Raising the information security awareness level in Saudi Arabian organizations through an effective, culturally aware information security framework
2018-01-16T15:27:00Z (GMT) by
The focus of the research is to improve the security of information systems in Saudi Arabian knowledge-intensive organisations by raising the awareness level among all types of information system users. This is achieved by developing a culturally aware information security framework that requires the involvement of all types of information system user. Saudi Arabia has a unique culture that affects the security of information systems and, hence, the development of this information security framework. The research uses Princess Nora bint Abdul Rahman University (PNU), the largest all female university in Saudi Arabia, as a case study. The level of information security awareness among employees at Saudi Arabia Universities was tested. Surveys and interviews were conducted to gather data related to the information security system and its uses. It was found that most employees in Saudi Arabian organisations and universities are not involved in the development of any information security policy and, therefore, they are not fully aware of the importance of the security of information. The purpose of this study is to develop a cultural aware information security framework that does involve all types of employees contributing to the development of information security policy. The framework, consists of nine steps that were adapted, modified and arranged differently from the international best practice standard ISO 27K framework to fit the unique culture in Saudi Arabia. An additional step has been added to the framework to define and gather knowledge about the organisations population to justify its fit into the segregated working environment of many Saudi Arabian institutions. Part of the research objective is to educate employees to use this information security framework in order to help them recognise and report threats and risks they may encounter during their work, and therefore improve the overall level of information security awareness. The developed information security framework is a collection of ISO 27k best practice steps, re-ordered, and with the addition of one new step to enable the framework to fit the situation in Saudi Arabian segregation working environments. A before-assessment methodology was applied before the application of the culturally aware information security policy framework between two universities, Imam University which has ISO27K accreditation and PNU, the case study, to measure and compare their users information security awareness level. Then, an after-assessment methodology is used to demonstrate the framework effectiveness by comparing the level of awareness before the application of the culturally aware information security policy framework with the level of the awareness knowledge gained after the application.