• DocumentCode
    3544169
  • Title

    The enemy within: A behavioural intention model and an information security awareness process

  • Author

    Gundu, Tapiwa ; Flowerday, Stephen V.

  • Author_Institution
    Dept. Inf. Syst., Univ. of Fort Hare, East London, South Africa
  • fYear
    2012
  • fDate
    15-17 Aug. 2012
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    Most employees in small and medium enterprise (SME) engineering firms now have access to their own personal workstations which have become part of their daily functions. This has led to an increased need for information security management to safeguard against loss/alteration or theft of the firm's important information. SMEs tend to be concerned with vulnerabilities from external threats, although industry research suggests that a substantial proportion of security incidents originate from insiders within the firm. Hence, physical preventative measures such as antivirus software and firewalls are proving to solve only part of the problem as the employees controlling them do not have adequate information security knowledge. This tends to expose the firm to costly mistakes that can be made by naïve/uninformed employees. This paper presents an information security awareness process that seeks to cultivate positive security behaviours using the behavioural intentions models i.e. the Theory of Reasoned Action and the Protection Motivation Theory. The process presented has been tested at an SME engineering firm, and findings are also presented and discussed in this paper.
  • Keywords
    authorisation; computer viruses; small-to-medium enterprises; SME; antivirus software; behavioural intention model; behavioural intentions models; firewalls; information security awareness process; information security management; personal workstations; protection motivation theory; security incidents; small and medium enterprise; Appraisal; Electronic learning; Guidelines; Information security; Training; Information Security Awareness; Security Behaviour;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Security for South Africa (ISSA), 2012
  • Conference_Location
    Johannesburg, Gauteng
  • Print_ISBN
    978-1-4673-2160-0
  • Type

    conf

  • DOI
    10.1109/ISSA.2012.6320437
  • Filename
    6320437