{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,16]],"date-time":"2026-04-16T10:18:56Z","timestamp":1776334736725,"version":"3.51.2"},"reference-count":14,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2017,6,12]],"date-time":"2017-06-12T00:00:00Z","timestamp":1497225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,6,12]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The aim of this study was first to confirm that a specific bank\u2019s employees were generally more information security-aware than employees in other Australian industries and second to identify the major factors that contributed to this bank\u2019s high levels of information security awareness (ISA).<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>A Web-based questionnaire (the Human Aspects of Information Security Questionnaire \u2013 HAIS-Q) was used in two separate studies to assess the ISA of individuals who used computers at their workplace. The first study assessed 198 employees at an Australian bank and the second study assessed 500 working Australians from various industries. Both studies used a Qualtrics-based questionnaire that was distributed via an email link.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results showed that the average level of ISA among bank employees was consistently 20 per cent higher than that among general workforce participants in all focus areas and overall. There were no significant differences between the ISA scores for those who received more frequent training compared to those who received less frequent training. This result suggests that the frequency of training is not a contributing factor to an employee\u2019s level of ISA.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>This current research did not investigate the information security (InfoSec) culture that prevailed within the bank in question because the objective of the research was to compare a bank\u2019s employees with general workforce employees rather than compare organisations. The Research did not include questions relating to the type of training participants had received at work.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This study provided the bank\u2019s InfoSec management with evidence that their multi-channelled InfoSec training regime was responsible for a substantially higher-than-average ISA for their employees. Future research of this nature should examine the effectiveness of various ISA programmes in light of individual differences and learning styles. This would form the basis of an adaptive control framework that would complement many of the current international standards, such as ISO\u2019s 27000 series, NIST\u2019s SP800 series and ISACA\u2019s COBIT5.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-03-2017-0017","type":"journal-article","created":{"date-parts":[[2017,4,27]],"date-time":"2017-04-27T07:54:51Z","timestamp":1493279691000},"page":"181-189","source":"Crossref","is-referenced-by-count":18,"title":["Managing information security awareness at an Australian bank: a comparative study"],"prefix":"10.1108","volume":"25","author":[{"given":"Malcolm","family":"Pattinson","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Marcus","family":"Butavicius","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kathryn","family":"Parsons","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Agata","family":"McCormac","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dragana","family":"Calic","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"issue":"3","key":"key2020120706142168700_ref001","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"1","key":"key2020120706142168700_ref002","doi-asserted-by":"crossref","first-page":"15","DOI":"10.4018\/IJMCMC.2016010102","article-title":"Awareness of mobile device security: a survey of user\u2019s attitudes","volume":"7","year":"2016","journal-title":"International Journal of Mobile Computing and Multimedia Communications (IJMCMC)"},{"issue":"4","key":"key2020120706142168700_ref003","doi-asserted-by":"crossref","first-page":"349","DOI":"10.1037\/h0047358","article-title":"A new scale of social desirability independent of psychopathology","volume":"24","year":"1960","journal-title":"Journal of Consulting Psychology"},{"issue":"2","key":"key2020120706142168700_ref004","doi-asserted-by":"crossref","first-page":"245","DOI":"10.1023\/A:1019637632584","article-title":"Understanding self-report bias in organizational behavior research","volume":"17","year":"2002","journal-title":"Journal of Business and Psychology"},{"issue":"4","key":"key2020120706142168700_ref005","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1016\/j.cose.2006.02.008","article-title":"A prototype for assessing information security awareness","volume":"25","year":"2006","journal-title":"Computers & Security"},{"key":"key2020120706142168700_ref007","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers & Security"},{"key":"key2020120706142168700_ref006","first-page":"366","article-title":"Phishing for the truth: A scenario-based experiment of users\u2019 behavioural response to emails","volume-title":"Proceedings of the 28th IFIP TC-11 International Information Security and Privacy Conference (SEC2013), Auckland, NZ","year":"2013"},{"key":"key2020120706142168700_ref008","article-title":"Risk communication, risk perception and information security","year":"2005"},{"key":"key2020120706142168700_ref009","first-page":"231","article-title":"Factors that influence information security behaviour: an Australian Web-based study","volume-title":"Human Aspects of Information Security, Privacy & Trust (HCI 2015)","year":"2015"},{"key":"key2020120706142168700_ref010","volume-title":"The Development and Evaluation of an Information Security Awareness Capability Model: Linking ISO\/IEC 27002 controls with Awareness Importance, Capability and Risk","year":"2015"},{"issue":"2","key":"key2020120706142168700_ref014","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1145\/503345.503348","article-title":"Five dimensions of information security awareness","volume":"31","year":"2001","journal-title":"Computers and Society"},{"key":"key2020120706142168700_ref011","first-page":"1388","article-title":"Behavioral information security: two end user survey studies of motivation and security practices","year":"2004"},{"key":"key2020120706142168700_ref012","unstructured":"Talib, S. (2014), \u201cPersonalising information security education\u201d, PhD thesis, available at: https:\/\/pearl.plymouth.ac.uk\/handle\/10026.1\/2896 (accessed 23 March 2017)."},{"issue":"2","key":"key2020120706142168700_ref013","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1080\/01449290500330299","article-title":"Information systems security and human behaviour","volume":"26","year":"2007","journal-title":"Behaviour & Information Technology"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2017-0017\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2017-0017\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:45Z","timestamp":1753406565000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/2\/181-189\/110991"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,6,12]]},"references-count":14,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2017,6,12]]}},"alternative-id":["10.1108\/ICS-03-2017-0017"],"URL":"https:\/\/doi.org\/10.1108\/ics-03-2017-0017","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,6,12]]}}}