From HAIS-Q to SAM: Modernising Security Awareness Measurement

  • Répás József
  • Berek László
  • Bak Gerda
  • Oláh Norbert
  • Ujhegyi Péter
doi: 10.32567/hm.2024.4.13

Abstract

Cybersecurity is one of the most critical challenges of our time, requiring continuous evolution and adaptation. As technology evolves exponentially, cyberattacks have become more sophisticated, increasing the threat to individuals and organisations. In this dynamically changing environment, security awareness is crucial, and its measurement is essential to developing effective protection strategies and identifying areas for improvement.

Several tools are available to measure security awareness, most notably the HAIS-Q (Human Aspects of Information Security Questionnaire) model. The present research proposes a new SAM (Security Awareness Model), which builds on the HAIS-Q model and significantly extends and modernises its approach to measuring security awareness. The SAM examines seven main dimensions: authentication, use of internet services, information management, use of devices, incident management, regulation and human awareness.

Keywords:

Security Awareness Model; cybersecurity; security of data; security awareness; quantitative measurement

How to Cite

Répás, J., Berek, L., Bak, G., Oláh, N., & Ujhegyi, P. (2025). From HAIS-Q to SAM: Modernising Security Awareness Measurement. Military Engineer, 19(4), 183–198. https://doi.org/10.32567/hm.2024.4.13
