dc.description.abstract |
The purpose of the study was to establish the level of Information Security among End Users in
order to address the human issue and its impact on Information Security (IS) in organizations.
Human errors are likely to result in more security breaches than technical vulnerabilities
(Hinson, 2003). Notable human errors include deleting the wrong file by mistake, entering a wrong
value, and pulling out the wrong plug by mistake; configuration mistakes can leave network
ports open, the firewall vulnerable and the system completely unprotected (Hinson, 2003). Employee
errors impact negatively on security controls such as firewalls and data protection policies
adopted by the organization (Hadlington, 2018). Human issues are the major hindrance in
achieving security goals such as maintaining confidentiality, ensuring integrity, and assuring
availability of information in an organization (Cherdentseva and Hilton, 2013). It is also notable
that employees who work either inside or outside the organization can compromise the essential
characteristics of information such as Confidentiality, Integrity and Availability (CIA). Despite
intense technical and physical security controls adopted by the organization, the availability of
malicious and non-malicious employees in an organization hinders the effectiveness of the
countermeasures adopted to protect information (Greitzer and Hohimer, 2011). A non-malicious
employee is an employee who is not aware of the security controls adopted by the organization
and lacks the efficiency to protect data from threats, and instead creates security loopholes which can
be exploited by an attacker. A malicious employee has the motive to disrupt, steal information,
and bypass processes and procedures. However, non-technical security countermeasures such as
security awareness, training and organizational policy implementation can be used to mitigate
internal threats (Cherdentseva and Hilton, 2013). In order to understand the human issue in
information security, the research study adopted theoretical research models such as Protection
Motivation Theory (PMT), Technology Acceptance Model (TAM) and Theory of Planned
Behavior (TPB) (Shenbagaraman, 2016). The research population included Lecturers and
Administrative personnel in the organization. The independent variables included employee
behavior, attitude and knowledge, which were measured against dependent variables such as
password usage, email usage, knowledge on malicious protection and security controls in the
organization. Quantitative research methodology was adopted because data collected was
translated into figures for further analysis. A questionnaire of 33 questions was distributed to
32 participants to collect data. The survey found that some employees engage in risky
behavior such as sharing passwords and using the same password to log in to different systems or
applications. Some employees in the organization also lack knowledge of threats to information
security and are not security conscious about online cyber scams. |
en_US |