An Investigation into Information Security Culture within
Students at Edinburgh Napier University
1. Overview
The Importance?
• Technological security components, such as firewalls, only provide a fragment of the overall security system.
• A large percentage of security incidents are caused by insiders, negligent staff or students who demonstrate poor security behaviour.
Security Culture
• The shared collective values and beliefs towards information security within stakeholders.
• Can create a positive, security-conscious attitude amongst stakeholders through:
- Education & training
- Security policies & procedures
- Organisational management

2. Aims
• Investigate the security culture that is present in students at Edinburgh Napier University.
• Identify and adapt a framework that structures the research to produce an overall evaluation.
Key Questions
• What are students' attitudes towards information?
• Do students who possess more computer knowledge display an alternative behaviour towards information security, compared to students with less technical knowledge?
• How do these attitudes align with Napier IT Services expectations?

3. Design
Security Culture Framework
• Artefacts: Visible layer of security (technology, security handbooks, awareness courses)
• Espoused Values: Strategies & goals (security policies and procedures)
• Shared Tacit Assumptions: Beliefs and values (shared attitude within the organisation)
• Information Security Knowledge: Level of information security knowledge
Research Methods
Listed below are the approaches that were used to analyse the different levels of the Da Veiga and Eloff framework (adapted from Schein’s model of organisational culture):
• Artefacts: Observation and document analysis
• Espoused values: Interview with IT Services & document analysis
• Shared Assumptions: Group discussion with students
• Security knowledge: Group discussions and observation

4. Findings
“Majority have never seen the Napier security policies”
“Remember no security training or awareness schemes”
“Would share passwords to my friends”
“Willing to share university software and documents”
“Regularly leave my profile logged-in but unattended”
“Biggest risk is losing saved files”
“Never heard of security culture before or what it might mean”

4. Conclusion and Future Work
• Framework for evaluation adapted well in the university organisational structure.
• Overall culture is good, but certain aspects need improving:
• Students are comfortable leaving computers unattended and are only worried about losing unsaved work. Many privacy risks are possible through unattended student profiles.
• Students are happy to distribute academic papers, which could lead to university copyright issues.
• Security policies have proven to be invisible, as no students are aware of their presence. Security roadshows, currently being conducted, could be a step in the right direction.
• Computer students feel less at risk from low-level security risks compared to students without technical knowledge, but more vulnerable to high-level, specific threats.
Future Work
• Investigate the actual behaviour of students, not just their feelings, by recording computer logs and quantitative data.
• Investigate further afield in the university. Research students from different campuses and staff behaviour.

Andrew Kerr
40056581
Supervisor – Peter Cruickshank
2nd marker – Dr Colin Smith
