Old Monarchy in the New Cyberspace: Empirical Examination of Information Security Awareness among Austrian and Hungarian Enterprises

can also be concluded that employees with higher digital literacy have a higher level of information security awareness in Austria compared to the Hungarian business sector.


Introduction
As our information society develops, in other words, as more and more individuals, companies and governments use information communication technologies (ICT) -computers, information systems, mobile phones, intelligent sensors, internet applications, etc. -the more we are exposed to the new challenges of cybercrime, cyberterrorism, cyber espionage and -as far as governments are concerned -even to cyber warfare.[8] [19] The concept Development, Associate Professor, E-mail: sasvari.peter@uni-nke.huDevelopment, Full Professor, E-mail: nemeslaki.andras@uni-nke.hu Professor, E-mail: wolf.rauch@uni-graz.at(14) 1 (2015) SASVÁRI Péter, NEMESLAKI András, WOLF Rauch: Old Monarchy in the New Cyberspace… tions' hacked for steeling commercial information, and hundreds of thousands individual bank accounts compromised.[11] Kovács and Krasznay in their visionary article describe how the so called critical infrastructure -energy, water, transportation, electronic media and commerce -could collapse in Hungary if she was exposed to a systematic cyberattack from hostile enemies.[12] The answer to these new ICT challenges are naturally new technologies, but regardless of the fact that many organizations have deployed hardware and software-based protection of organizations.As some research has found, risks and attacks are evolving to elude many current technology-based protections.
[3] According to the 2005 Computer Crime and Security Survey conducted jointly by the Computer Security Institute and the Federal Bureau of small and medium-sized enterprises, as central regulation of security which is systematically used by larger corporations is less typical of them.[13] Our intention has been to contribute to this stream of research basically by providing empirical evidence for the relevance of information security awareness (ISA) in corporations.
For increasing generalizability we have chosen companies of different sizes in Hungary and Austria, the research design has enabled us to compare ISA in two different yet similar econtheir history, culture and intertwining business relations.On the other hand, both the level economy and information society are different in the two neighboring countries which according to our hypothesis impacts ISA.
The structure of the paper is as follows.First, we introduce the concept of information security awareness and our instrument to measure it.Then we describe the key characteristics of the Austrian and Hungarian information society together with the descriptive data of our draw conclusions and suggest further extensions of our research model.

