3. Critique of Entities and Relationships of IS ................................................................. 19
3.1 Chapter Summary ......................................................................................................... 19
3.2 Information Security..................................................................................................... 19
3.3 Components of a Computer System ........................................................................... 21
3.4 Vulnerability: Peopleware, Software and Hardware ................................................ 24
3.5 Data and Information ................................................................................................... 27
3.6 Statistics of the Users System Vulnerability ............................................................. 29
3.7 Cost of the Users System’s Vulnerability .................................................................. 33
3.8 Challenges of Information Security............................................................................ 36
4. Methodology ........................................................................................................................ 42
4.1 Chapter Summary ......................................................................................................... 42
4.2 Choice of Method ......................................................................................................... 42
4.3 Data Collection ............................................................................................................. 46
5. Presentation of Data ........................................................................................................... 57
5.1 Chapter Summary ......................................................................................................... 57
5.2 Analysis and Presentation ............................................................................................ 57
5.3 Results Overview .......................................................................................................... 58
6. Results and Discussion....................................................................................................... 75
6.1 Discussion of Results ................................................................................................... 75

6.2 Themes Discussion ....................................................................................................... 75
6.3 Irony of Survey ............................................................................................................. 76
6.4 Researcher’s Observations .......................................................................................... 77
7. Conclusions .......................................................................................................................... 79
7.1 Future Study .................................................................................................................. 80
References ............................................................................................................................................ 81
Abbreviations ...................................................................................................................................... 89
Appendices ........................................................................................................................................... 90
Appendix A: Project Planning and Scheduling .............................................................................. 90
Appendix B: Questionnaire Form .................................................................................................... 91
Appendix C: Interview Form ........................................................................................................... 93
Appendix D: Johnny Mathisen’s Metrics for Awareness .............................................................. 94

Tables

Table 1: The research questions................................................................................................................ 11
Table 2: The main aspect of Information Technology .............................................................................. 20
Table 3: Component of the Computer System with causes of defects...................................................... 25
Table 4: Research roadmap table .............................................................................................................. 45
Table 5: Strengths and weaknesses of an Interview ................................................................................. 48
Table 6: Strengths and weaknesses of a questionnaire ............................................................................. 51
Table 7: Computer usage question............................................................................................................ 52
Table 8: Strengths and weaknesses of observation ................................................................................... 55
Table 9: Details on respondents by gender for both interview and questionnaire .................................... 58
Table 10: Respondent details by age range............................................................................................... 59
Table 11: Cross tabulation of interview question four.............................................................................. 67

Figures

Figure 1: Whiteman and Mattord Onion Model Security Level ............................................................... 20
Figure 2: Data protection vs. Information Security vs. Cyber Security.................................................... 21
Figure 3: The basic components of a computer system ............................................................................ 22
Figure 4: Interrelationship of Information System’s components ............................................................ 22
Figure 5: Building blocks of the users system .......................................................................................... 23
Figure 6: The three integral components of Information Technology ...................................................... 24
Figure 7: DIKW Pyramid ......................................................................................................................... 28
Figure 8: Survey on users’ negligence leading to IS risks and threats ..................................................... 30
Figure 9: Security breaches experienced by companies. .......................................................................... 31
Figure 10: Primary cause of data loss ....................................................................................................... 31
Figure 11: The weakest link survey .......................................................................................................... 32
Figure 12: Factors attributing to poor cybersecurity................................................................................. 33
Figure 13: The budget factor impacting IT Security ............................................................................... 34

Figure 14: Data Breach per capita cost. .................................................................................................... 35
Figure 15: Threats and Risks per capita cost ............................................................................................ 36
Figure 16: Gender ratio graph ................................................................................................................... 58
Figure 17: Occupational summary ............................................................................................................ 60
Figure 18: Designation by Age ................................................................................................................. 61
Figure 19: Questionnaire User Skill Level ............................................................................................... 61
Figure 20: Questionnaire - Computer usage and Internet access .............................................................. 62
Figure 21: Questionnaire question 8 – Data is currency ........................................................................... 62
Figure 22: Questionnaire question 9 – Data is not currency ..................................................................... 63
Figure 23: Interview question 6 – Data’s value ........................................................................................ 63
Figure 24: Questionnaire question 10 – IT Policy understanding ............................................................ 64
Figure 25: Questionnaire question 1 of section D – Policy understanding ............................................... 65
Figure 26: Questionnaire question 2 of section D .................................................................................... 65
Figure 27: Questionnaire question 3 of section D .................................................................................... 66
Figure 28: Questionnaire question 4 of section D .................................................................................... 66
Figure 29: Interview question 4 of section B ............................................................................................ 67
Figure 30: Questionnaire question 13 - Management training role .......................................................... 68
Figure 31: Questionnaire question 5 of section D – Risk and threat training ........................................... 69
Figure 32: Interview question 5 ................................................................................................................ 69
Figure 33: Questionnaire question 6 of section D – Risks and needs assessments................................... 70
Figure 34: Questionnaire question 7 of section D – risks and threats knowledge .................................... 71
Figure 35: Questionnaire question 8 to 11 of section D – threats survey ................................................. 71
Figure 36: Questionnaire question 1 and 4 of section C – Pirated software ............................................. 72
Figure 37: Questionnaire questions 7, 8 and 9.......................................................................................... 73
Figure 38: Interview question 7 – Users’ behavior toward threats ........................................................... 74

1. Introduction

“We have seen the enemy, and he is us.” – Walt Kelly

The growing trend to keep information safe and secure from unauthorized access
in an age of highly interconnected technological resources has been and remains
a challenge to Information Security. This pattern is described in the words of Clay
Shirky, an Internet scholar and professor at NYU: “It used to be expensive
to make things public and cheap to make them private. Now it’s expensive to
make things private and cheap to make them public” (Thompson 2012). His
statement reveals not only the advantage of global interconnectivity, but also the
cost paid by many businesses and individuals in the wake of Information
Security. As the quest for unlimited access to data continues to increase, so does the
remodeling of data into a more valuable commodity – currency.

The CIA (Confidentiality, Integrity, and Availability) of Information Security is
not only battling intruders, but also internal weaknesses like the users (the users
system) who are unaware of the present-day value data has accumulated. It is
certain that if the users component of the computer system comes to
comprehend the fact that data is becoming the new global currency, then the
vulnerability level of the users system will make a gradual shift towards
improvement.

There have been research investigations similar to this report, but the challenge
of getting users to accept information security as an issue, especially regarding them
(users), has been difficult, if not impossible, to achieve in a relatively healthy
environment free of monitoring and evaluation. The various types of users,
ranging from specialist to novice, are not an exception to the misconception
leading to this mismanagement of data. Implementing a system to monitor and
provide training and awareness to users based on need, while referencing data as
currency, should help eradicate the laissez-faire attitude of users.

Information Security will continue to lag if the users system does not look at data
as a currency upon which the exchange of knowledge-based financial
transactions are made. As it is, users are the most vulnerable system referencing
data as a currency.

1.1 Background

Since the first successful transmission of an instruction set and results between a
teletype machine and a Complex Number Calculator by George Stibitz in the
1940s, the quest to have computers share information irrespective of distance has
been on the increase. Presently, there is much evidence that this desire has
succeeded: humans are building machines that interact easily, but unquestionably
there are also accompanying challenges.

The world as a “global village”, as mentioned by McLuhan (n.d.), is a perfect picture
of a problem where it is easy to walk from one’s house to the next. Shouting
“hello” to a next-door neighbor seems easy and cordial. It becomes a bit more
complicated when other villagers with different intents decide to visit your home
or that of others – with or without permission, for reasons that are either black or
grey.

The world has become a huge pile of information on which every other thing
connects: information that grants knowledge for better decision making. Many
are unaware of information’s new trend; that information is not mere data, but a
global currency (Eggers, Hamill & Ali 2013, pp. 4-6). Users are more likely to be
uninformed about the prevailing risks of Information Security or noncompliance
issues with standard IT policies and procedures (Sherif 2012, pp. 19, 24). Power
users are also likely not skilled or educated in the changing environment of the
profession (Islam & Dong 2008).

Are users (employees) aware that data (video, audio, text, photo, et cetera) are
just the same as legal banknotes? If so, will they continue to treat the company’s
finances with little security in mind? If not, how fluent is communication
between employer and employees about these risks?

Unnoticed, many are doing away with the fact that the user is the key
component of a computer system. It is indeed the most essential component
because all other components (hardware, software, and manual) of the computer
system revolve around the users – created by the user, for the user. These assets
produce tangible outcomes, and making such valuable resources available
only to specific, authorized users is a constant challenge.

A small pin of a statement like ‘garbage in – garbage out’ is enough to pop the
balloon of Information Security, but we would rather stay ashore by looking into how
users could themselves be risk and threat factors to the information system,
either knowingly or unknowingly. The computer system lacks a prolonged will
to uphold the integrity of information security due to one vulnerable system – the users.

A new look at the factors influencing vulnerabilities within the Information System
will change how we look at information security. Data loss to an organization is
interpreted as a substantial financial loss and should be taken seriously due to the
cost of trust (Cerrudo 2017). When data integrity, availability, and
confidentiality are looked at from the perspective of hard currency on a global
platform, much more is demanded of Information Security. For this
reason, data cannot be considered as merely ones and zeros, but evidently the
new global currency.

The Deloitte report (Eggers et al. 2013) traced the evolution of currency
over time from stones and seashells to the sophisticated forms of legal tender that
enable today’s global financial transactions. The report further notes that “the
evolution of the notion of currency continues today, as new, alternative
currencies grow in popularity, from bitcoin to the online game World of
Warcraft’s holy dust.” It also encourages an understanding of how data fits into
this evolution, and how we must rethink our conception of currencies –
“currency is how we create and exchange economic value across geography and
through time; it is anything that can serve as a medium of exchange, something
that can store value for future use.”

Data (Information) being the core of Information Security places such a high
demand on this commodity. Data for a business can mean a simple decision
which could lead to competitive advantage. Data can also be interpreted as the
electronic identity of an individual concerning online banking details, email and
web login information for sites with meaningful information. With this in mind, a
new perspective is seen, along with new factors and actors coming into play with
each other under redefined roles. Most parts of the computer system are
engineered by humans, putting more demand on humans for the perfection of
these extremely complex systems (Revnivykh & Fedotov 2016). Because we are
not in short supply of imperfect humans, computer-based systems created by
them will not run short of vulnerabilities.

Today, we see that even the most secure Information Systems are often exploited by
insiders because of their failure to continually follow the standard practices and
procedures, based on policy, that avoid threats and risks to Information Security.

According to PwC (Sims & Pollard 2014), “businesses cite employees as the
number-one source of cyber compromises; insider incidents rarely get the same
media attention as those committed by the intruders.” They stated that insiders
“often fly under the radar and may be very difficult to root out because the
perpetrators have trusted—and often privileged—access to networks and data.
Internal incidents also can be more damaging than those caused by external
threat actors, in part because insiders may know exactly where critical assets are
stored, how to access them, and how to side-step security measures.”
These observations are true and must be balanced with the fact (Sherif 2012, pp.
24-30) that some users are threats due to a lack of awareness of vulnerabilities or
management’s inability to enforce best-practice policies.

1.2 Objectives

The primary objective of this research is to assess users’ understanding of data value as
a currency and to link the result to vulnerabilities found within the users system of
corporate entities’ Information Systems within Liberia. The findings are intended to help
strengthen existing IT threat and risk mitigation processes that are designed and
structured to promote users’ education, awareness, and policy implementation by
giving a new meaning to data – redefining it as a currency. The project also seeks to
apply the researcher’s experience (over 15 years) of users’ interaction with IT
systems to identify avoidable breaches within the Information Security system. Other
gaps contributing to the flaws of the Information System (users system) as a result of
misconception, poor infrastructure, and inadequate information (training) will be
identified and analyzed, and recommendations made to mitigate threats.

1.3 Problem Definition

The world has become a massive pile of information on which every other thing is
connected: information that grants knowledge for better decision making and
competitive business advantage. In the wake of increasing connectivity and growing
data, Information Security stands as a balance between Users and threats.

However, computer users and systems are yet to be shielded by Information Security. The
purpose of Information Security is to keep data safe, but in the real sense of it all,
users are unaware that data is the new global currency, thereby creating more problems
for Information Security.

1.4 Aim of Research

The main goal of this research study is to create awareness among technology users
about data threats and data security and to help users understand the value of data. This
research also intends to help solve some internal threat issues within Information
Security by identifying behaviors that overlook the adverse effects on IS from a data-
money or currency perspective.

1.5 Research Questions

The question at issue that the researcher will answer in this report is:
• What effect on Information Security vulnerabilities has an awareness among users that
data is the new global currency?

The underlying derivatives posed by the research are presented in Table 1. The main
question mentioned above comes from questioning the thesis statement: why is the
users system the most vulnerable? Arguments arise when users are asked how
aware they are that data is a global currency.

Table 1: The research questions

Question derivatives

Main Theme 1:     Users awareness of data value (is data currency?)
  Sub-question 1.1:  What value is attributed to data by users?
  Sub-question 1.2:  How do users see data from a user’s view?

Main Theme 2:     Users awareness on policy (IT/IS)
  Sub-question 2.1:  Users understanding of policy and implementation
  Sub-question 2.2:  Management’s role in policy awareness and implementation

Main Theme 3:     Users training and risk assessment on threats
  Sub-question 3.1:  Users understanding of threats
  Sub-question 3.2:  Users being a threat

These questions (Table 1) are intended to generate firsthand data in addition to
findings from the nearly similar research literature under review. They will help in
harnessing an updated set of user perceptions for further analysis.

1.6 Targeted Audience

The results obtained from this research are to be used mainly by users of information
technology systems based in Liberia. The study aims to afford data users a full
understanding of the current data trend amid its rapid evolution, and of how to effectively
apply conscious methods in dealing with data that are coherent with Information Security.
The research is also useful to anyone interested in understanding IS risks and
threats relative to data’s monetary value. The research will also seek to help promote
best practices regarding data threats among businesses and companies that are heavily dependent on IT
infrastructure within Liberia, i.e. training users to
become more proactive in risk analysis. If data is the new currency, it should therefore
be treated as such.

The research will be conducted within a couple of large and medium corporate entities
that have Information Security infrastructure across Liberia; the case study places its emphasis on
Liberia’s IT infrastructure, which shall be under review. The applicability, findings, and
recommendations are not geographically limited.

The research entails preparation of questionnaires to be distributed to respondents and
hosting of formal and informal interviews to arrive at a meaningful collection of data.

1.7 Delimitations

Instead of focusing broadly on Information Security threats in general, the researcher
looks at users’ view of Information Security from the scope of the data value being
equivalent to currency. Due to time constraints, monitoring and evaluation of the change in
behavior of data users after adopting the idea that the value of data is currency
were not undertaken, but the expected effect is reflected in the researcher’s results.

The researcher included participants from outside Liberia to reinforce his premise that
users have little or no knowledge of the trending value of data. The reason was that
much of the literature on the causes and effects of vulnerabilities deriving from the
users system did not objectify the currency value of data in relation to that of the users’
behavior.

Due to the vast and growing scope of data currency relative to big data, the researcher
shied away from an in-depth analysis of web users’ online data currency value.

1.8 Limitation

The researcher’s limited access to important literature on Information Security threats and
countermeasures and on the evolution of data up to the present is a limitation. The gap
between users’ understanding of data (personal and business) and that of currency has
not been clearly identified as a problem by most of the literature accessed by the
researcher.

The qualitative research design allowed flexibility and a lack of control, thus making it
difficult to check the researcher’s bias (Kumar 2011). The sample size was small and male
dominated, and might not be enough to confirm the hypothesis definitively.

1.9 Ethical Issue

Institutions identified by the researcher to form part of the research survey decided to
leave the choice of partaking to individual users. The users chose to be anonymous. The
organizations also asked not to be mentioned, to avoid unforeseen damage (Bryman &
Bell 2007).

2. Review of Literature

“Both organizations and individuals have sensitive information that requires adequate
protection. Organizations will certainly be in possession of delicate information on their
staff, budget, financial reports and business strategies. For the purpose of gaining
competitive advantage, organizations will have research reports, trade secrets and other
forms of sensitive data. Today, information is viewed as the lifeblood of the present-
day enterprise. Organizations’ dependence on information is rapidly increasing, and for
some organizations, IT loss means a loss of business. Individuals perform various tasks
on their computers such as online shopping, e-banking and visiting social networks.
Their computers therefore contain critical personal information that needs to be
secured (Mindful.com 2009)” (Kandel & Ndungu 2015, p. 3).

The field of Information Security tends to deal with much information targeted at
computer users about measures and countermeasures to keep computer data and systems
safe. Nevertheless, the users system is faced with numerous challenges within every
computer-based system. Balancing these problems against the level of users’ awareness needed
to keep up with the rapidly changing technological environment, the users system
is evidently the weakest component of the computer system. Moreover, without
knowledge of the actual value of data as a new global currency, the users system
is most vulnerable.

Revnivykh and Fedotov (2015, p.1) explain that:

Information technologies are based on three interdependent components, namely,
hardware, software and human resource. The susceptibility of final technologies to
a number of threats challenging the information security takes roots in each of the
abovementioned aspects both taken separately and in their complex combination.

For the purpose of this research, the researcher will use "human resource"
interchangeably with "users system" as mentioned by Revnivykh and Fedotov. Others may
refer to the users system as humanware, meaning the group of personnel associated with
the various stages of a computer, from manufacture to actual use, which includes
Hardware Engineers, System Analysts, Programmers, and Operators (agriinfo.in 2015).
My agreement with Revnivykh and Fedotov regarding the separate susceptibility to threats
of each component of a computer system (hardware, software and users system)
becomes a disagreement in the context of the overall maker of each component.
Divorcing humans from any of these components would leave us in the era of the Stone
Age. They explain that the human factor also includes widespread evidence of the
creation of various types of malicious software that could potentially disrupt the proper
operation of both the hardware and software components of an information system
(Revnivykh 2015). They remarkably observe that, considering a new look at data as
currency, the motive of users as compared to the motive of computer hackers has
completely changed. Earlier malicious programs were developed by programmers mainly
for fun, vandalism or showing off their capabilities to others. Currently, the main reason
for external threats is the real possibility of financial gain. Revnivykh and Fedotov find
agreement, ironically, after inspecting each component's vulnerabilities and then
rerouting them to the human factor. They explain that the complexity of each of these
systems poses a higher risk factor to Information Security. Schneier (2000) notes that
“Security is a chain; only as secure as the weakest link,” seemingly pointing out the
users system as the culprit of vulnerability, but later goes further to imply that the users
system is overwhelmed by the growing complexity of interdependent systems. Schneier
also states that “Complexity is the worst enemy of security. The more complex – the less
secure. Today, computers and networks are less secure than they were long ago – and
will be less secure even in the future”. This complexity of technological systems, along
with the urge to have more complex systems integrate with each other in an
interoperable environment, will only increase the risks (Poulsen 2016). Evidently, with
software and hardware, “inevitable are risks of infringement of the reliability and
security in the operation of information systems, conceived, created and operated by
and for people” (Revinvykh 2016, p.7), and these humans are not in short supply of
imperfections.

According to IBM's Cyber Security Intelligence Index (2015) report, 95 percent of
cybersecurity breaches are the result of human error, while over half of all security
attacks are the result of insiders to an organization (Ponemon Institute LLC 2015). With
regard to the users system being the most vulnerable or weakest link of the information
system, Wolff (2016) exposes a different view by adding that technologies themselves
are the ones failing the humans as a result of being poorly designed. She went on to say
that the weakness of the users system should not be imputed to users' stupidity,
requiring them to be re-engineered or bypassed, as asserted by Mims (2016).

She was keen to note that technology is created with the onus of bettering the lives of
people, but people end up being painted as the problem (Wolff 2016, para.1).
Ironically, the researcher tends to agree that computer security is not just about
technology and systems (Butavicius 2016; Wright 2016). It is also about people, as
they can be either the first line of defense or the most vulnerable (Better Business Brain
2016). This statement fortifies the assertion that the users system is the most susceptible
system when it comes to vulnerability (Culp 2016; Krazit 2016; Butavicius 2016;
Wright 2016; MBA White Paper 2015). People are the makers of all other systems, the
breakers, and the targets as well.

Information security, computer security, and information assurance are interchangeable
terms (Sen & Samanta 2014) that refer to protecting data (information) and information
systems from unauthorized access, use, disclosure, disruption, modification, perusal,
inspection, recording or destruction (Gupta n.d.). As the world makes giant leaps in
technological advancement, racing against complexity and sophistication, Information
Security will remain the model on which the Confidentiality, Integrity, and Availability
of systems and data are built (Kandel & Ndungu 2015). On the contrary, Schneier (2000)
says that “If you think technology can solve your security problems, then you don’t
understand the problems and you don’t understand the technology”. Understandably,
we look to securing data and services by re-identifying, redefining, and reanalyzing the
continual processes in existence, and not by considering the act of security as a finished
product (Schneier 2000).

When it comes to the primary objective as to why data should be protected, the answer
conveyed is that data is sensitive. Therefore, it should be protected to avoid identity
theft and privacy breaches (MIT Journal n.d.). Data in itself would not be all that smart if
it were just sitting there. Computer Hope (2017, para.1-2) explains that data without a
context is useless (Yau 2013, p. 36), or just a collection of ones and zeros. This means
that any data with no set of facts or circumstances for interpretation would be
meaningless; even if visualized, it would still be useless (Yau 2013, p. 11). The researcher
appreciates how Lacey's and Danes' (Lacey 2009; Danes 2017) contextualization of data
encourages people to treat data like hard cash because it is a valuable asset. Until users
can grasp what data is (how much value are we talking about?), data will remain the
most chased asset by a few, and the least sought-after content by many.

What are we protecting? The Deloitte Review (Eggers et al. 2013; Culp 2016; Reding
2013, p.2) demonstrates the evolution of currencies over time, from stones and
seashells to the sophisticated forms of legal tender that enable today’s global financial
transactions. According to the review, currency continues to evolve today as new
alternative currencies grow in popularity, from bitcoin to the online game World of
Warcraft’s holy dust. It also encourages an understanding of how data fits into this
evolution, and how we must rethink our conception of currencies: currency is how we
create and exchange economic value across geography and through time […] it is
anything that can serve as a medium of exchange, something that can …store value for
future use (Eggers et al. 2013). On the other hand, the estimated value of EU citizens’
data was €315 billion in 2011 (Reding 2013, p.2), with the potential to grow to nearly
€1 trillion annually in 2020. “This is why personal data are often described as the
lifeblood or basic currency of the information economy, being arguably a key asset, a
central organizing principle and a critical enabler for business competitiveness in
today’s world” (Robinson, Graux, Botterman, & Valeri 2009). Data is now considered
to be an entity around which economies are formed. Data has now become the new raw
material of business: an economic input comparable to capital and labour (Data, Data
Everywhere 2010, para.15).

A blind eye to the value of data, irrespective of the source and destination, will continue
to pose challenges to Information Security of Brobdingnagian proportions.
McAfee (cited in Risen 2014) puts the total global cost of information security
breaches at around $455 billion per annum. This cost effect reported by McAfee is epic,
and is attributed to hardware, software, and the users systems. Metzger (2015) states
that the findings of a data loss health check conducted by Databarracks, an IT security
company, showed that out of 404 IT professionals from across 20 sectors, the biggest
cause of data loss (24 percent) was human error. The Ponemon 2015 Endpoint Report:
User-Centric Risk indicates that the biggest threat to data security is negligent or
careless employees who don’t follow data security policies (Holdgrafer 2015; Ponemon
Institute LLC 2015). By contrast, the StoreyCraft survey (Data Loss Statistics 2017) puts
human error at 29 percent, while 31 percent is the result of hardware or system failure.
These statistics balance the causes of data loss against the effect of data loss in hard
cash.

Musayeva (2017) in her blog describes data currency as the lives of the very users,
referencing the well-known politician, environmental activist and TEDGlobal speaker
Malte Spitz, who took on Deutsche Telekom for invasion of privacy. He sued the
company for logging and showing his location 35,000 times between August 2009 and
February 2010. Google, Facebook, Twitter, Instagram, Whatsapp, etc. offer
applications and services for free; ironically, these companies are worth billions. It may
come as a surprise, but many users do not understand the devil’s pact that free services
come with: a loss of privacy. Data is the only real currency of the web (Musayeva
2017). Press (2017) analyzes companies that collect and analyze a dozen terabytes of
data a day, obtained from online users for free. This is the big data trend that is growing
exponentially and has a market value in the billions.

A CISCO (2014) survey in about ten countries on information system risk assessments,
threat analysis, and behavioral evaluation points to willful ignorance of policies, and
the figure on the impact is alarming. It has been identified that investment into the users
system through training and awareness would be rewarding (Soltanmohammadi et al.
2013; Lord 2017; Wright 2016; Butavicius 2016; Culp 2016; Krazit 2016; Poulsen
2016; Islam & Dong 2008; Ndungu & Kandel 2015; Sheriff 2012; Xiong 2011; MBA
2015). Models like ITIL, COBIT, COSO, ISO 27001 and NIST are relevant models to
monitor and streamline business processes to conform to secure IS functionality
(Leal 2016), but the gap remains. Coming to the understanding that data is money, or
the currency of this age, will change (improve) users' mindsets in their interactions
with technology.

After comparing and contrasting relevant research works and articles and also
conducting a research survey, this study considers the humanware to be the most
vulnerable component of the computer system because of Information Security users'
unawareness of data as the new global currency. The findings of this study identify the
gap and propose a new value-based definition of data [data is strictly the new global
currency] to be used in users' training and awareness frameworks to effect positive
cognitive change within all sub-fields of Information Security. Further research on a
larger scale is needed to confirm that users have indeed not perceived data’s value from
a financial standpoint.

3. Critique of Entities and Relationships of IS

3.1 Chapter Summary

The major components of the Computer System, namely hardware, software, people,
procedure, data, and network, work together to produce an overwhelming result that is
benefiting the world as technological advancement. Their combined effects are driving
economics, socio-politics, education, religion, medicine, the military, aeronautics, marine
science, geology, and globalization toward a more balanced level and pace.

This chapter is intended to give a critical cross analysis of major components and the
relationships existing among them with respect to Information Security.

3.2 Information Security

Pettersson (2008) quoted Professor Gene Spafford: “The only truly secure system is
one that is powered off, cast in a block of concrete and sealed in a lead-lined room with
armed guards—and even then, I have my doubts.”
The researcher too has his doubts, but also his hopes.

The overall scope of the CIA model (see Table 2) of Information Security examines
various network protocols, focusing on vulnerabilities, exploits, attacks, and diverse
methods of mitigating attacks. Information Security’s key function involves protecting
information, and the systems on which information is produced, hosted, and distributed,
from unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction. In so doing, the confidentiality, integrity, and availability of
data and services are met (Gupta n.d.).

Table 2: The main aspects of Information Technology

Availability:
 Availability of data
 Availability of services

Relevance/Integrity:
 Relevance and consistency of information
 Protection from unauthorized modification and deletion

Confidentiality:
 Protection from unauthorized data reading

Source: Adapted from “Main Reasons of Information Systems Vulnerability,” Revnivykh et al. 2016,
Global Journal of Pure and Applied Mathematics, Vol. 12, No. 3 (2016), p. 2135

The deployment of multiple security layers (Figure 1) is essential because it helps
meet the security standard, which is “the quality or state of being secure—to be free from
danger.”

 Physical security: to protect physical items, objects, or areas from unauthorized
access and misuse
 Personnel security: to protect the individual or group of individuals who are
authorized to access the organization and its operations
 Operations security: to protect the details of a particular operation or series of
activities
 Communications security: to protect communications media, technology, and
content
 Network security: to protect networking components, connections, and contents
 Information security: to protect the confidentiality, integrity, and availability of
information assets, whether in storage, processing, or transmission. It is achieved
via the application of policy, education, training and awareness, and technology.
(CourseHero n.d.)

Figure 1: Whitman and Mattord Onion Model security levels. Layers shown: Physical
Security, Network Security, Operations Security, Communication Security, Personnel
Security, Information Security.

3.2.1 Information Security and Cyber Security

Information security differs slightly from cybersecurity, but the two are usually confused
and used interchangeably.

Due to the rapid evolution of Cyber Security, there is now a blurred line differentiating
the two often misused terms – Information Security and Cyber Security. Clarity is
needed because these terms are used almost synonymously (Stevens 2016;
VinciWorks 2015). Both information security and cybersecurity are defined as the
practice of defending information from unauthorized access, use, modification or
disruption.

Figure 2: Data protection vs. Information Security vs. Cyber Security. Source: Adapted
from VinciWorks (2015).

The main difference between these two disciplines is in the form of the data (Figure 2).
While cybersecurity refers only to electronic security, information security is a broader
term that encompasses all data, both physical and digital (VinciWorks 2015).

3.3 Components of a Computer System

Information system (IS) has developed over the years from a simple computer hardware
to an entire set of software, hardware, people, data, procedures, and networks that make
possible the use of information resources in the organization (see Figure 3). These six
critical components (shown in Figure 4) work together to enable information input,
process, output, and storage. Each of these IS elements has its strengths and
weaknesses, as well as its characteristics and uses. Each part has its security
requirements (Whitman & Mattord 2012, p.16).

Figure 3: The basic components of a computer system: Hardware (computer), Software
(programs), Data (information), and People (user). Source: Adapted from Computer
Atlas (2017).

Figure 4: Interrelationship of the Information System’s components: Hardware,
Software, Data, People, Procedure, and Network, centered on the Information System.

3.3.1 The Users System

The Users System, or People (Peopleware) or humanware, is the group of personnel
associated with the various stages (from manufacture to actual use) of a computer system.
These are the interfaces between a machine and the end user. It might include the
following personnel (agriinfo.in 2015).

3.3.2 Types of Computer Users

For this research, computer users are divided into three categories by the researcher:
expert, intermediate, and novice. Expert users have a subcategory of software and
hardware engineers and system analysts. The intermediate users have gamers, graphic
artists, and Internet users as a subcategory. The novice category has SOHO business,
home, and mobile users (see Figure 5).

The sub-sub-categories of IT professionals & support, social networkers, and hackers
(black, white and grey) are not statically assigned to any of the top-level categories, as
they can shift to any of the mentioned categories.

Figure 5: Building blocks of the users system (model derived by the researcher).
Computer Users are divided into Expert (Software Engineer (Coders), Hardware
Engineer, System Analyst), Intermediate (Gamers, Graphic designer/artist, Internet), and
Novice (SOHO - Business, Home, Mobile device); IT Professionals & Support, Social
networkers, and Hackers cut across the three categories.

3.4 Vulnerability: Peopleware, Software, and Hardware

There are three integral components (see Figure 6) on which Information technology is
based. These components are interrelated and interoperable: hardware, software, and
humanware. These components individually contribute to a multitude of threats and
vulnerabilities within end-technology as it relates to information security (Mazov et al.
2011).

Figure 6: The three integral components of Information Technology: Humanware,
Software, and Hardware, surrounding Information System imperfection. Source:
Adapted from Revnivykh et al. (2016).

An Information System is best understood modularly: every system is built up from a
group of smaller modules into a complete unit or system. Take a tablet, for example; it is
created by different groups of people. Correspondingly, these teams’ products interact
with each other on certain interfaces, but programmers cannot delve into the principles
of a processor’s or power supply unit’s operation (Revnivykh 2016). The touchscreen
team works separately from the battery team, which concerns itself with the longevity of
the full operation of the complete unit. If the battery overheats, causing a problem for
another separate team’s unit, they will have to collaborate to resolve the issue
(Revnivykh 2016).

Thus, it is the complexity of modern information systems (which is continually
growing) that will be the central idea of the further narrative (Revnivykh 2016).

It is true that computer systems were far less vulnerable in the early years of
computer invention than they are now. The reason is simple: the scarcity of computer
systems was protection enough, but as networking capabilities grew, and access to
computers and the Internet became prevalent, coupled with the need to have many smaller
systems work with larger systems, vulnerability increased. This is better stated in the
words of Schneier (2000): “The future of digital systems is complexity, and complexity
is the worst enemy of security.” He meant that the more we advance in the Information
Age, the more the need for many different systems to coexist interoperably will arise,
and this will give way to defects and errors - an open door used by opportunists for
malicious reasons.

Each component of the computer system (hardware, software, and userware) is subject
to some level of defects. In Table 3, we see a comparative analysis of the cause factor
leading to the weaknesses found in each of the systems.

Table 3: Components of the Computer System with causes of defects

HARDWARE

Notes: In the 1950s–1960s computers and data transmission networks were a priority
for research and production, mainly due to the need for their application for the
military-industrial complex of the world powers. Since perfection and destructive power
of weapons were the basis of the defense capability and the impact factor of a large
state, it required the rapid development of technologies. Scientists and engineers were
rushed by the military – it was necessary to as quickly as possible conduct large
amounts of calculations, store and process the ever-increasing volumes of data.
Beginning with the 1970s the development of hardware began to shift to the commercial
side, as information technologies were increasingly being used for peaceful purposes.
In the 1980s, computers appear not only in large companies but are also used in homes,
and in the next decade, portable electronics is beginning to spread. This ever-growing
competition in the electronics market forces developers and manufacturers to hurry
with the terms of launching new devices, as each generation of hardware devices
becomes outdated very quickly.

Defect: Rapid development leads to design flaw, product inconsistency, and poor
quality.

USERWARE

Notes: The life cycle of any information system consists of a sequence of several
stages, beginning with the idea of establishing an appropriate information system
(usually to simplify some aspects of life of potential users; for economic reasons, etc.),
followed by the stages of its creation, testing, operation and final disposal. Each of
these stages involves human activity. Inevitable are risks of infringement of the
reliability and security in the operation of information systems, conceived, created and
operated by and for people. Human factor also includes a widespread evidence of
creating various types of malicious software that could potentially disrupt proper
operation of both hardware and software components of information systems.
Malicious software can appear as a result of programmers’ errors, although the most
common reason for its occurrence is malice. Additionally, developers release newer
versions of their information systems, for example, every six months. As soon as users
have learned to more or less confidently handle the system, its new version comes out,
which again should be dealt with, in which faults are fixed to which they are already
used and adapted, and new ones are added to which they have yet to get used to and
adapt.

Defect: Memory lapse, meeting deadlines, overconfidence, not following standards and
procedures, malice, complacency, trustworthiness, knowledge gap, emotional and
psychological flaws.

SOFTWARE

Notes: Software is of two types – system software (operating systems and drivers), and
application software – all other programs. The problem of complexity and development
time limitations applies fully to software as well as hardware. Modern programmers do
not have a detailed understanding of the functioning of all the nuances of their program.
The versatility of software entails its modular creation by a team of developers, each of
whom has information only about his own developed module that communicates with
other modules using special interfaces. A working tool for modern programmers is
mostly high-level programming languages, compilers, and interpreters, which are
written using previously developed programming languages. Application programmers,
who create their products in a high-level language, cannot know the nuances of the
working algorithm of the created program as it is executed by the operating system only
after numerous translations, which are ultimately converted into an algorithm written in
the form of machine codes. In addition, it should be noted that the earlier generations of
programming languages (and translators from these languages) had different
characteristics, which can affect everything created in child translators. The ever-
changing or improvement of system and application software leaves enough room for
loopholes on which upgrades, updates, and patches are forever trying to perfect. Note
also the same type of operating systems used as host platforms. In the world, there is
not a very wide variety of operating systems, therefore having studied the features of
most of them, an attacker can determine the type of operating system used in the object
of interest and take advantage of its vulnerabilities, which can be regarded as
undocumented possibilities.

Defect: Rapid development leads to design flaw. Multiplatform, ever-changing and
complex coding, difficult testing, lack of knowledge, modular complexity, bulky codes.

Source: Adapted from “Main Reasons of Information Systems Vulnerability”, Revnivykh et al. 2016,
Global Journal of Pure and Applied Mathematics, Vol. 12, No. 3 (2016), p. 2135

3.5 Data and Information

For the purpose of this research paper, data and information will be used
interchangeably, but in a wider context, both words would be used alongside to indicate
their differences.

3.5.1 Data

Data is a derivative of the Latin word datum, meaning “something given.” As the
English language evolved, data came to be used as the plural of datum: hundreds of
thousands of pieces of “data” amassed into a unit. This was the first clue that data
represents units of measurement. Stored in bits and bytes, megabytes, gigabytes and
more, data is the 1s and 0s that fill digital storage capacity (hard drive, memory unit,
RAM, EPROM, etc.), and it is designed to be read by computers, not humans.

3.5.1.1 The Properties of Data

The properties of data are as follows:

 Data is, when clean, a fact.
 Data can be stored easily, and at a low cost.
 Data can be copied easily, often using computerized methods.
 Data can exist in more than one place, so data is often duplicated.
 Data can be modified and moved quickly and simply.
 Data can be misrepresented, depending on its interpretation.
 Data has no value until it is used.
 Data does not mature, nor does it improve with age — in fact, data decays.

All data has to be interpreted to be useful to humans, which leads us to our definition
of information (Doyle 2015).

3.5.2 Information

The word ‘information’ has existed in the English language far longer than the
word data. The concept of informing someone is well understood, and that gives us
some clues to its meaning. When we talk about data, we think of megabytes of binary
code. In contrast, think of all the ways we can measure information. We can use
practically any meaningful unit: time, distance, amount, rankings, speed, and weight.
We can add additional variants to the units too (for example, an amount of money in a
particular currency) (Doyle 2015).

We can see that information has context. It gives us a fact relative to something else. It
offers a yardstick for our decision making. It lets us derive some kind of conclusion
once we understand it (Doyle 2015).

Defining information

 Data that has been processed to make it useful
 The right information in the right place
 Data plus meaning
 The foundation of correct decisions
 A known fact, or thing, used as a basis for inference or reckoning
 Data in context

After all, without context, information does not inform (Yau 2013).

Figure 7: DIKW Pyramid. Source: Adapted from Doyle (2015)

On the DIKW Pyramid (see Figure 7), data and information are separated by a space of
comparison. This may explain why, alongside the evolution of data and information, the
compare-space is almost invisible, allowing data and information to be used
interchangeably regardless of their distinctions. Nevertheless, data does not depend on
information, but information depends on data. Data has no meaning on its own, but
information should provide a logical meaning to the raw materials we work with (Doyle
2015).

3.6 Statistics of the Users System Vulnerability

This paper would have no need in the absence of hard evidence. Nevertheless, it is still
prudent to capture the word vulnerability. Users System ‘vulnerability’ derives from
the base word ‘vulnerable’, which means: capable of being physically or emotionally
wounded; or open to attack or damage (Merriam-Webster 2017).
The definition does not run short of the physical and emotional harms, wounds, attacks,
and damages done to Information Security, and in many ways these effects are the
result of misconception, personal gain, poor judgment, lack of awareness, and negligence
to follow policy or best practice, among others.

According to a Ponemon Institute LLC (2015) user-centric survey, with the shift from
endpoint risk to user-centric risk, negligent employees (users) are seen as the most
significant source of endpoint risk. Figure 8 shows that specific threats to endpoint
security are increasing significantly. Since 2013, the percentage of respondents who see
a threat in employees working offsite and using insecure WiFi increased from 16 percent
to 38 percent (22 percent increase), and in more personal devices connected to the
network from 51 percent to 68 percent (17 percent increase). For the first time,
negligent employees who do not follow security policies are a threat to endpoint
security. Seventy-eight percent of respondents agree, making it the number one threat.

Figure 8: Survey on users’ negligence leading to IS risks and threats. Source: Adapted
from State of the Endpoint Report (2015, p.4)

An elementary mistake by a user can pose a big risk to information security.
Even technical staff who should know better are not immune to social engineering (see
Section 3.8.2). A few precautions also go a long way when it comes to stopping the
spread of viruses. Many viruses travel inside e-mail messages, but require the user to
click them in order to start propagating. Some pose as games, utilities, anti-virus updates
or even nude photographs of celebrities. The curious user double-clicks, nothing
seems to happen, and the user thinks no more about it, but the virus has started to
spread. Security risks are more likely to originate from an insider than from outside
causes (see Figure 9). Educating users, especially not to click on dubious attachments,
is a simple but effective counter-measure against viruses (The Economist 2002).

Figure 9: Security breaches experienced by companies. Source: Adapted from
Digital Security (2002).

Figure 10 shows survey details from a data recovery firm about the causes of data loss.
According to the graph, hardware failure ranks number one with 44 percent and the
human factor second with 32 percent. The information presented puts the odds on
hardware rather than the human factor. However, the hardware was created by the
human factor. Very often, the researcher has seen the impact of users manhandling
hardware, leading to failure.

Figure 10: Primary cause of data loss. Source: Adapted from Devery (2015)
A survey conducted by Blackhat.com (2015) among “IT pros say that ‘end users who
violate security policy and are easily fooled by social engineering attacks’ are the
weakest links in the IT security chain of defense. Interestingly, however, one-fifth of
respondents are also worried about their own defense strategies, citing ‘a lack of
security architecture and planning that goes beyond firefighting’ as their weakest link.
(Figure 11). This attitude is also pervasive in IT security discussions: A sense that the
‘layering’ of single-purpose technologies and solutions might be leaving too many
cracks for attackers to get.”

Figure 11: The weakest link survey. Source: Accessed from Black Hat Attendee
Survey (2015)

An identical trend of users being threats or causes of security breaches is also seen in
another survey (Figure 12) by CyberEdge (2015), depicting the threats that result from
low awareness on the part of users.
Figure 12: Factors attributing to poor cyber security. Source: Adapted from
CyberEdge Cyberthreat Defence Report (2015).

3.7 Cost of the Users System’s Vulnerability

The cost incurred as a result of the users system risk factor is captured while
referencing data as currency. A collage of recent surveys is included in this research to
show the financial damages in real terms.

According to the Blackhat.com (2015) survey regarding the highest budget allocation
for IT spending, 26 percent of respondents ranked targeted attacks as one of their top
three priorities for spending. Accidental leaks (26 percent), potential regulatory
compliance issues (25 percent), and security vulnerabilities introduced by internally
developed applications (23 percent) also ranked most frequently among the top three
spending priorities. The wide range of spending priorities in the survey shows that
budgets may be failing to keep up with the latest threats and that security professionals
are not able to tune that spending to meet their most current concerns. (Figure 13).

Figure 13: The budget factor impacting IT Security. Source: Accessed from Black
Hat Attendee Survey (2015).

IBM and Ponemon Institute LLC (2016) released the 2016 Cost of Data Breach Study:
Global Analysis. According to their research (Figure 14), the average total cost of a
data breach for the 383 companies participating in this research increased from $3.79
million to $4 million. The average cost paid for each lost or stolen record containing
sensitive and confidential information increased from $154 in 2015 to $158 in the year
of the study.

According to the report’s result (Figure 14), heavily regulated industries such as
healthcare, education and financial organizations have a per capita data breach cost
substantially above the overall mean of $158. The public sector, research, and
transportation organizations have a per capita cost well below the overall mean value
(IBM and Ponemon Institute LLC 2016, p.8).

Figure 14: Data Breach per capita cost. Source: Accessed from Cost of Data
Breach Study (2016, p.7).

Among the three root causes of breach incidents in 2016, the per capita cost of a data
breach due to malicious or criminal attacks was $170 (Figure 15). This is significantly
above the per capita cost of breaches caused by system glitches and human factors ($138
and $133, respectively).

Figure 15: Threats and Risk per capita cost. Source: Accessed from Cost of
Data Breach Study (2016, p.8)

There are too many variables contributing to the total impact of a corporate security
breach. The consequences are also different: for some businesses, it’s the slight
increase of the total IT budget, for others it’s a significant financial and reputational
damage, and for some, it’s going out of business with all assets wiped out. One thing is
certain - the cost of a security breach is always higher than the cost of protection: the
ability to reduce the risk and avoid the shaky path of recovery always pays off
(Kaspersky Lab 2015).

3.8 Challenges of Information Security

3.8.1 Challenges of Cyber Security

For effective cybersecurity, an organization needs to coordinate its efforts
throughout its entire information system. The elements of cybersecurity encompass all of
the following:
• Network security
• Application security
• Endpoint security
• Data security
• Identity management
• Database and infrastructure security
• Cloud security
• Mobile security
• Disaster recovery/business continuity planning
• End-user education (Lord 2017).

The most difficult challenge in cybersecurity is the ever-evolving nature of security
risks themselves. Traditionally, organizations and the government have focused most of
their cybersecurity resources on perimeter security to protect only their most crucial
system components and defend against known threats. Today, this approach seems
insufficient, as the threats advance and change more quickly than organizations can
keep up with. As a result, advisory organizations promote more proactive and adaptive
approaches to cybersecurity. Similarly, the National Institute of Standards and
Technology (NIST) issued guidelines in its risk assessment framework that recommend
a shift toward continuous monitoring and real-time assessments, a data-focused
approach to security as opposed to the traditional perimeter-based model (Lord 2017).

3.8.2 Social Engineering

Social engineering has been and continues to be a leading trend when it comes to
security threats. Although this is a technique deployed by criminals to gain access to
their prey, it has proven very effective in the hands of non-technical criminals as well as
cybercriminals. There are a number of different methods of social engineering:

Baiting – this is the ‘curiosity killed the cat’ scenario, wherein a cybercriminal
intentionally leaves a device such as a pen drive, external hard drive, CD/DVD, memory
card or similar (pre-infected with malicious applications) in a public place. Someone
might come along and think they have found a treasure, but most likely, once the device
is inserted into a system, that system becomes compromised.
Phishing – just as it sounds, the humans are the fish. This method has been around for
as long as computers themselves, yet it remains effective. Phishing preys on users who
make fear-based decisions driven by their current emotional state rather than their
reasoning. An intruder fashions emails that appear to come from someone in authority
(within a company) requesting or demanding that users’ credentials be changed or
submitted. Given the sense of urgency, especially from someone of higher authority,
people are most likely to comply with such a request or email. Timing (for instance,
Friday evening when people are in a weekend haste) is also key in pushing a user into
decisions based on poor impulse control.

Spear Phishing – this kind of phishing is very similar to phishing but far more specific
and complex in nature. It tends to target employees of specific companies in an attempt
to steal data. Only specific targets (organizations) are sought, based on research
conducted online about the target. “Once the criminal has a sense of their target, they will then
start to send emails that seem personally relevant to the victim in order to entice them
to click on a malicious link that hosts malware or download a malicious file. Sure, we
all check our personal emails and social media while on our company’s network, which
is what the cybercriminal is depending upon. Once the user has been successfully
tricked, the malware is then installed on the computer on the network, which will allow
the malware to easily spread to other computers within the company’s network” –
Norton (Emerging Threat, n.d.).

Vishing – this method is the most human-interactive of all the social engineering
stunts. The criminal engages an employee of a company via a phone call, posing as a
trusted individual or a representative from a bank, insurance company, or some
institution that the employee does business with, and then tries to fish for information
from the target, for example by posing as a fellow employee who has lost their
password and requesting the employee’s, or by asking the target a series of questions to
verify and steal their identity.

Email Hacking – when a user has fallen prey to phishing, the next thing on the
cybercriminal’s mind is to hack the email of the victim. From phished information, the
cybercriminal can gain access to the victim’s email account(s) and cause further mayhem.

Contact Spamming – once a cybercriminal has access to a victim’s email account(s),
they are able to spam the contacts, and even create additional fabrication, modification,
interception, and interruption problems; to them that is more profitable.

Pretexting – This method is also not new, but people still fall prey to it, unfortunately.
The cybercriminal usually develops a contextualized story to lure victims into
believing it. Once the victim is ‘hooked’, the process continues with the sharing of false
information and sometimes voice impersonation via telephone to validate the
cybercriminal’s story. The stories usually revolve around wanting help to get a huge sum
of money out of a bank, being stranded in a foreign land, and similar requests for
financial assistance.

Farming – As if pretexting is not enough, farming is when a cybercriminal profiles a
victim from social media and tries to create a fake family-like relationship. As soon as
the cybercriminal succeeds, the cybercriminal initiates pretexting and solicits financial
and other forms of benefit for as long as the victim continues to believe in the
pseudo-family ties between them.

The list of social engineering techniques mentioned here is not exhaustive, and an attacker
may choose to use one (single attack) or combine several (complex attack) of these
attacks to achieve the best possible results.
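The phishing and spear phishing cues described above (apparent authority, urgency, a request for credentials, a sender outside the organisation, a link, Friday-evening timing) are the same cues an awareness or mail-triage team would score when deciding whether to hold a message for a human look. The Python scorer below is an added example written for this page; it is not code from the dissertation, from Norton or from any product. The indicator word lists, the weights, the threshold and the two sample messages are constructed assumptions for illustration, not a validated classifier.

```python
"""Heuristic phishing-indicator scorer (added example, constructed weights).

Flags the cues discussed in the text: apparent authority, urgency,
a request for credentials, a sender outside the organisation's own
domain, a link, and Friday-evening timing. Intended for triage and
awareness training, not as a drop-in production filter.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Keyword lists are constructed for illustration; a real deployment
# would tune them on the organisation's own mail traffic.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "today", "suspended")
CREDENTIAL_WORDS = ("password", "credentials", "login", "verify your account", "reset")
AUTHORITY_WORDS = ("ceo", "director", "it department", "helpdesk", "administrator")

# Assumed weights: a credential request and an external sender count most.
WEIGHTS = {
    "urgency": 2,
    "credential_request": 3,
    "claims_authority": 1,
    "external_domain": 2,
    "friday_evening": 1,
    "link_present": 1,
}


@dataclass
class Email:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    sent_at: datetime
    org_domain: str  # the domain the recipient's organisation really uses


def indicators(mail: Email) -> dict:
    """Return a dict of indicator name -> bool for one message."""
    text = f"{mail.subject}\n{mail.body}".lower()
    name = mail.sender_name.lower()
    domain = mail.sender_addr.rsplit("@", 1)[-1].lower()
    return {
        "urgency": any(w in text for w in URGENCY_WORDS),
        "credential_request": any(w in text for w in CREDENTIAL_WORDS),
        "claims_authority": any(w in text or w in name for w in AUTHORITY_WORDS),
        "external_domain": domain != mail.org_domain.lower(),
        # weekday() == 4 is Friday; 16:00 onwards approximates the "weekend haste"
        "friday_evening": mail.sent_at.weekday() == 4 and mail.sent_at.hour >= 16,
        "link_present": re.search(r"https?://", text) is not None,
    }


def score(mail: Email) -> int:
    """Weighted sum of the indicators that fired (0..10 with these weights)."""
    found = indicators(mail)
    return sum(WEIGHTS[k] for k, hit in found.items() if hit)


def triage(mail: Email, threshold: int = 4) -> str:
    """Route a message: hold it for a human look at or above the threshold."""
    return "hold for review" if score(mail) >= threshold else "deliver"


# Constructed sample messages (example.test is a reserved, fictitious domain).
PHISH_SAMPLE = Email(
    sender_name="IT Helpdesk",
    sender_addr="support@examp1e-mail.test",
    subject="URGENT: password reset required today",
    body=("Your account will be suspended. Verify your account at "
          "http://portal.examp1e-mail.test/login immediately."),
    sent_at=datetime(2017, 10, 13, 17, 30),  # a Friday evening
    org_domain="example.test",
)

LEGIT_SAMPLE = Email(
    sender_name="Alice Example",
    sender_addr="alice@example.test",
    subject="Minutes from Monday's meeting",
    body="Attached are the minutes. Let me know if I missed anything.",
    sent_at=datetime(2017, 10, 10, 9, 0),  # a Tuesday morning
    org_domain="example.test",
)

if __name__ == "__main__":
    for mail in (PHISH_SAMPLE, LEGIT_SAMPLE):
        fired = [k for k, v in indicators(mail).items() if v]
        print(f"{mail.subject!r}: score={score(mail)} -> {triage(mail)} {fired}")
```

The constructed phishing sample trips every indicator and scores 10, while the routine internal message scores 0. The value for an awareness programme is in the `fired` list rather than the number: showing a user which cues a message exhibited is the "educate" half of the text's educate-and-validate idea, and the weights can be tuned once the organisation knows which cues its own users actually fall for.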

“Social engineering is everywhere, online and offline. It is extremely successful
because of the one element involved that we can’t install security software on- the
human being. Your best defenses against these kinds of attacks is educating yourself
and being aware of what to be on the lookout for” – Norton (Emerging Threat, n.d.).

3.8.3 Data Privacy

Data privacy is a very controversial topic in developing and developed countries. The
better way to understand data privacy is from the user endpoint as prey. What if every
Yahoo and Google search a user made were cataloged and made public so that every
other person could see what that user has been looking up? What if every web page a
user ever visited since they started using the Internet were cataloged into a book for
every other person to read what that user has been up to? As embarrassing as it may
sound, this is exactly what is going on behind the web page as users browse the
Internet. On a minute-by-minute basis, data is gathered on who a user is, what a user
does, what a user knows, where a user is, where a user has been, where a user plans to
go, what a user likes and dislikes, and their dirty and secret hobbies. The types and
amount of data about each and every Internet user are immense. Anything done online is
data, and data about that data creates still more data. Think of personal data as the
digital record of “everything a person makes and does online and in the world” (David
et al. 2010). The scary part is when those digital records hit the public without the
permission of the creator(s). TechTarget defines data or information privacy as “the
aspect of information technology (IT) that deals with the ability an organization or
individual has to determine what data in a computer system can be shared with third
parties”.

Users happily give away (without forethought) personal data in exchange for services
like Twitter, Facebook, Google and so on. Users may not want to bother reading the
long scrolls of terms and conditions, so they simply select ‘agree’ or ‘I accept’,
meaning that their data, as a form of money, may be used by the provider of these
services. “The economies of the Internet have long been made viable by digital
advertising enabling most free services to indeed be free. Most news sites, social
networks, and other online applications are ostensibly free to access because their
revenue comes from marketing partners, not consumers. This is in obvious contrast to
e-commerce properties, which realize revenue directly from consumers and hence,
rarely rely on advertising” (Sivaramakrishnan 2014).

Free has become very expensive nowadays, and users of the Internet must take
precautions in how they give away their data ‘for free’ in exchange for free apps and
services. The personal data of users drives business interconnections. “Personal data
is the new oil of the Internet and the new currency of the digital world.” (Kuneva
2009).

In the end, personal data collected from users is harnessed and retargeted at them in the
form of advertisement worth millions in competitive marketing strategy: the big data
revolution.

4. Methodology

4.1 Chapter Summary

For this research purpose, the researcher chose an applied analytical (a little
ethnographically empirical in nature) research method that is exploratory in order to
look at the research problem from a different view with the intent to help identify an
overlooked contributing factor to the weaknesses of the users system. The aim is to help
improve the answers to the problem (Prochaska 2009). The primary criterion for
success in applied research is the contribution to the solution of specific practical
problems (Roll-Hansen 2009, p.4).

4.2 Choice of Method

The researcher intended to identify, understand, and bring change to the perception of
the users system that will in turn lead to a behavior change by reinforcing users’
awareness through the redefinition of data; referencing data as a currency. Trauth (cited
in Kaplan 2004) enumerated five influences regarding the choice of qualitative analysis in
line with the context of Information System research: “The five influences are the
research problem, the researcher’s theoretical lens, the degree of uncertainty
surrounding the phenomenon, the researcher’s skills, and contemporary academic
politics.” These are the factors that led to the application of the method, because the
researcher was concerned with change from a perspective that would, if verified,
be meaningful in upgrading perception, thus reducing vulnerability in Information
Security, cognitively.

The paradigm used for information gathering was qualitative as it investigated the
‘why’ and ‘how’ questions (Yin 2008, p.9). However, Yin (2008, p.9) states that the case
study is viewed as a less desirable form of inquiry than either experiments or surveys
due to lack of rigor. Very often, case study investigators have been sloppy, have not
followed systematic procedures, or have allowed equivocal evidence or biased views to
influence the direction of the findings and conclusions (Šimundić 2013).

A qualitative method was used to capture descriptive information not conveyed in
quantitative data about beliefs, values, feelings, and motivations that underlie behaviors
(Lincoln & Guba 1985; Kumar 2011). A quantitative model is not used because little
focus is placed on measuring the magnitude of variables (Kumar 2011). Rather than
following the scientific demand of measuring results, the nature of qualitative research is
primarily exploratory, focusing on gaining an understanding of underlying
reasons, opinions, and motivations. It provides insights into the problem or helps to
develop ideas or hypotheses for potential quantitative research. Qualitative research is
also used to uncover trends in thoughts and opinions and delve deeper into the problem.
Qualitative data collection methods vary, using unstructured or semi-structured
techniques, and at the same time may include focus groups (group discussions),
individual interviews, and participation/observations. The sample size is typically
small, and respondents are selected to fulfill a given quota (Wyse 2016).

The researcher also drew on knowledge acquired from many years of direct
observation of users in diverse office cultures (Ventres & Frankel 1996). Primarily,
open-ended interviews and questionnaire sampling were used.

By adopting an indirect case study with the users and systems at some leading private
corporate entities in Liberia (with participating regional offices), the researcher was
provided with original information, because the case study is actually one of the most
flexible research designs. It allowed the researcher to retain a holistic picture of real-life
events while at the same time investigating empirical events (Schell 1992). A case
study in general is an empirical inquiry that:
a) investigates a contemporary phenomenon within its real-life context: when…
b) …the boundaries between phenomenon and context are not clearly evident, and
in which…
c) …multiple sources of evidence are used (Yin 1984).
The researcher chose to empathize with members of the users system by toning down the
high level of security awareness, to further minimize bias or being judgmental.
The ethnographic view of things is more appropriate where the need to persuade
change is of high necessity. ‘Change’, in the view of the researcher, is usually resisted
– thereby, making change as ‘one of us’ is easier than making ‘them to change us’.
According to Sauro (2015), “Ethnography has its roots in cultural anthropology where
researchers immerse themselves in a culture, often for years! Rather than relying on
interviews or surveys, you experience the environment first hand, and sometimes as a
‘participant observer’.” Every office has a culture, and now we see that there is a
growing culture for the way computer users interact with the computer, as well as with
each other on social media. Being one of them allows the complete understanding into
why they do what they do.

Other information was gathered from research literature on Information Security
vulnerabilities, data currency, and similar documentation.
According to Berndtsson et al. (2008), selecting a case study as an approach requires
site identification, the role of academics or professionals, and the analysis and evaluation
of data. On the other hand, Yin (cited in Baxter & Jack 2008) states that a case study
design should be considered when:
a) the focus of the study is to answer “how” and “why” questions;
b) one cannot manipulate the behavior of those involved in the study;
c) one wants to cover contextual conditions because he believes they are relevant
to the phenomenon under study; or
d) the boundaries are not clear between the phenomenon and context.
While this is true, a case study may be explanatory, descriptive, or exploratory, with the
most rigorous demands made upon the explanatory case (Schell 1992).

For instance, a study of the decision making of nursing students conducted by Baxter
(2008) sought to determine the types of decisions made by nursing students and the
factors that influenced the decision making. A case study was chosen because the case
was the decision making of nursing students, but the case could not be considered
without the context, the School of Nursing, and more specifically the clinical and
classroom settings. It was in these settings that the decision-making skills were
developed and utilized. It would have been impossible for this author to have a true
picture of nursing student decision making without considering the context within
which it occurred (Baxter & Jack 2008).

There are drawbacks of the case study as a research strategy, ranging from the most
practical to the most abstract. Some of the criticisms of the case study method relate to
the highly labor-intensive nature of this research strategy. Other critics claim that the
process of preparing case studies takes too long and results in massive, unreadable
documents or reports with only the researcher’s conclusions: “The analysis and
presentation of case study data requires more skill, hence more highly qualified
researchers and is subject to more risk of researcher bias than other research strategies.
Actors may provide inconsistent or conflicting accounts, because of either a desire to
manipulate results or inconsistency of private and public opinions” (Schell 1992).
These could also be inherent problems with more quantitative forms of research as
well. Yin (1984, as cited by Schell 1992) agrees to some extent that there are
shortcomings in the methodology of case study research, but nevertheless contends that
these shortcomings are not innate, and represent opportunities for development within
the research strategy, or even more importantly, recognition of methodological
constructs which are already known.

The various modes and methods of facts finding, data collation, and analysis used in this
research, along with the objective of the research are outlined in Table 4.

Table 4: Research roadmap table

Goal of Research: The research goal is to identify a link between currency and data and
create users’ awareness on the value of data (i.e., data equals currency). This knowledge
should change users’ perception and reduce the threats to data by their precautious
actions.

Study Methodology: Case study (ethnographically empirical)

Research Method: Interview, questionnaire, and observation of organizations’ users’
understanding, perception and behavior towards Information Security, policy, and data
(Kaplan & Maxwell)

Analysis Method: Thematic analysis

Organization’s Case Study Selection: The case study selection is a continuation of
personal experience with computer users who were willing to participate in the research

Information Sources: Literature reviews; personal experience; observation; open-ended
interviews; closed-ended questionnaires (discrete and rating)

Thesis evaluation criteria: Kaplan et al. (2004)

4.3 Data Collection

4.3.1 Research Instruments

There are various procedures for data collection, but the main instruments used in this
research formed a mixed-method design consisting of closed-ended questionnaires,
open-ended interviews, and documentation of the researcher’s observations. These
different ways of gathering information can supplement each other and hence boost the
validity and dependability of the data. The researcher iterated questions in different
ways to get specific facts, since it was likely that a respondent could be
misunderstood due to external and/or internal factors, like mood, lack of interest in the
topic, … (Zohrabi 2013).

4.3.2 Profile and Setting: Respondents and Interviewees

The interviewees were employees of four large corporate entities ranging from junior to
senior management staff members who were directly involved with the Information
Systems. These were a mixture of a humanitarian organization, governmental,
corporate entity, religious humanitarian non-governmental, and developmental
institutions. Causes promoted by the selected institutions include the equality of
gender, the reduction of poverty through relief and development, and advocacy for
human rights. Their offices have a range of well-structured Information Systems that
allows for ITIL customer helpdesk, centralized email systems, replica servers, SAP
implementation servers, and filing systems with internal web resource via VPN.
The respondents included residents of Liberia, Nigeria, Chad, Senegal, and Mali.

4.3.2.1 Interview

The researcher included an interview to get firsthand information from some
knowledgeable informants as to their perception of the world around them (Zohrabi
2013). Flick (2006, as cited in Zohrabi 2013) adds that the purpose of the interview “is to
reveal existing knowledge in a way that can be expressed in the form of answers and so
become accessible to interpretation.” The face-to-face interview transmits facial,
body, and interpersonal data that cannot be attained by other methods (Kvale 2007,
p.56). This “involves systematic and detailed study of individuals in natural settings,
instead of in settings contrived by the researcher, often using open-ended interviews
intended to elicit detailed, in-depth accounts of the interviewee’s experiences and
perspectives on specific issues, situations, or events” (Kaplan & Maxwell 2004).

An interview is neither exclusively subjective nor objective; it is intersubjective (Laing
1967). Interviews enable participants (interviewers and interviewees) to discuss their
interpretations of the world in which they live, and to express how they regard
situations from their own points of view. By so doing, the interview is not simply
concerned with collecting data about life, but it is part of life itself; its human
embeddedness is inescapable. Moreover, the interview is a flexible data collection tool
that enables multi-sensory channels to be used: verbal, non-verbal, spoken and heard.
Cohen et al. (2007, p.349) state that “the order of the interview may be controlled while
still giving space for spontaneity, and the interviewer can press not only for complete
answers but also for responses about complex and deep issues. In short, the interview is
a powerful implement for researchers. On the other hand, the researcher using
interviews has to be aware that they are expensive in time, they are open to interviewer
bias, they may be inconvenient for respondents, issues of interviewee fatigue may
hamper the interview, and anonymity may be difficult.”
While interview seems to be more of an appropriate tool for this research, it is
important to point out that interviews and discussions held with employees of the
various institutions in combination with other qualitative methods drew relevant results.
It is worth mentioning (see Table 5) that interview is more appropriate regardless of its
weaknesses based on the quality of data collected.

Table 5: Strengths and weaknesses of an Interview

Strengths:
• Detailed information can be obtained and avoids oversimplifying complex issues.
• Greater attention to individual's point of view; this is important in clinical
psychology.
• Unstructured, casual interviews may encourage openness in answers.

Weaknesses:
• Difficult to analyze if unstructured and qualitative in nature.
• Time-consuming, expensive.
• Possible interviewer effects. For example, people affected by the attractiveness of
interviewer.

4.3.2.1.1 Profile and Setting of Interview

Two corporate organizations were interviewed (for ethical reason, they are not named
herein). One of the organizations was a public-private entity, while the other was non-
governmental. One of the two companies delves into developmental work in third-
world nations, while the other is more of a relief aid agency. What they both shared in
common is their ability to have IT systems as an integral part of their operations to
foster productivity.
Fifteen persons across both institutions willingly participated in the interview. The
designation includes finance manager, administrative personnel, civil engineer,
economist, senior managers, IT personnel, among others. They were all active
computer (also mobile and Internet) users.

4.3.2.1.2 Interview Questions

The interview questions were purposely designed to reduce the urge to introduce biases
during data analysis, such as by fabricating, abusing or manipulating the data
(Šimundić 2013). Stinger (1999 [55], as cited in Peng Xiong 2011) notes that “a major
problem with interview is that questions are easily influenced by the researcher’s
perceptions, perspectives, interests, and agendas.” So, to avoid this, the opening
questions the researcher proposes (a new method developed by the researcher – ‘educate
and validate’ – as explained subsequently) are educative but conclude with behavioral
questions to validate whether the interviewee is truthful, based on the trend of actions
after education or awareness. ‘Educate and validate’ is a derived method of information
gathering wherein respondents are initially provided facts about a research topic during
an interview or with a questionnaire, as questions are slightly repeated at intervals to
check the respondent’s consistency or inconsistency based on knowledge, ignorance,
change resistance, and/or behavioral pattern.

The interview session lasted under 15 minutes for each participant. The list of questions
is as follows:

Questions were asked in an unstructured way:

1) What can you say data is?
a. What do you view information to be?
b. State some examples, if you can.
Purpose: To identify interviewee’s knowledge level on data and information

2) Have you experienced data loss?
a. How did you feel about the situation and how did you react?
b. How do you protect your data?
Purpose: To educate interviewees on the importance of data and information

3) Do you use purchased antivirus for personal or office computer?
a. Have you experienced virus effects?
Purpose: To understand interviewee’s awareness on some IT risk and educate at the
same time on prevention to take.

4) Do you know what is: an IT policy, email policy, Internet usage policy?
a. Explain if yes.
Purpose: To understand interviewee’s awareness on policy as it relates to IS.

5) Do you undergo periodic training about computer threats and risks, either by
employer or self-innovation?
Purpose: To understand employer’s intervention in providing awareness as well as
interviewee’s drive to understand the threats.

6) How do you value data and information?
a. What would you consider data to be?
b. Can you say that data is equivalent to money or almost equivalent to money
or a bit more valuable than money?
Purpose: To understand and educate interviewees on the value of data and information.

NOTE: The question does not leave the interviewee to ponder too long for an answer. It
provided a clue, but the actual attitude towards the value of data and information is
found in question seven.

7) Do you find it irritating to keep changing your email, windows login, and other
computer accounts password?
a. Do you find it necessary to keep using difficult password?
Purpose: To validate the interviewee’s actual behavior towards data and information.
After education on the value of data is done, what do they think about the value of data
as depicted in question number seven.

8) Any important questions arising from the interview
Purpose: To conclude, verify, and answer any other issues or questions arising from the
interview.

4.3.2.2 Questionnaire

The items of the questionnaires were mainly developed based on the research
objectives and research questions (Zohrabi 2013). Although the field of questionnaire
design is vast, the questionnaire is a widely used and useful instrument for
collecting survey information, providing structured, often numerical data, and often
being comparatively straightforward to analyze (Wilson & McLean 1994; Cohen 2007).
Cohen (2007) notes that these attractions have to be counterbalanced by the time taken
to develop, pilot and refine the questionnaire, by the possible unsophistication and
limited scope of the data that are collected, and by the likely limited flexibility of
response (though, as Wilson and McLean (1994) observe, this can frequently be an
attraction). The researcher will have to judge the appropriateness of using a
questionnaire for data collection, and, if so, what kind of questionnaire it should be.

Table 6: Strengths and weaknesses of a questionnaire

Strengths:
• Many people can be tested quickly. It is easy to generate quantitative data and easy to
analyze.
• Used to collect large amounts of data about what people think as well as what they
do.
• Convenient - researcher does not need to be present as answers can be mailed so
respondent has time to consider answers.
• Can quickly show changes in attitudes or behavior before and after specific events.

Weaknesses:
• Social desirability - people say what they think looks good.
• People may not tell the truth, especially on sensitive issues, for example, sexual
behavior.
• If researcher is present, then this may affect answers. Also, postal surveys may have
low response rate.
• Difficult to phrase questions clearly. You may obtain different interpretations of
questions.
4.3.2.2.1 Profile and Setting of Questionnaire

Respondents participating in the questionnaire spanned across four corporate
organizations (for ethical reason, they are not named herein). One of the organizations
is a public-private entity while the other three are non-governmental establishments.
One of the four companies deals with developmental works in third-world nations
while the others are relief aid agencies. They all have strong IT backbone as an integral
part of their operations to enhance productivity.

Fifteen respondents across the four institutions willingly participated in the interview.
The designation includes managers, procurement, monitoring and evaluation personnel,
administrative personnel, technical expert, and others. These were also active computer
(also mobile and Internet) users.

4.3.2.2.2 Questionnaire Questions

The questions were grouped into three sections or themes: i) pre-computer
usage/literacy, ii) Information Security knowledge skills, and iii) computer usage/IS
proficiency. The main aim of the questionnaire was to gather from respondents their
perception of what data and information are to them. The ‘educate and validate’
method was not relevant for this mode of data collection.

The questionnaires were issued to IT personnel at each of the various institutions


identified, totaling 15 respondents. The list of questions by section are as follows:

A. Computer usage questions. Please tick your answer.

Table 7: Computer usage questions

Question                                          Answers
i    What is your computer skill level?           Novice / Intermediate / Expert
ii   How proficient are you with the Internet?    Novice / Intermediate / Expert

Select as many as applicable:

iii  From where do you access the Internet?       Public / Home / Office / Mobile
iv   Which access(es) to a computer do you have?  Public / Home / Office

Purpose: To identify the respondent's skill set in Information Technology.

Concerning the maintenance of the confidentiality, integrity, and availability of information within an Information System, and users' interaction with these Information Systems, please indicate the extent to which you agree or disagree with the following statements:

SA = Strongly Agree, A = Agree, N = Neutral, D = Disagree, SD = Strongly Disagree

1) Application(s) running on the office computer are licensed software (Office, antivirus, etc.)
2) Personal computer and mobile device run free or unpurchased antivirus application software
3) Sometimes use cracked applications on a personal device
4) Sometimes use cracked applications on an office device
5) Hardware makes the most vulnerable component of an information system
6) Software makes the most vulnerable component of an information system
7) Users make the most vulnerable component of an information system
8) Data has the same value as money or currency
9) Information could produce money, but it is not yet money
10) Users within the establishment have the competence to mitigate high IT risks and threats to data and systems if the situation presents itself
11) Users within the establishment are fully aware of all IT policies and procedures
12) Skills of users or employees are good enough to avoid possible IT risks and threats to the establishment's data
13) Management is hugely investing in the training of computer users to avoid threats and risks and to improve proficiency

Purpose: To obtain information from respondents about the institution's involvement in mitigating risks through training, and to validate how valuable respondents and the organization consider data and information.

B. Validation of computer usage referencing security threats. Answer options: Yes / No / I don't know
1) Do you know what an IT Policy is all about?
2) Have you read your IT Policy entirely and understood it?
3) Have you been given a policy manual on how to use a computer, Internet, Email, etc., by your employer?
4) Has your employer done any sort of education about their IT Policy?
5) Do you undergo regular IT training about prevailing IT risks and threats by your employer?
6) Does your employer conduct periodic risk analysis assessments to identify users' weakness(es) and improve upon said weakness(es) to avoid risks?
7) Do you know and understand what IT risks and threats are?
8) Do you follow up on current IT risks and threats?
9) Do you buy licensed applications for your personal home and mobile devices?
10) Do you use USB devices (sticks, external drives, etc.) between home, office, and public facilities?
11) Do you understand what an update, an upgrade, and a patch are as they relate to IT?

Purpose: The section above gives an overview of the respondent's knowledge of IS policies, computer risks, and threats.

4.3.2.3 Observation

According to Singh (2010), the most common method of getting information about the various things around us is to observe those things and the processes related to them. Observation is a fundamental and basic method of getting information about anything, but one must keep in mind that observation is not just seeing things; it is carefully watching and trying to understand them in depth in order to obtain meaningful information about them. The observation here considers past attitudes and behaviors related to the problem statement. The reason is that the distinction can be summed up by contrasting "what people say" versus "what people do" (very often the two are quite different). The purpose of attitudinal research is usually to understand or measure people's stated beliefs (Rohrer 2014, para. 4).

Observations can be scientific when used by researchers in research work, but it should be noted that not all observations are scientific in nature. It is important to compare (see Table 8) the pros and cons of a data collection method and to make the selection based on the expected outcome.

Table 8: Strengths and weaknesses of an observation

Strengths:
- Collect data where and when an event or activity is occurring
- Does not rely on people's willingness to provide information
- Directly see what people do rather than relying on what they say they do
- Access situations and people where questionnaires and interviews are inappropriate to use

Weaknesses:
- Susceptible to observer bias
- Hawthorne effect: people usually perform better when they know they are being observed
- Does not increase understanding of why people behave the way they do
- Time consuming

Primary Data Collection – Observations (2012) explain that: "a key advantage of observation is that you can observe what people actually do or say, rather than what they say they do. People are not always willing to write their true views on a questionnaire or tell a stranger what they really think at interview. Observations can be made in real life situations, allowing the researcher access to the context and meaning surrounding what people say and do. There are numerous situations in the area of criminology, and related disciplines, where approaching people for interview or questionnaire completion is unlikely to yield a positive response, but where observations could yield valuable insights on an issue.

On the other hand, there are a number of very important problems associated with observational research. One relates to the role of the observer and what effect he or she has on the people and situations observed. This is difficult to gauge. There is also the additional problem of being able to write an account, as a researcher, when one is immersed in a situation or culture. This latter situation can mean that the research is dismissed as too subjective. Observation can be very time-consuming. Some well-known observational pieces of research took some years of observation and immersion in a situation or culture. However, it is more common in modern research to reduce the observation time substantially. Observation time may be further reduced in experimental conditions (laboratory or simulation), in other words, controlled settings. An important potential disadvantage, in conducting observational research, is the ethical dilemmas inherent in observing real-life situations for research purposes."

4.3.2.4 Data Analysis Procedure

The raw data collected in the case study adopted in this research came from four corporate organizations (for ethical reasons, they are not named herein), each having a strong IT backbone as an integral part of its operations to enhance productivity. The data was analyzed using Microsoft Word tables and Microsoft Excel charts, which provided a cross-tabulated overview of the demographic.

The analysis of the collated data gave a clear picture of what the participants (respondents) in the interview and questionnaire exercises think and feel about the topic sentence (as stated in chapter one). Notwithstanding, it was understood that the variation among the respondents' views on the questions derived from the topic sentence is itself a clear indication of the facts.

5. Presentation of Data

5.1 Chapter Summary

This chapter details the results of the data analysis. The data collected from interviews, questionnaires, and observations are processed to provide answers to the thesis statement in chapter one of the dissertation. The fundamental pillars on which the data collection and analysis process was built derive from the research question in chapter one.

In pursuing these objectives, the findings presented in this chapter show how practice is the model on which theory is based and how, when the two are synchronized, sound results are produced. This chapter also includes the conclusions drawn.

5.2 Analysis and Presentation

The presentation of the analysis is thematically divided into three main groups of questions derived from questioning the thesis statement in chapter one. These questions were broken down into more in-depth sub-questions, which formed the basis on which the questionnaire, interview, and observation conclusions were drawn. The three primary questions were intended to establish: users' awareness of data value (is data currency?), users' awareness of policy (IT/IS), and users' training and risk assessment on threats. Data for both questionnaire and interview is presented through qualitative and quantitative themes side by side for unbiased analysis.

The demographic presentation shows a sample free of deliberate bias. The majority of the total sample were male (Figure 16). This by no means indicates bias; rather, it reflects the predominance of men within the professional corporate environment.

Figure 16: Gender ratio graph (bar chart). Questionnaire, n=15: 67% male, 33% female. Interview, n=15: 53% male, 47% female.

5.3 Results Overview

The 15 respondents to the questionnaire included personnel from top management to operational level holding computer-related job designations. Participants were not limited to Liberia but included other countries (Nigeria, Mali, Chad, and Senegal) within West Africa, under the same institutions' sub-regional offices with similar ICT infrastructure.

Table 9 indicates the frequency of respondents partaking in both the questionnaire and the interview. The table shows a male-dominant representation in both. However, the sample was selected randomly, and each respondent was given an equal and fair opportunity to respond.

Table 9: Details on respondents by gender for both interview and questionnaire

A. Questionnaire
GENDER    FREQUENCY    PERCENTAGE
Male      10           67
Female    5            33
TOTAL     15           100

B. Interview
GENDER    FREQUENCY    PERCENTAGE
Male      8            53
Female    7            47
TOTAL     15           100

Table 10, Section A, shows that all questionnaire respondents were between 30 (minimum) and 65 (maximum) years of age. The average age of female respondents was approximately 40, while the average age of male respondents was approximately 50. It also shows that most questionnaire participants were aged between 30 and 49.

Table 10, Section B, shows that interview respondents' ages ranged between approximately 19 (minimum) and 65 (maximum). The average age of female respondents was approximately 35, while the average age of male respondents was approximately 45. Section B also shows that most interview participants were aged between 19 and 49.

Table 10: Respondent details by age range

A. Questionnaire

AGE RANGE      MALE   %     FEMALE   %     TOTAL   %      M. AVE. AGE   F. AVE. AGE
18 and below   0      0     0        0     0       0      0             0
19-29          0      0     0        0     0       0      0             0
30-39          4      40    2        40    6       0.9    34.5          34.5
40-49          4      40    3        60    7       1.05   44.5          44.5
50-59          1      10    0        0     1       0.15   54.5          0
60 and +       1      10    0        0     1       0.15   62.5          0
TOTAL          10     100   5        100   15      2.25   49.5          39.5

B. Interview

AGE RANGE      MALE   %      FEMALE   %      TOTAL   %      M. AVE. AGE   F. AVE. AGE
18 and below   0      0      0        0      0       0      0             0
19-29          1      12.5   3        42.9   4       0.6    24            24
30-39          2      25     2        28.5   4       0.6    34.5          34.5
40-49          3      37.5   2        28.5   5       0.7    44.5          44.5
50-59          1      12.5   0        0      1       0.15   54.5          0
60 and +       1      12.5   0        0      1       0.15   62.5          0
TOTAL          8      100    7        100    15      2.20   44.5          34.5

The largest share of questionnaire data came from Managers and Technical Experts, while the majority of interview respondents were Finance/Admin and Support Staff (Figure 17).

Figure 17: Occupational Summary (bar chart of respondents by designation, interview versus questionnaire; the largest bars are 33% and 27%).

Figure 18 shows that the 30 to 49 age range contains a complete mixture of all occupations selected for the data collection exercise and, at the same time, holds the majority of respondents.

Figure 18: Designation by Age (stacked bar chart; age bands 19-29, 30-39, 40-49, 50-59, 60+; designations: Fin/Admin Staff, IT Personnel, Engineer, Economist, Health Practitioner, Social Worker, Support Staff, Manager, M&E, Logistics, Technical Expert).

Figure 19: Questionnaire User Skill Level (bar chart, n=15; categories Expert, Intermediate, Novice, n/a; series Computer and Internet. Computer: 20% expert, 73.3% intermediate, no novice, one n/a. Internet: 40% expert, 53.3% intermediate, no novice, one n/a).

Figure 19 indicates that 11 questionnaire respondents have an intermediate computer skill level, while three respondents are experts. The data shows no novices. One respondent did not select a computer skill level. Most computer and Internet users are intermediate.
Figure 20: Questionnaire - Computer usage and Internet access (bar chart, n=15; series Internet and Computer; Office 100%, Mobile device 73.3%, Home 60%, Public 20%).

According to the survey (Figure 20), all 15 respondents access the Internet using office computers. Nine of the 15 respondents also access the Internet using their home computers, while 12 of the same 15 also use mobile computing. Eleven of the 15 access the Internet using a mobile device only.

5.3.1 Section 1: Question Themes

Figure 21: Questionnaire question 8 – Data is currency (bar chart, n=15; statement "Data has the same value as money or currency"; Likert scale Strongly agree to Strongly disagree; bars 33%, 20%, 20%, 20%, 6.6%).

Question eight [Data has the same value as money or currency] shows that most respondents agree that data is money or currency (Figure 21).

Figure 22: Questionnaire question 9 – Data is not currency (bar chart, n=15; statement "Information could produce money but it is not yet money"; Likert scale Strongly agree to Strongly disagree; bars 26%, 26%, 26%, 20%).

Question nine [Information could produce money, but it is not yet money] shows that respondents strongly agree and agree that data is not of near value to currency (Figure 22). This contrasts with the agreement by respondents in question eight that data is money or currency (Figure 21).

Figure 23: Interview question 6 – Data's value (bar chart, n=15; Almost money 40%, Is money 56.3%, More than money 6.6%).

Question six [How do you value data and information? What would you consider data to be? Can you say data is equivalent to money, almost equivalent to money, or a bit more valuable than money?] asked during the interview shows that most respondents say that data is money (Figure 23).

5.3.2 Section 2: Question Theme

Figure 24: Questionnaire question 10 – IT Policy understanding (bar chart, n=15; statement "Users within establishment meet the competence to mitigate high IT risks and threats to data and systems if the situation presents itself"; Likert scale Strongly agree to Strongly disagree; bars 33.3%, 33.3%, 13.3%, 13.3%, 6.6%).

Question ten (Figure 24) shows that five respondents agree that users are aware of IT Policy, while five respondents remain neutral, giving an equal number of respondents who agree and who are neutral.

Figure 25: Questionnaire question 1 of section D – Policy understanding ("Do you know what an IT Policy is all about?"; Male, n=10: 70% yes, 30% no; Female, n=5: 60% yes, 40% no).

Questionnaire question one (Figure 25) shows that the majority of respondents, irrespective of gender, know about IT Policy. It can also be seen from the survey that the management of the institutions partaking in the survey are, for the most part, educating users on IT policy.

Figure 26: Questionnaire question 2 of section D ("Have you read your IT Policy entirely and understood it?"; Male, n=10: 70% yes, 30% no; Female, n=5: 60% yes, 40% no).

From question two of the questionnaire (Figure 26), it can be seen that the majority of respondents have read an IT Policy.
Figure 27: Questionnaire question 3 of section D ("Have you been given a policy manual on how to use computer, Internet, Email, etc., by your employer?"; Male, n=10: 70% yes, 30% no; Female, n=5: 60% yes, 40% no).

Questionnaire question three shows that the majority of respondents have been issued an IT Policy by their employer (Figure 27).

Figure 28: Questionnaire question 4 of section D ("Has your employer done any sort of education about their IT Policy?"; Male, n=10: 70% yes, 30% no; Female, n=5: 40% yes, 60% no).

From Figure 28, it can be seen that the majority of respondents have had their employer educate them on IT Policy.

Figure 29: Interview question 4 of section B ("Do you know what is: an IT policy, email policy, Internet usage policy?"; n=15; Male: 46.6% yes, 6.6% somewhat yes; Female: 33.3% yes, 6.6% somewhat yes, 6.6% no).

The graph (Figure 29) shows that most respondents have an understanding of an IT Policy, regardless of gender. In order to have a wider perspective on the relationship between the available variables, a cross-tabulation was done (Table 11). The table contains findings from the question 'Do you know what is: an IT policy, email policy, Internet usage policy?' by age range and gender.

Table 11: Cross tabulation of interview question 4

               MALE                           FEMALE
AGE RANGE      Yes   Somewhat Yes   No        Yes   Somewhat Yes   No
19-29          0     1              0         1     1              1
30-39          2     0              0         2     0              0
40-49          3     0              0         2     0              0
50-59          1     0              0         0     0              0
60 and +       1     0              0         0     0              0
TOTAL          7     1              0         5     1              1

The details in Table 11 show a knowledge gap in both genders (male and female). According to Table 11, the younger (19-29) group is the only age group with little or no IT Policy knowledge compared with the other age groups.

Figure 30: Questionnaire question 13 - Management Training Role (bar chart, n=15; statement "Management is hugely investing in the training of computer users to avoid threats, risks, and improve proficiency"; Likert scale Strongly agree to Strongly disagree; bars 40%, 20%, 20%, 13.3%, 6.6%).

Findings from question 13 (Figure 30) show that most respondents agree that management is investing heavily in training to avoid risks.

5.3.3 Section 3: Question Theme

Table 11 and Figure 30 are borderline items in this section. The reason is that both
questions show details on users’ training/awareness relative to the role
employers/institutions play in risks and threat management.

Figure 31: Questionnaire question 5 of section D – Risk and threat training ("Do you undergo regular IT training about prevailing IT risks and threats by your employer?"; Male, n=10: 20% yes, 80% no; Female, n=5: 20% yes, 80% no).

The result from question five indicates that the majority of respondents said 'no' regarding regular IT training by the employer on risks and threats. This is in sharp contrast to question 13 (Figure 30), where respondents agreed that management is investing heavily in IT risk management training.

Figure 32: Interview question 5 ("Do you undergo periodic training about computer threats and risks, either by employer or self-innovation?"; bar chart by gender; answers Yes / Self / No). * Multiple answers were allowed, so the total number of responses does not equal the number of respondents in the sample.

The results show that the largest portion of respondents do not undergo IT risk and threat training on the employer's initiative. A larger portion of respondents are self-driven in risk and threat awareness (Figure 32).

Figure 33: Questionnaire question 6 of section D – Risks and needs assessments ("Employer conducts periodic risk analysis assessment to identify users' weakness(es) and improve upon said weakness(es) to avoid risks"; Male, n=10: 20% yes, 10% I don't know, 70% no; Female, n=5: 60% yes, 20% I don't know, 20% no).

Question six (Figure 33) shows that most male respondents said 'no', while most female respondents said 'yes', to their employer conducting periodic risk assessments to identify and address users' weaknesses.

Figure 34: Questionnaire question 7 of section D – risks and threats knowledge ("Do you know and understand what are IT risks and threats?"; Male, n=10: 80% yes, 20% no; Female, n=5: 60% yes, 40% no).

In Figure 34, the survey shows that most respondents said 'yes' to understanding IT risks and threats.

Figure 35: Questionnaire questions 8 to 11 of section D – threats survey (bar chart, n=15; answers I don't know / No / Yes). "Do you understand what an update, upgrade, and patch is as it relates to IT?": 66.6% yes, 26.6% no, 6.6% I don't know. "Do you use USB devices between home, office, and public facilities?": 80% yes, 20% no. "Do you buy licensed applications for your personal home and mobile devices?": 46.6% yes, 46.6% no, 6.6% I don't know. "Do you follow up on current IT risks and threats?": 40% yes, 60% no.

Figure 35 summarizes the responses to questions 8 to 11. According to the survey, most respondents said 'yes' to understanding IT updates, upgrades and patches. Most respondents said 'yes' to using USB devices between home, office and public facilities. The survey also shows that the respondents who do and do not purchase licenses for personal and mobile devices are of equal ratio. The result shows that most respondents are not following up on current trends in IT risks.

Figure 36: Questionnaire questions 3 and 4 of section C – Pirated software (bar chart, n=15 for each statement; Likert scale Strongly disagree to Strongly agree). "Sometimes use cracked application on office device": bars 40%, 20%, 13.3%, 26.6%. "Sometimes use cracked application on personal device": bars 13.3%, 33.3%, 26.6%.

From questions three and four of the questionnaire, the survey shows that most respondents strongly disagree with the use of cracked applications on office devices. However, a higher number of respondents remained neutral on the same matter regarding personal devices (Figure 36).

Figure 37: Questionnaire questions 5, 6 and 7 of section C – Most vulnerable system (by users) (bar chart, n=15 for each statement; Likert scale Strongly disagree to Strongly agree). "Users make the most vulnerable component of an information system": bars 40%, 26.6%, 33.3%. "Software makes the most vulnerable component of an information system": bars 6.6%, 33.3%, 20%, 13.3%, 26.6%. "Hardware makes the most vulnerable component of an information system": bars 6.6%, 26.6%, 33.3%, 13.3%, 20%.

The survey result in Figure 37 shows that the largest group of respondents chose to remain neutral on the statement that users are the most vulnerable system, while a high number of respondents strongly agree that users make the most vulnerable system. On the statements that software and hardware are the most vulnerable systems, most respondents disagreed and remained neutral, respectively.

Figure 38: Interview question 7 – Users' behavior toward threats ("Do you find it necessary to keep using difficult passwords? Do you find it irritating to keep changing your email, Windows login, and other computer account passwords?"; n=15 for each; Necessary: 40% yes, 60% no; Irritating: 73.3% yes, 26.6% no).

The result (Figure 38) shows that most respondents find using difficult (secure) passwords unnecessary. The result also shows that most respondents find it irritating to follow security measures such as periodically changing their password credentials.

6. Results and Discussion

6.1 Discussion of Results

Based on the researcher's observations, which are reported later in this chapter, this research set out to understand and validate attributes of the vulnerabilities of day-to-day computer and data users (the Users system) in relation to the current financial value of data as currency. A case study was adopted across four corporate institutions spanning five countries, with primary reference to Liberia. These institutions depend entirely on IT infrastructure for business operations and decision making.

The researcher's expectation raised the question of what effect users' awareness that data is the new global currency has on Information Security vulnerabilities. The question was reviewed through a subset of three main points requiring separate answers. The results obtained from the sets of sub-questions presented in chapter one validated and shed light on new findings. The assumption that, viewed from a financial perspective, the most vulnerable system (the Users system) would soon reach a point where the high demand for unrestricted access to data or information comes to an end turned out to be a consoling assumption rather than a truth.

6.2 Themes Discussion

The first primary question, relating to users' awareness of data's value as currency, led to an initial unexpected finding quite contrary to the researcher's expectation. However, the researcher's own 'educate and validate' method, described in chapter four, validated the truthfulness of this finding. Prior to applying 'educate and validate', users state that data and/or information are indeed money or currency; after the method is applied, the finding is exactly the opposite. This overturns the initial result and validates the researcher's observation of users' behavior: they are unaware of the present-day currency value of data and/or information.

The finding of the second primary question, regarding users' awareness of IS and IT policy issues, runs against the researcher's expectation that users are unaware of Information Security best practices, procedures, and policies. The researcher had been more focused on proposing training to help mitigate the problem of IS vulnerabilities. According to the survey, users are, for the most part, fully aware and informed of IT policy-based issues and best practices to avoid security threats and risks affecting the Users System.

The third section of the primary question, which focuses on users' training and risk assessment on threats by the employer/management, shows a slight contrast but a rather understandable picture. According to the data collected, continual training on IS threats and risks does not meet users' expectations. Users themselves also seem to lack personal initiative. Therefore, it is logical to say that the corporate entities and institutions under review are not following up on periodic threat and risk training of their users, nor are users self-motivated to take on a self-training role.

The report in Figure 37 clearly indicates that users are indeed the most vulnerable system. From the survey, this is validated by users themselves.

6.3 Irony of Survey

The findings of the survey clearly validate (see Presentation of Data in Chapter 5) that the Users system is aware of the currency value of data. They further amplify the Users system's knowledge of IS/IT policy issues but fall short on management's and users' ability to pursue risk assessments, continual training, and updates on mitigating threats. Ironically, while the Users system is fully cognizant of the threats and risks previously mentioned, it fails to follow the best practices proposed by IS/IT policies. The threats survey (Figure 36) shows that users are inclined not to use pirated applications on corporate computers and devices; on the other hand, the results show that users do not apply similar caution to personal computers and devices, but rather ignore the same threats posed to their personal devices. It is further ironic that these personal, potentially compromised devices are the same ones with which, according to Figure 35, users claim to move USB devices interchangeably between home and office computers.
6.4 Researcher’s Observations

a) Users’ (basic, senior managers, and security professionals) behavior within


corporate entities are very similar regarding IS noncompliance. Cognizant users
make equally bad decisions as uninformed users.

b) Users who have experienced data loss, identify theft, security bridge, email hack,
etc., will definitely repeat same mistake(s) that led to similar incident.

c) IS thrive better in systems where the users are capable of making timely and right
decisions when threats and risks are imminent. The weaker the users, so is the
system.

d) The more users are informed about threats, the less proactive they become over time
without monitoring and evaluation. Monitoring, evaluating, reporting, and rewarding
or reprimanding may prove helpful to IS, based on certain office culture. Often,
users tend to resist stringent IT environment regardless of the benefits to the entity’s
or personal data.

e) Why is the users system the most vulnerable? Humans are prone to making bad
decisions and choices in form of mistakes and errors.

Based on the above observations, periodic and continual training of the Users System is a better model to drive a gradual change in users' behavior and improve the competence level of users. Islam and Dong (2008), on the other hand, recommend a 'mandatory' approach to training and security awareness programs to improve users' proficiency levels. Carpenter (2017) encourages 'security culture management' if the desired impact is to be consistent across diverse cultures; and a countermeasure that is perceived negatively could pose another risk in terms of internal threats (Sheriff 2012). These are all methods of achieving a positive user awareness outcome, but the researcher finds the metrics for measuring Information Security Awareness proposed by Xiong (2011), derived from Mathisen (2004), useful for pre- and post-planning of training and awareness. The three metrics he derived out of the nine original metrics (see Appendix D) are:

1. Percentage of individuals tested on the security policy (passing and failing)
2. Percentage of employee recognizing critical information in business
3. Percentage of users recognizing a security event scenario (Xiong 2011)

From these metrics, continual awareness modules can be developed based on policy implementation. Implementation requires management's involvement from planning through implementation to evaluation in order to achieve an overall positive behavior change.
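As an added illustration (this is not the dissertation's own data or analysis code, which used Microsoft Word tables and Excel charts), the Python script below computes the three metrics listed above and a gender-by-age-band cross-tabulation of the kind shown in Table 11 from a set of constructed survey responses. The field names, the yes/somewhat/no coding of the policy question, the 1 to 5 Likert coding and every sample row are assumptions chosen for illustration; the numbers they produce are not survey results.

```python
"""Awareness metrics and demographic cross-tabulation over survey responses.

Added example, not the dissertation's data or analysis code. The field names,
answer coding and the sample rows are assumptions made for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample responses, one dict per respondent (not survey data).
# The three booleans map to the three awareness metrics; 'knows_policy' holds
# the interview answer (yes / somewhat / no); 'data_is_money' is a 1..5 Likert
# answer (1 = strongly disagree, 5 = strongly agree).
RESPONSES = [
    {"gender": "M", "age": 25, "policy_test_passed": False, "recognized_critical_info": True,
     "recognized_event": False, "knows_policy": "somewhat", "data_is_money": 4},
    {"gender": "F", "age": 24, "policy_test_passed": False, "recognized_critical_info": False,
     "recognized_event": False, "knows_policy": "no", "data_is_money": 3},
    {"gender": "M", "age": 34, "policy_test_passed": True, "recognized_critical_info": True,
     "recognized_event": True, "knows_policy": "yes", "data_is_money": 5},
    {"gender": "F", "age": 36, "policy_test_passed": True, "recognized_critical_info": True,
     "recognized_event": False, "knows_policy": "yes", "data_is_money": 4},
    {"gender": "M", "age": 45, "policy_test_passed": True, "recognized_critical_info": True,
     "recognized_event": True, "knows_policy": "yes", "data_is_money": 2},
    {"gender": "F", "age": 47, "policy_test_passed": True, "recognized_critical_info": False,
     "recognized_event": True, "knows_policy": "yes", "data_is_money": 3},
    {"gender": "M", "age": 52, "policy_test_passed": True, "recognized_critical_info": True,
     "recognized_event": True, "knows_policy": "yes", "data_is_money": 4},
    {"gender": "M", "age": 63, "policy_test_passed": False, "recognized_critical_info": True,
     "recognized_event": True, "knows_policy": "yes", "data_is_money": 1},
    {"gender": "F", "age": 29, "policy_test_passed": True, "recognized_critical_info": True,
     "recognized_event": False, "knows_policy": "yes", "data_is_money": 3},
    {"gender": "M", "age": 41, "policy_test_passed": True, "recognized_critical_info": True,
     "recognized_event": True, "knows_policy": "yes", "data_is_money": 5},
]

# Age bands as used in Table 10 and Table 11.
AGE_BANDS = [("18 and below", 0, 18), ("19-29", 19, 29), ("30-39", 30, 39),
             ("40-49", 40, 49), ("50-59", 50, 59), ("60 and +", 60, 200)]

LIKERT_LABELS = {1: "Strongly disagree", 2: "Disagree", 3: "Neutral",
                 4: "Agree", 5: "Strongly agree"}


def age_band(age):
    """Map an age in years to its band label."""
    for label, low, high in AGE_BANDS:
        if low <= age <= high:
            return label
    raise ValueError(f"age out of range: {age}")


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 for an empty denominator."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def awareness_metrics(rows):
    """The three metrics: share passing the policy test, share recognizing
    critical business information, share recognizing a security event scenario."""
    n = len(rows)
    return {
        "policy_test_pass_pct": pct(sum(r["policy_test_passed"] for r in rows), n),
        "critical_info_pct": pct(sum(r["recognized_critical_info"] for r in rows), n),
        "event_recognition_pct": pct(sum(r["recognized_event"] for r in rows), n),
    }


def likert_summary(rows, key):
    """Percentage of respondents at each Likert level plus a combined agree share."""
    counts = Counter(r[key] for r in rows)
    n = len(rows)
    summary = {LIKERT_LABELS[level]: pct(counts.get(level, 0), n) for level in range(1, 6)}
    summary["agree_pct"] = pct(counts.get(4, 0) + counts.get(5, 0), n)
    return summary


def cross_tab(rows, key):
    """Counts of each answer to `key` per (age band, gender) cell, as in Table 11."""
    table = defaultdict(Counter)
    for r in rows:
        table[(age_band(r["age"]), r["gender"])][r[key]] += 1
    return {cell: dict(counts) for cell, counts in table.items()}


def gap_bands(rows, key="knows_policy", full_answer="yes"):
    """Age bands containing at least one respondent without the full answer."""
    return sorted({age_band(r["age"]) for r in rows if r[key] != full_answer})


def render_cross_tab(table):
    """Plain-text rendering of a cross_tab() result, one line per cell."""
    lines = []
    for (band, gender), counts in sorted(table.items()):
        cells = ", ".join(f"{answer}={n}" for answer, n in sorted(counts.items()))
        lines.append(f"{band:<13}{gender:<3}{cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Awareness metrics:", awareness_metrics(RESPONSES))
    print("Data is currency (Q8):", likert_summary(RESPONSES, "data_is_money"))
    print(render_cross_tab(cross_tab(RESPONSES, "knows_policy")))
    print("Bands with a policy-knowledge gap:", gap_bands(RESPONSES))
```

Running the same functions before and after an awareness module, on the respondents' own answers, gives the pre- and post-training comparison the metrics are meant for; the cross-tabulation shows which age or gender cell still carries the gap.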

Carpenter (2017) in some ways disagrees with the harsh, authoritative tone as a way to
check users’ behavior. He sees it as practicable in some cultures and not a great working
model in others, and instead recommends a parent-child empathy model. This approach
deals with users from a support standpoint: the force of authority is not relied upon to
yield a result (which would in return meet resistance); instead, it fosters a cordial
relationship and presents the wellbeing of users (and users’ families) as the priority of the
institution (employer). It explains to users in a more persuasive way why the effects of
users’ negative actions matter to both the users and the entity. Because humans act on
feelings, timing, reasoning, and emotions, it is difficult to predict (over a long period of
time) exactly how a person would react to a given situation. Carpenter’s approach to the
human side of IS tries to understand the security culture, and then turns the same method
that intruders use against them, creating a diversion that invalidates intruders’ social
engineering successes.

To understand why users keep circling through unsafe and unproductive behavior trends
that cause threats and risks, Carpenter (citing BJ Fogg, n.d.) says that the best way to deal
with a continual unconscious behavior trend is first to single out and deal with two to three
behaviors at a time. He then breaks the circle of recurrent unconscious decisions by
applying a pattern interrupt. A pattern interrupt is a way to change a person's state or
strategy; we all have behavior patterns that are habit sequences or mental pathways
(NLP.com n.d.). Carpenter explains that once a person has been moved from unconscious
incompetence to conscious competence, regular follow-up and training must not be
relaxed, because the user is likely to slip back into atrophy. The goal now becomes to
move the user to a level of unconscious competence.

7. Conclusions

Without a doubt, the researcher was amazed to find out (as mentioned in Chapter 6) that
users are aware of the currency value of data even though these users did not treat data
as currency.

Therefore, the researcher finds it unnecessary to create a new users’ awareness
program based on the findings herein. Already existing awareness programs are effective
enough if tied to the proposition of this report, which is redefining data and
information.

However, the researcher finds truth in the statement of Revnivykh & Fedotov (2016) that
security is the last thing that users care about as long as it (the technology) works. The
Users System, which includes basic users as well as IT and security professionals, is
regularly found in the habit of violating security policies. IT and IS professionals are
most often found in acts of noncompliance. Just as (less technical) users are lured into
being prey to social engineering, IT and IS professionals are drawn to torrent software,
P2P movie downloads and streaming, gaming, and similar sources of unnoticed
vulnerabilities. The monitors of the monitored feel a sense of ‘piety’ when not monitored.
The risk factors are more about the human (Users System) than about technologies.
Deploying the most sophisticated and cutting-edge defensive technologies could go up in
smoke through a single act of:
• deficient security awareness
• inadequate consideration of security issues…
• ignoring security alerts
• lack of security analysis before choosing products
• ignoring users’ responsibilities
• improper system configuration
• lack of periodic monitoring and maintenance, or timely updates of security devices
• underestimating the severity of security threats
• low competency level of the security management team (Revnivykh & Fedotov 2016)

The core of every system is the people. The users are a vital part of any business process
because the system is built for, by, and about the people. Much focus needs to go
towards empowering the Users System in ways that would help mitigate prevailing risks
and threats to Information Security (Carpenter 2017). As the world has seen data and
information grow from a set of ones and zeros into more complex monetary assets or
currency, it is paramount that the awareness and training undertaken highlight and
emphasize the true value of data. It should clearly state that data is the ‘new global
currency’ with which the exchange of information, ideas, and competitive business
decisions are made. This will not only make users think or feel that data is money, but it
will also ignite a cognitive mindset that causes them to treat it like hard cash (Danes
2017). Therefore, much caution should be taken when dealing with data and information,
be it personal or business. The reason is simple: data theft, data loss, or identity theft is
just as bad as money stolen from a person’s bank account. Data should be redefined
throughout all computer awareness programs as money. This new definition will help
users clearly understand the value of data and make them act differently in how they
create, process, and store data.

7.1 Future Study

This research aimed to answer three themes of questions but intriguingly raised other
interesting concerns. One of those concerns worth mentioning for future investigation is
understanding the predictable and unpredictable behavior trends of the Users System
under specific change factors, in order to develop a fail-proof Users System environment.
It is sensible to understand the predictable and unpredictable response actions of the
Users System and to develop a reengineered procedure, using the same methods that
intruders use, as a training module that helps users understand their very own thought
process in real time. This will help to a great extent to reduce the risks and threats posed
to Information Security (Carpenter 2017).

References

Baxter, P. & Jack, S 2008, ‘Qualitative Case Study Methodology: Study Design and Implementation for Novice Researchers’, The Qualitative Report, vol. 13, no. 4, pp. 544-559, viewed 5 May 2017, <http://nsuworks.nova.edu/tqr/vol13/iss4/2>.
Berndtsson, M., Hansson, J., Olsson, B. & Lundell, B 2008, Thesis Projects: A Guide for Students in Computer Science and Information Systems, 2nd edn, Springer, London.
Better Business Bureau 2016, The human factor of cybersecurity, Better Business Bureau, viewed 13 July 2017, <http://newsok.com/article/5523925>.
Black Hat Attendee Survey 2015, ‘Time to Rethink Enterprise IT Security’, Blackhat.com, USA, viewed 2 May 2017, <https://www.blackhat.com/docs/us-15/2015-Black-Hat-Attendee-Survey.pdf>.
Bryman, A. & Bell, E 2007, Business Research Methods, 2nd edn, Oxford University Press.
Butavicius, M 2016, Humans, the weakest link in information security chain, DST Group, viewed 30 July 2017, <https://www.dst.defence.gov.au/news/2016/03/15/humans-weakest-link-information-security-chain>.
Carpenter, P 2017, Security Culture Management, podcast, viewed 4 September 2017, <https://cybersecurityinterviews.com/033-perry-carpenter-security-culture-management>.
Cerrudo, C 2017, Why Cybersecurity Should Be The Biggest Concern Of 2017, Forbes.com, viewed 7 April 2017, <https://www.forbes.com/sites/forbestechcouncil/2017/01/17/why-cybersecurity-should-be-the-biggest-concern-of-2017/2/#23155ca7274c>.
CISCO 2014, ‘Data Leakage Worldwide: Common Risks and Mistakes Employees Make’, viewed 27 April 2017, <http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.html>.
Cohen, L., Manion, L. & Morrison, K 2007, Research Methods in Education, 6th edn, Routledge.
Computer Atlas 2017, The basic components of a computer system, viewed 11 May 2017, <http://computer.atlas4e.com/Project_E1/chapter01/chapter1.htm>.
Computer Hope 2017, Data, viewed 26 April 2017, <https://www.computerhope.com/jargon/d/data.htm>.
Coughlin, R 2015, ‘The Residual And The Emergent: Reflections On Double Movements And Contemporary History’, NAAAS Conference Proceedings, C99.
Culp, S 2016, Cyber Risk: People Are Often The Weakest Link In The Security Chain, Forbes.com, viewed 20 June 2017, <https://www.forbes.com/sites/steveculp/2016/05/10/cyber-risk-people-are-often-the-weakest-link-in-the-security-chain/#7e6931852167>.
CyberEdge 2015, ‘Cyberthreat Defense Report North America & Europe’, CyberEdge Group, United States of America, viewed 29 April 2017, <https://www.netiq.com/docrep/documents/xvbozdzzxj/CyberEdge_2015_CDR_Report.pdf>.
Danes, R 2017, ‘Your data is worth a lot. It’s time to start treating it like money’, Silicon Angle Mag., viewed 29 June 2017, <https://siliconangle.com/blog/2017/01/29/data-worth-lot-time-start-treating-like-money>.
Data Backup 2015, Data loss – It’ll never happen to me, right?, Netsupport.com, viewed 29 April 2017, <https://www.netsupport.ie/blog/data-loss-itll-never-happen-to-me-right>.
Data, data everywhere 2010, Managing Information, The Economist, viewed 24 April 2017, <https://www.emc.com/collateral/analyst-reports/ar-the-economist-data-data-everywhere.pdf>.
Data Loss Statistics – Infographic 2017, StorageCraft Technology Corporation, viewed 26 April 2017, <https://www.storagecraft.com/blog/data-loss-statistics-infographic>.
Davis, M., Martinez, R. & Kalaboukis, C 2010, ‘Rethinking Personal Information – Workshop Pre-read’, Invention Arts and World Economic Forum, June 2010.
Doyle, M 2015, ‘What Is the Difference Between Data and Information?’, Sales POP Journal, viewed 28 April 2017, <https://salespop.pipelinersales.com/sales-management/difference-between-data-and-information>.
Eggers, D.W., Hamill, R. & Ali, A 2013, ‘Data as the new currency’, Deloitte Review, issue 13, viewed 2 April 2017, <https://dupress.deloitte.com/dup-us-en/deloitte-review/issue-13/data-as-the-new-currency.html>.
Gupta, H n.d., Information Security Manual, Amity Online University manual, InfoSec.
Holdgrafer, R 2015, ‘Humans: Still the weakest link in the enterprise data security posture’, Data On The Edge, viewed 25 April 2017, <http://blog.code42.com/insider-threat-still-biggest-enterprise-data-security-risk>.
IBM Security Research Report 2015, IBM Cyber Security Intelligence Index, viewed 5 May 2017, <https://essextec.com/wp-content/uploads/2015/09/IBM-2015-Cyber-Security-Intelligence-Index_FULL-REPORT.pdf>.
Islam, S. & Dong, W 2008, ‘Human Factors in Software Security Risk Management’, IS thesis, Technische Universität München, viewed 11 June 2017, <http://citeseerx.ist.psu.edu/viewdoc/citations;jsessionid=74BF605E9A7561444C295FE4755C1F88?doi=10.1.1.426.7558>.
Is Security Exam 1 Flashcards – Course Hero n.d., viewed 21 May 2017, <https://www.coursehero.com/flashcards/693134/IS-Security-Exam-1>.
Kandel, S. & Ndungu, M 2015, ‘Information Security Management in Organizations’, IT B.Sc. thesis, Central University of Applied Science, viewed 5 April 2017, <https://publications.theseus.fi/bitstream/handle/10024/96779/Thesis_maryanne_sushila.pdf?sequence=1>.
Kaplan, B. & Maxwell, J.A 2004, ‘Information Systems Research: Relevant Theory and Informed Practice’, Kluwer Academic Publishers, Manchester, UK.
Kaspersky Lab 2015, ‘Damage Control: The Cost of Security Breaches, IT Security Risks Special Report Series’, Kaspersky Lab, viewed 30 April 2017, <https://media.kaspersky.com/pdf/it-risks-survey-report-cost-of-security-breaches.pdf>.
Krazit, T 2016, Employees Are the Weakest Link in Computer Security, Fortune.com, viewed 20 June 2016, <http://fortune.com/2016/06/20/employees-computer-security>.
Kuneva, M 2009, ‘Personal data is the new oil of the Internet and the new currency of the digital world’, European Consumer Commissioner, Brussels, viewed 27 July 2017, <http://europa.eu/rapid/press-release_SPEECH-09-156_en.htm>.
Kumar, R 2011, Research Methodology: A step-by-step guide for beginners, 3rd edn, SAGE, New Delhi.
Kvale, S 2007, Doing Interviews, Sage, London.
Lacey, D 2009, Managing the Human Factor in Information Security: How to win over Staff and Influence Business Managers, John Wiley & Sons.
Laing, R.D 1967, The Politics of Experience and the Bird of Paradise, Penguin, Harmondsworth.
Leal, R 2016, How to integrate COSO, COBIT, and ISO 27001 frameworks, Advisera, viewed 27 April 2017, <https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks>.
Lincoln, Y.S. & Guba, E.G 1985, Naturalistic Inquiry, Sage Publications, Beverly Hills, California.
Lord, N 2017, What is Cyber Security?, Digital Guardian, viewed 29 April 2017, <https://digitalguardian.com/blog/what-cyber-security>.
Mathisen, J 2004, ‘Measuring Information Security Awareness. A survey showing the Norwegian way to do it’, M.Sc. thesis, Stockholm University, Sweden, viewed 27 August 2017, <https://brage.bibsys.no/xmlui/handle/11250/143904>.
Mazov, N.A., Revnivykh, A.V. & Fedotov, A.M 2015, ‘Analysis of information security risks’, Indian Journal of Science and Technology, vol. 8, no. 36, doi:10.17485/ijst/2015/v8i36/90549.
MBA 2015, ‘The Basic Components of an Information Security Program’, Mortgage Bankers Association, viewed 9 May 2017, <http://mba.informz.net/MBA/data/images/15466_MBA_Technology_White_Paper.pdf>.
McLuhan, E n.d., The source of the term, “Global Village”, McLuhan Studies, issue 2, viewed 3 April 2017, <http://projects.chass.utoronto.ca/mcluhan-studies/v1_iss2/1_2art2.htm>.
Merriam-Webster n.d., ‘security’, Merriam-Webster [Online], viewed 10 March 2017, <https://www.merriam-webster.com/dictionary/security>.
Merriam-Webster n.d., ‘vulnerable’, Merriam-Webster [Online], viewed 14 May 2017, <https://www.merriam-webster.com/dictionary/vulnerable>.
Metzger, M 2015, ‘Human error no.1 cause of data loss, say IT professionals’, SC Media, viewed 25 April 2017, <https://www.scmagazineuk.com/human-error-no1-cause-of-data-loss-say-it-professionals/article/534280>.
Mims, C. & Pollard, N 2016, How to Improve Cybersecurity?, PWC.com, viewed 16 August 2017, <http://usblogs.pwc.com/cybersecurity/what-to-do-about-increasing-insider-threats>.
MIT n.d., Protecting data, Massachusetts Institute of Technology, viewed 18 May 2017, <https://ist.mit.edu/security/protecting_data>.
Musayeva, A 2015, ‘Is data the new currency?’, TEDxAmsterdam, viewed 27 April 2017, <http://tedx.amsterdam/2015/07/is-data-a-new-currency>.
Neal, C 2014, ‘My Quotes’, Blogger.com, viewed 7 April 2017, <http://chrichtian.blogspot.com/2014/05/my-quotes.html>.
NLP.com n.d., ‘Pattern Interrupt to Change a Strategy’, viewed 24 September 2017, <http://nlp-mentor.com/pattern-interrupt>.
Norton n.d., ‘Emerging Threats’, viewed 1 May 2017, <https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html>.
Pettersson, G 2008, ‘Defining Information Security As a Policy’, B.Sc. IT thesis, University of Göteborg, Gothenburg, Sweden, viewed 12 April 2017, <https://gupea.ub.gu.se/bitstream/2077/10538/1/gupea_2077_10538_1.pdf>.
Ponemon Institute LLC 2015, State of the Endpoint Report: User-Centric Risk, viewed 8 July 2017, <https://www.ponemon.org/blog/2015-state-of-the-endpoint-report-user-centric-risk>.
Ponemon Institute LLC 2016, Cost of Data Breach Study: Global Analysis, viewed 30 April 2017, <http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN>.
Poulsen, K 2016, Security Is (And Always Will Be) Messy, viewed 30 July 2017, <https://medium.com/@marknca/security-is-and-always-will-be-messy-26c682113902>.
Press, P 2017, ‘6 Predictions for the $203 Billion Big Data Analytics Market’, Big Data, Forbes.com, viewed 26 April 2017, <https://www.forbes.com/sites/gilpress/2017/01/20/6-predictions-for-the-203-billion-big-data-analytics-market/#7fa15b762083>.
Primary Data Collection – Observations 2012, Advantages and Disadvantages of Conducting Observational Research, University of Portsmouth, viewed 23 July 2017, <http://compass.port.ac.uk/UoP/file/664e8001-f121-4e5d-aa06-6c95c797e8af/1/Observations_IMSLRN.zip/page_04.htm>.
Prochaska, F 2009, ‘Basic vs. Applied Research’, Lawrence Berkeley National Laboratory, viewed 1 May 2017, <http://www.sjsu.edu/people/fred.prochaska/courses/ScWk170/s0/Basic-vs.-Applied-Research.pdf>.
Reding, V 2013, ‘Data protection reform: restoring trust and building the digital single market’, 4th Annual European Data Protection Conference, Brussels, viewed 10 June 2017, <http://europa.eu/rapid/press-release_SPEECH-13-720_en.htm>.
Revnivykh, A.V. & Fedotov, A.M 2015, ‘Root Causes of Information Systems Vulnerabilities’, Indian Journal of Science and Technology, vol. 8, no. 36.
Revnivykh, A.V. & Fedotov, A.M 2016, ‘Main Reasons of Information Systems Vulnerability’, Global Journal of Pure and Applied Mathematics, vol. 12, no. 3, pp. 2133–2142, ISSN 0973-1768.
Risen, T 2014, ‘Study: Hackers Cost More Than $445 Billion Annually’, USNews.com, 9 June, viewed 25 April 2017, <https://www.usnews.com/news/articles/2014/06/09/study-hackers-cost-more-than-445-billion-annually?src=usn_fb>.
Robinson, N., Graus, H., Botterman, M. & Valeri, L 2009, Review of the European Data Protection Directive, RAND Europe, RAND Corporation, UK, viewed 23 April 2017, <http://www.rand.org/content/dam/rand/pubs/technical_reports/2009/RAND_TR710.pdf>.
Rohrer, C 2014, ‘When to Use Which User-Experience Research Methods’, Research Methods Strategy User Testing, viewed 14 June 2017, <https://www.nngroup.com/articles/which-ux-research-methods>.
Roll-Hansen, N 2009, ‘Why the distinction between basic (theoretical) and applied (practical) research is important in the politics of science’, Studies in East European Thought, viewed 2 May 2017, <https://pdfs.semanticscholar.org/62f0/dced123c24c7bc89b7d0d72bfcf885634a43.pdf>.
Sauro, J 2015, ‘5 Types of Qualitative Methods’, MeasuringU, viewed 5 May 2017, <https://measuringu.com/qual-methods>.
Schell, C 1992, ‘The Value of the Case Study as a Research Strategy’, MBA thesis, Manchester Business School, viewed 4 May 2017, <http://www.finance-mba.com/Case%20Method.pdf>.
Schneier, B 2000, Secrets and Lies: Digital Security in a Networked World, excerpt from Terebrate, 5 May 2014, viewed 26 July 2017, <http://terebrate.blogspot.com/2014/05/book-review-secrets-and-lies-digital.html>.
Sen, S. & Samanta, S 2014, ‘Information Security’, IJIRT, vol. 1, no. 11, ISSN 2349-6002, Dronacharya College of Engineering, Gurgaon, India.
Sheriff, E 2012, ‘Information Security Policy (The National Payment System in Libya)’, IMS M.Sc. thesis, University of Bedfordshire, Luton, England.
Sims, S. & Pollard, N 2014, What to do about increasing insider threats, PWC, viewed 1 May 2017, <http://usblogs.pwc.com/cybersecurity/what-to-do-about-increasing-insider-threats/>.
Šimundic, A.M 2013, ‘Bias in research’, Lessons in biostatistics, University Department of Chemistry, University Hospital Center “Sestre Milosrdnice”, Zagreb, Croatia, viewed 2 May 2017, <https://hrcak.srce.hr/file/142923>.
Singh, K.J 2010, ‘Features, Advantages and Disadvantages of Observation’, MBA Official, viewed 3 June 2016, <http://www.mbaofficial.com/mba-courses/research-methodology/features-advantages-and-disadvantages-of-observation>.
Sivaramakrishnan, K 2014, ‘We Shouldn't Have to Give Away Our Identity to Use the Internet’, Recode, viewed 7 October 2017, <https://www.recode.net/2014/11/24/11633228/we-shouldnt-have-to-give-away-our-identity-to-use-the-internet>.
Soltanmohammadi, S., Asadi, S. & Ithnin, N 2013, ‘Main human factors affecting information system security’, Interdisciplinary Journal of Contemporary Research in Business, vol. 5, no. 7, pp. 332-348, viewed 28 April 2017, <http://journal-archieves36.webs.com/329-354.pdf>.
Stevens, M 2016, CyberSecurity vs. Information Security, BitSight Security Ratings Blog, viewed 22 April 2017, <https://www.bitsighttech.com/blog/cybersecurity-vs-information-security>.
TechTarget n.d., ‘data privacy’, Rouse, M., SearchCIO, viewed 30 July 2017, <http://searchcio.techtarget.com/definition/data-privacy-information-privacy>.
The Economist 2002, ‘The weakest link’, Digital Security, viewed 28 April 2017, <http://www.economist.com/node/1389553>.
The Organization of Computer System 2015, My Agriculture Information Bank, viewed 19 April 2017, <http://agriinfo.in/default.aspx?page=topic&superid=8&topicid=1695>.
Thompson, N 2012, ‘How to get privacy right’, The New Yorker, viewed 3 April 2017, <http://www.newyorker.com/culture/culture-desk/how-to-get-privacy-right>.
Ventres, W.B. & Frankel, R.M 1996, ‘Ethnography: a stepwise approach for primary care researchers’, Family Medicine, viewed 4 May 2017, <https://www.researchgate.net/profile/William_Ventres/publication/14482638_Ethnography_A_stepwise_approach_for_primary_care_researchers/links/0a85e532e3ae673d36000000/Ethnography-A-stepwise-approach-for-primary-care-researchers.pdf>.
VinciWorks 2015, Data protection vs. information security vs. cybersecurity, Legal Futures Associates, viewed 26 April 2017, <http://www.legalfutures.co.uk/associate-news/data-protection-vs-information-security-vs-cyber-security>.
Whitman, M.E. & Mattord, H.J 2012, Principles of Information Security, 4th edn, Course Technology, Cengage Learning, United States, viewed 27 April 2017, <http://classbunk.in.net/infosecurity1pp.pdf>.
Wilson, N. & McLean, S 1994, Questionnaire Design: A Practical Introduction, University of Ulster Press, Newtown Abbey, Co. Antrim.
Wolff, J 2016, Calling Humans the “Weakest Link” in Computer Security Is Dangerous and Unhelpful, Future Tense, viewed 24 May 2016, <http://www.slate.com/blogs/future_tense/2016/01/22/calling_humans_the_weakest_link_in_computer_security_is_dangerous.html>.
Wright, A 2016, Humans in cyber security – the weakest link, IT Governance Blog, viewed 29 July 2017, <https://www.itgovernance.co.uk/blog/humans-in-cyber-security-the-weakest-link/>.
Wyse, S.E 2011, ‘What is the Difference between Qualitative Research and Quantitative Research?’, Snap Surveys, viewed 4 May 2017, <https://www.snapsurveys.com/blog/what-is-the-difference-between-qualitative-research-and-quantitative-research>.
Xiong, P 2011, ‘Building a Successful Information Security Awareness Programme for NLI’, M.Sc. IT thesis, Gjøvik University College, viewed 25 April 2017, <https://brage.bibsys.no/xmlui/bitstream/handle/11250/143974/Peng%20Xiong.pdf?sequence=1>.
Yau, N 2013, Data Points: Visualization That Means Something, John Wiley & Sons, Indianapolis.
Yin, R 1984, Case Study Research: Design and Methods, Applied Social Research Methods Series, vol. 5, 2nd edn, SAGE Publications, London.
Yin, R 2008, Case Study Research: Design and Methods, 4th edn, vol. 5, SAGE Publications, United States of America.
Zohrabi, M 2013, ‘Mixed Method Research: Instruments, Validity, Reliability and Reporting Findings’, Theory and Practice in Language Studies, vol. 3, no. 2, pp. 254-262, Academy Publisher, Finland, doi:10.4304/tpls.3.2.254-262.

Abbreviations

BYOD Bring Your Own Device
CD Compact Disc
CIA Confidentiality, Integrity, and Availability
COBIT Control Objectives for Information and Related Technologies
COSO The Committee of Sponsoring Organizations
DIKW Data, Information, Knowledge, Wisdom
DVD Digital Versatile Disc
EPROM Erasable Programmable Read-Only Memory
EU European Union
IBM International Business Machines Corporation
ICT Information and Communication Technology
IS Information Security
ISO International Organization for Standardization
IT Information Technology
ITIL Information Technology Infrastructure Library
MBA Mortgage Bankers Association
MIT Massachusetts Institute of Technology
NIST National Institute of Standards and Technology
NYU New York University
P2P Peer-to-Peer
PwC PricewaterhouseCoopers
RAM Random Access Memory
SAP Systems, Applications, and Products
SOHO Small Office Home Office
USB Universal Serial Bus
VPN Virtual Private Network
WiFi Wireless Fidelity

Appendices

Appendix A: Project Planning and Scheduling

Project timeline (Gantt Chart)

ID   Task / Procedure                                     Duration
     Project start                                        7 months
1    Phase 1: Introduction and Background                 3 weeks
2    Phase 2: Literature Review and analysis              6 weeks
3    Phase 3: Concept framework (ER Critique)             2 weeks
4    Phase 4: Methodology                                 3 weeks
5    Phase 5: Question and interview (final write-up)     1 week
6    Phase 6: Data collection and interview               10 weeks
7    Phase 7: Analysis of data                            3 weeks
8    Phase 8: Data presentation and analysis              1 week
9    Phase 9: Project Guide feedback                      4 weeks
10   Phase 10: Results and Discussion                     2 weeks
11   Phase 11: Conclusion, abstract, and achievement      4 weeks
12   Phase 12: Review, editing, and formatting            2 weeks
13   Phase 13: Plagiarism and grammar check               1 week
     Project Completion

Chart columns (months): Apr, May, Jun, Jul, Aug, Sep, Oct.

The duration shown by the Gantt Chart covers a 6-month period in which to complete
the project tasks. The chart depicts estimated time values; due to unavoidable
circumstances, the schedule fluctuated.

Appendix B: Questionnaire Form

[page 1]

[page 2]

Appendix C: Interview Form

Appendix D: Johnny Mathisen’s Metrics for Awareness

We have identified the following nine metrics that can be used to measure
awareness and behavior in different ways:

A-1. Percentage of employees having finished the necessary security training
A-2. Number of reported security incidents
A-3. Percentage of employees leaving their desk clean at the end of the day
A-4. Percentage of paper waste being shredded
A-5. Percentage of illegal traffic on the internal computer network
A-6. Percentage of weak user passwords
A-7. Number of hits to security web pages
A-8. Number of requests to security department
A-9. Customer satisfaction

The list is by no means meant to be complete, but hopefully the identified metrics
can serve as examples and inspiration for identifying and defining other similar
metrics.
