From HAIS-Q to SAM: modernising the measurement of security awareness

  • Répás József
  • Berek László
  • Bak Gerda
  • Oláh Norbert
  • Ujhegyi Péter
doi: 10.32567/hm.2024.4.13

Abstract

Cybersecurity is one of the most critical challenges of our time, demanding continuous development and adaptation. In parallel with the exponential advance of technology, cyberattacks are becoming ever more sophisticated, increasing the danger to individuals and organisations alike. In this dynamically changing environment, information security awareness is of key importance, and measuring it is essential for designing effective defensive strategies and for identifying the areas that need improvement.

Numerous instruments are available for measuring security awareness, among which the HAIS-Q (Human Aspects of Information Security Questionnaire) model stands out. In this study we present a new theoretical model, the SAM (Security Awareness Model), which builds on the HAIS-Q model but extends and modernises it in its approach to measuring security awareness. SAM examines seven main dimensions: authentication, use of internet services, information handling, device use, incident management, regulation and awareness.

The questionnaire built on the SAM model contains 120 questions and follows the KAB (Knowledge, Attitude, Behaviour) model. This comprehensive measurement instrument enables a detailed and multifaceted assessment of security awareness, thereby contributing to the design of more effective cybersecurity strategies.
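One way to turn responses to a dimension × KAB structured questionnaire such as SAM into per-area scores and a "weakest area first" indicator, as an added illustration that is not the paper's own scoring procedure: it assumes a 1–5 Likert scale, an item bank that tags each item with one SAM dimension and one KAB component, and reverse-keyed negatively worded items, none of which the abstract specifies; the item bank and responses below are constructed samples.

```python
"""Score a KAB-structured awareness questionnaire per SAM dimension (illustration)."""
from statistics import mean

DIMENSIONS = ("authentication", "internet_services", "information_handling",
              "device_use", "incident_management", "regulation", "awareness")
KAB = ("knowledge", "attitude", "behaviour")
LIKERT_MAX = 5  # assumed 1..5 scale; not stated in the abstract

# Constructed sample item bank: id -> (SAM dimension, KAB component, reverse-keyed?)
# A reverse-keyed item is one where agreement indicates *poor* awareness.
ITEMS = {
    "Q1": ("authentication", "knowledge", False),
    "Q2": ("authentication", "attitude", True),    # e.g. "Reusing a password is harmless"
    "Q3": ("authentication", "behaviour", False),
    "Q4": ("incident_management", "knowledge", False),
    "Q5": ("incident_management", "attitude", False),
    "Q6": ("incident_management", "behaviour", True),
}


def score_responses(responses: dict[str, int]) -> dict[str, dict[str, float]]:
    """Mean score per (dimension, KAB component), normalised to 0.0..1.0."""
    buckets: dict[tuple[str, str], list[float]] = {}
    for item_id, answer in responses.items():
        if item_id not in ITEMS:
            raise KeyError(f"unknown item {item_id}")
        if not 1 <= answer <= LIKERT_MAX:
            raise ValueError(f"{item_id}: answer {answer} outside 1..{LIKERT_MAX}")
        dim, comp, reverse = ITEMS[item_id]
        value = (LIKERT_MAX + 1 - answer) if reverse else answer  # flip reverse-keyed items
        buckets.setdefault((dim, comp), []).append((value - 1) / (LIKERT_MAX - 1))
    result: dict[str, dict[str, float]] = {}
    for (dim, comp), vals in buckets.items():
        result.setdefault(dim, {})[comp] = round(mean(vals), 3)
    return result


def weakest_dimension(scores: dict[str, dict[str, float]]) -> str:
    """Dimension with the lowest mean over its KAB components: the area to address first."""
    return min(scores, key=lambda d: mean(scores[d].values()))


def kab_gap(scores: dict[str, dict[str, float]], dim: str) -> float:
    """Knowledge minus behaviour: a large positive gap means people know the rule but do not act on it."""
    return round(scores[dim].get("knowledge", 0.0) - scores[dim].get("behaviour", 0.0), 3)


if __name__ == "__main__":
    sample = {"Q1": 5, "Q2": 1, "Q3": 1, "Q4": 4, "Q5": 4, "Q6": 2}  # constructed answers
    s = score_responses(sample)
    print(s, weakest_dimension(s), kab_gap(s, "authentication"))
```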

Keywords:

Security Awareness Model, cybersecurity, data security, security awareness, quantitative measurement

How to cite

Répás, J., Berek, L., Bak, G., Oláh, N., & Ujhegyi, P. (2025). HAIS-Q-tól a SAM-ig, a biztonságtudatosság mérésének modernizációja. Hadmérnök, 19(4), 183–198. https://doi.org/10.32567/hm.2024.4.13