The Conceptual Model of Information Security Awareness
According to Muha, information security is related to the protection of data that are stored either in the form of drawing, writing or by communication, information technology and other electronic systems, or treated in any other way.[7] [16] Information security awareness (ISA), on the other hand goes beyond information security, it is part of the organizational culture, a way of thinking and behavior which ensures that the employees of the organizations are committed to acknowledge the legitimacy of security measures, they abide by them and they also make them known to others and enforce their application.[2] In order to measure the construct of ISA we use the work of Illéssy, Nemeslaki and Som who suggested dividing ISA into three main dimensions: [9] Organizational dimension where the organizational habits and procedures are measured.
Individual dimension where a general knowledge of the organization and working habits are measured and analyzed.
Infrastructural dimension, which includes opinions about the general security and concrete IT systems of the organization.
Figure 1.The construct of ISA.[9] In Figure 1.we depicted the general model of ISA which in that form can serve as a measurement instrument about employees' perception on different dimensions of security.
In organizational dimension the following items can be tested: the ways the management of the organization controls and regulates the department or the concrete person in charge for information security; Both external (eg.legislation, standards, policy impacts) and internal factors (eg.regulations, the direct instructions of management, human resources management) have effects on organizational awareness.[10] The individual dimension measures the IT knowledge, skills and abilities of the employees.Only those employees can make proper use of ICT who consciously apply information employee: recognizes the dangers threatening the operation of information systems; gives assistance to preventive measures; follows the proper procedure in case of an information security incident.Thirdly, infrastructure dimension covers partly communication (network) systems, departly those organizational tools and resources which provide basic or value-added (information security etc.) services.[18] In view of the above, the infrastructural dimension includes the employees in charge of operating the infrastructure who: information; take the necessary information security measures.Our model also suggests a normative approach to ISA; organizational, individual and infrastructural efforts should provide protection against sources of danger and to minimize risk causing breaches in information security.Sources of danger could be anything which results in a non-desired change in the function of one or more components of the information system.[17] In order to classify employees into ISA categories we have used the Security Awareness employees belonging to the are aware of the security principles as well as the dangers, they are well-educated, their everyday behavior meets workplace safety rules and guidelines; employees found in the second category participated in some kind of information security training, they are also aware of the dangers, but do not fully follow the relevant safety principles and rules; third category represents the group of average risk, those employees, who are aware of the dangers and know that they should keep some basic safety principles but they are in need of further education on the subject.They do not recognize IT incidents and do not know what to do in such cases; the employees included in the fourth category are neither aware of the dangers and safety principles, nor of the security regulations in their organization; are not aware of the dangers and do not comply with the security regulations, either.with employees' general ICT awareness which is described by their ICT literacy.For its general use in the literature, we used the concept of digital literacy which often overlaps with other similar notions (eg.information literacy, computer literacy), and can be applied as a suitliteracy, media literacy, communication literacy, visual literacy and technology literacy as part of digital literacy.
excellent if the users recognize information needs, they have long shown excellence in managing IT networks, they have reached a high level of hardware and software against them; good if the users almost always recognize their information needs, they use network communication devices, they are excellent at certain areas of hardware and software average if the users need some help to recognize their information needs, they use network communication devices with assistance, they suffer from some shortcomings in the area of hardware and software management, they make occasional mistakes in the area of information security; bad if the users do not recognize their information needs because of lack of training they are incapable of identifying network threats and dangers; very bad if the users have no idea about their information needs, they lack even basic knowledge on the use of network communication, and they lack any software and hardware skills.During our research design we included measurement for ISA and for digital literacy conand Hungarian sample.In the following section we describe this part of the design and the characteristics of our two datasets.

Comparing Austrian and Hungarian Companies in ISA: Methodology and Sample Characteristics
The analysis of the level of ISA in the Austrian and Hungarian business sector is at the centre of our research.Its primary purpose is to determine the conditions of information security awareness in both countries, in different size categories.We assume that the level of ISA in the business sector depends on: company size and; the economic and information society development level of the country.Our assumptions are based on the following research results: [21] the strategic importance of information security has already been recognized by Hungarian corporations and enterprises but in terms of actual measures, they are still behind countries with a higher level of IT development such as Austria; in comparison to the international trends, the issue of information security is given less attention by Hungarian corporations and enterprises.
business sector and of the size of enterprises in Hungary is determined by Act XXXIV of 2004 on The Small and Medium-Sized Enterprises dium-sized enterprises as well as corporations.
The basis of our primary research was SANS which had already been developed and Miskolc in Hungary, regardless of the demographic and employment data of the respondents.
November of 2014.The number of respondents employed in the Austrian business sector was 152 persons and 116 persons in Hungary.-124,000 in Austria per enterprise, which was nearly 7.5 times higher than the Hungarian data in 2012.The added value created by small-sized enterprises was eight times higher in Austria terprises.The added value generated by the Hungarian medium-sized enterprises was only country lagged behind their Austrian counterparts to the least extent.The added value per enterprise in Austria was three times higher in the case of small-and medium-sized enterprises and two times higher in the case of corporations compared to their peers in Hungary. [20] We also see large differences in the state of the information society according to the EGDI dex) and HCI (Human Capital Index).Leading

The Situation of ISA in Austria and Hungary
medium-sized enterprises) in our sample in Austria, the rate of organizations belonging to the by the corporations as well as the medium-sized enterprises in the Hungarian sample.The employees are aware of the possible dangers but they do not keep all the regulations, show Comparing ISA in the business sector in the two countries, it can be stated that Austria performs better in the size category of microenterprises and medium enterprises, while Hungary shows better results in the size categories of corporations and small-sized enterprises.
an IT security department.
microenterprises with low levels of capital and human resources.
In terms of the organizational dimension, only the Hungarian corporations produce good results, appearing in the top two risk categories.

