This study examined that gap between knowledge and behaviour, why employees wilfully omit, and the role of attitude in bridging that gap. The study was conducted as a web-administered survey using the Human Aspects of Information Security Questionnaire (HAIS-Q), to which 287 participants responded. The data was analysed using linear regression, Baron-Kenny mediation, and comparison of means. The primary results indicated that attitude is a stronger determinant for behaviour than knowledge. In the mediation analysis, results suggested that most of the influence between knowledge and behaviour is mediated through attitude. However, although knowledge was weakly correlated with behaviour, the gap effect was inverse and did thus not support the existence of a knowing-doing gap. Nevertheless, the results provide an incentive for information security professionals to focus on fostering attitudes rather than only building knowledge. Furthermore, reasons to why employees omit secure behaviour and scientifically supported recommendations for improving information security awareness are presented, which may benefit professionals in their work.
Research on the effectiveness of cyber security awareness in ICS Risk Assessment Frameworks
Assessing security awareness among users is essential for protecting industrial control systems (ICSs) from social...