Name
Austria Hungary It is important to examine in each department whether there is a regulation on the use of IT tools or if they apply general rules that also include the use of IT tools.A third of the Hungarian counterparts reported that they did not apply any regulations relating to information technology.On the other hand, half of the Austrian corporations and two-thirds of their their general regulations.Half of the medium-sized enterprises in Hungary also included their IT rules into their general regulations.In the size category of small-sized enterprises, on the use of IT devices.
of the training they received on information security, contrary to this, the same rate was only As for the Austrian business sector, worse rates were measured.Nearly a third of the respondents in the Austrian microenterprises, small and medium-sized enterprises reported that they corporations reported the same.
Another part of the organizational dimension is the examination of access to certain websites (14) 1 (2015) SASVÁRI Péter, NEMESLAKI András, WOLF Rauch: Old Monarchy in the New Cyberspace… enterprises had regulations on the accessibility of certain websites and they were kept by corporations in both countries.
A further part of the organizational dimension is the regulation of mail delivery systems.In this case it is also true that the rate of regulation increases together with the size of the organization -both in the number of employees and in terms of asset value.There are regula-and Hungary regulated the use of mail systems by their employees.Nearly half of the small and medium-sized enterprises both in Austria and Hungary did not regulate the use of mail systems.
The idea behind the emergence of cloud computing is that information procession is much cessible through a network.It is also a part of the organizational dimension is derived from the representation of the Internet network diagrams and is used to indicate services is regulated at their workplace.Corporations both in Austria and Hungary either did authorized to use such applications as Dropbox and Google Drive for storing institutional or business data.At half of the small-sized enterprises in Hungary and at a third of their peers in Austria, the use of cloud computing is forbidden.The lowest rate of use was measured in the When examining the individual dimension, basically the general IT knowledge of the respondents is measured.It largely depends on the practice the employees had earned in previous years as well.The respondents mentioned an average duration of 16 to 18 years in Austria and 15 to 17 years in Hungary with regard to the use of computers.In terms of using the Internet, however, the average duration mentioned by the employees was an average of 12 and 14 years in Austria and 10 to 13 years in Hungary.If the daily use of computers is examined, we can conclude that the employees working in every company size category spend between 6 and 8 hours a day in front of the computer on average in both countries.From this, it can be concluded that, regardless of the size of their company, the respondents in the in the case of the Austrian and Hungarian corporations and medium-sized enterprises, which principles.

Name
Austria Hungary from this, that the results were better in Austria in every size category from the perspective of data security.
As another interesting part of the individual dimension, it was also asked if the employees noticed when their workstations were hacked into.Hacking into a computer or computer system occurs when someone unlawfully enters or, by violating their scope of authorization, employees working in corporations in Hungary thought that they were able to notice when garian small-sized enterprises thought the same.In the case of the other examined Austrian Another important element in the framework of the individual dimension was the proportion of employees voluntarily granting their company passwords ees working in the Hungarian small-sized enterprises were the most reluctant to give their practice of granting company passwords voluntarily also occurred.ever asked for their company password or not.Surprisingly, such a case has already occurred at almost half of the Austrian small-sized enterprises.The same can be said about nearly a the case of the Austrian and Hungarian microenterprises, and the Hungarian medium-sized surveyed size categories.
Time and again, rumours start spreading about renowned portals being hacked into and unauthorized access to the passwords of hundreds of thousands or even millions of users coming to light.In reality, it represents a serious security risk if many people use the same (14) 1 (2015) SASVÁRI Péter, NEMESLAKI András, WOLF Rauch: Old Monarchy in the New Cyberspace… password everywhere.Within the context of the individual dimensions, we examined how them in Hungary stated that they used the same password at work and in their private life as the same password while there were just a few people at the Hungarian small-sized enterpris-If we look at the organizations where there are rules to change passwords and whether they actually change them, it can be stated that half of the Austrian microenterprises and small-sized enterprises as well as two-thirds of the Hungarian medium-sized enterprises did not have any rules or regulations to change passwords and they did not actually change them.
lations for changing passwords and their employees actually kept those rules sometimes even without having any regulation on the change of passwords.
The illegal installation and use of software (software piracy) for personal use also has to be examined within the concept of the individual dimension.sized enterprises in 2014.In Austria, these rates were lower, half of the microenterprises, a third of the small-sized enterprises and a tenth of the corporations reported that their employinfrastructural dimension, a Such a statement can be the one according to which the information stored in the employee's computer is of no value for hackers.More than a third of the employees working both in the business and private sector were convinced that their computers were not targeted by corporations thought that they were not a target of this type of attack.In Hungary, nearly half the corporations thought the same.
In Austria, corporations achieved the best ratings in the infrastructural dimension of ISA -- As part of the infrastructural dimension, the availability of installed, updated and licensed antivirus programs in the surveyed Austrian and Hungarian organizations said that they had antivirus software installed on their computer.
the employees found a virus on their computers.A computer virus is a program that hides its own copies in other executable proa computer virus during their work.A higher proportion was found in the case of the Austri--enterprises could not say if they had ever found such undesired programs on their computers.
Within the framework of the infrastructural dimension, the frequency of automatic updates -government organizations could not tell whether there was an automatic update function on their own computers at work.It can be concluded that a close relationship can be observed between the information security awareness and the digital literacy of employees.As for Hungary, each respondent havgood and excellent IT skills were mainly found in the second category in the largest number.
IT skills fell into the third risk category in terms of information security in Hungary.

Conclusions
In our study, we reviewed the conditions of information security awareness in the Austrian and Hungarian business sector as well as their positions relative to one another.
It is true about both countries that the level of information security awareness is lower in the case of enterprises belonging to smaller size categories, when compared to the larger certain websites and the use of mail delivery systems are regulated, and password changes regulations on IT are mostly missing, and they rarely participate in training in information technology.Access to certain websites and the use of mail delivery systems are also rarely regulated.Because of the lack of training, considerably fewer employees know about cloud computing in the enterprises employing less than 50 people in comparison to their counterparts working in bigger enterprises.It is also typical of the microenterprises that their employees are less likely to give their passwords whether they are forced to do so or not.When comparing the two countries by size categories, differences can hardly be found in terms of information security awareness.
As for the organizational dimension, the Hungarian enterprises performed better in all size categories.It can be traced back to a lower level of regulation and a more critical attitude towards training shown by the employees in Austria.A good level of information security SASVÁRI Péter, NEMESLAKI András, WOLF Rauch: Old Monarchy in the New Cyberspace… ( 14) 1 (2015) 77 awareness was observed among the Austrian medium-sized enterprises with less than 250 ters of the Hungarian microenterprises.
In terms of the individual dimension, the Austrian enterprises came up with better results -Hungarian enterprises have distressing gaps in their knowledge in this area.
As far as the infrastructural dimension is concerned, the Austrian small and medium-sized enterprises outperformed their Hungarian peers in every size category.Furthermore, it can also be concluded that employees with higher digital literacy have a higher level of information security awareness in a surveyed country, and the rate of employees with excellent digital literacy is also higher than it was measured in Hungary, resulting in a more favorable level of information security awareness compared to the Hungarian business sector.

(
14) 1 (2015) SASVÁRI Péter, NEMESLAKI András, WOLF Rauch: Old Monarchy in the New Cyberspace… Since we had no previous insights into the conditions of ISA in the business sectors either in Austria or in Hungary exploratory research was the suitable approach, and the analysis of For comparative analysis we have to note that added value of corporate ICT use is very difference between gross output (at basic prices) and intermediate consumption (at purchaser prices) and can be decomposed into the following components: Compensation of Employees; Gross Operating Surplus; Mixed Income; Other Taxes on Production less Subsidies on Production.[20]

( 14 )
1 (2015)SASVÁRI Péter, NEMESLAKI András, WOLF Rauch: Old Monarchy in the New Cyberspace… enterprises in Austria belong to this category.As for the Hungarian small-sized enterpris-nology.Moreover, there are some employees who are not aware of the dangers of microenterprises pose a serious threat in terms of security.The same can be said -

Figure 2 .
Figure 2. The connection between global risk categories and the digital literacy

Table 1 .
Average added value by size categories in Austria andHungary in 2012.[20] countries in the world according to most