**3. Transference to practice and public administrations**

The improvement of perception and comprehension vis-à-vis IS can advance a person's ability to project real-life situations if there is an overall exchange in the institution. Moreover, it seems that the constructs of organizational impact and attacker assessment have a stronger influence on the ISA than technical knowledge. Management and employees need to understand the pivotal role they play for the IS of an organization [13]. The learning process in organizations must be based on the user-centered approach, which pays attention to target groups, gender, and culture, based on individual knowledge and skills as well as on concrete workplace needs and contexts. The user-centered approach should also allow staff exchanges regarding IS along the business process chain. The integration of formal and informal mechanisms—initiated by the management—can enhance the important exchange and interaction between employees and could be a stabilizing factor in raising ISA in the institution. Frequent interaction is the basis for the formation of interpersonal relationships and psychological attachment to the organization. Since threat analysis, self-efficacy, and response effectiveness have a significant impact on the intention to comply with IS guidelines, such aspects of emotionalization and motivation should be incorporated into the sensitization to and training of ISA [13].

In Germany, with its federal structure, public administrations are very differently positioned in respect of IS. Large federal agencies are often at the forefront of many current topics, such as legislation (IT security law, e-government law, and the digital agenda) or application content like big data analysis or IS. For example, almost two-thirds of the administrations currently surveyed continue to see issues of data security and privacy as a key challenge in using big data analytics [59]. Only one-third believe that a company's own staff has the skills and knowledge to continually drive the administration through data analytics [59]. However, only 37% invest sufficiently in appropriate education and training [59].

If we take a closer look at IS, my experience as a BAköV qualification center [60] is that it is very difficult for small and medium-sized enterprises (SME) and small municipalities to build up a corresponding IS know-how and general training program in their organization. Instead, the training program for the "IT Security Officer in Public Administration" (ITSO) has been established in the federal administration for a decade and is increasingly being used by medium-sized and large state administrations during an annual three-week summer academy in Brühl (Germany). Since 2007, the modular training course for ITSO has been developed and offered by the BAköV in coordination with the BSI acting internally for the federal agencies. Besides knowledge transfer in 5–15 days, it includes an IS-relevant written project submission and a two-hour exam on a personal computer (PC) program. A form with 120 questions must be filled out with a score higher than 75%—successful students are awarded a certificate valid for 5 years. A total of approximately 600 certificates have been awarded so far [62]. In addition, there are other certified training courses at federal level—e.g., for the data protection and emergency officer. Moreover, there are a wide range of e-learning courses for the employees of the federal authorities. Nevertheless, the development of procedures and models for measuring and assessing the level of IS in federal agencies remains a challenge.

The literature review reveals a general lack of trainings, which is cited as a top reason why contingency and response plans are not effective [22]. In particular, it seems that over the past 15 years institutions have not put their main focus on developing ISA and ISAT-responsible information users [61]. In Germany, after the establishment of the federal project "Security wins!" in 2010, about 80,000 employees from 143 federal authorities were sensitized to IS in the workplace prior to 2017 [62]. The insight from this federal ISA campaign with interactive methods and GBL scenarios is, on the one hand, that raising awareness is an issue that needs to be revisited again and again. On the other hand, the central control system of the federal agencies has proven itself with framework agreements and decentralized implementations and adjustments. For the federal administrations, very valuable materials have been compiled as a so-called "toolbox": flyers and posters, moderation cards, and a CD about live hacking, which is very popular. Hacker's live shows in particular demonstrate how well emotionalization can lead to concern and attention. Moreover, they also show the importance of awareness in thinking about or pointing out the role of the aggressor—a possibility which should be incorporated into awareness-raising and trainings that include psychological aspects [38, 39, 42, 46, 47]. Nevertheless, this campaign is just a drop in the ocean when we consider the entire group of employees. It should be noted that it is the Länder and Kommunen that represent the main proportion of employees in Germany's public administration; the proportion constituted by the federal government is only about one-eighth of the total number of employees. Moreover, public administrations are also responsible to their citizens, and the question arises as to whether information campaigns on IS in public places should not also be part of urban and regional planning [34].

#### **3.1. Information security (awareness) trainings (ISAT)**

In the design of ISAT, emotionalization—as mentioned above—is extremely important for the motivation of employees. Emotionalization must address people's specific concerns, be it at work or at home—including aggressor thinking—to create PBL and AL scenarios for ISAT. Psychological studies [38, 39] show that people have to "understand"—through emotional engagement—that they are themselves affected. GBL is increasingly viewed as an effective method for teaching and learning in education. It is especially effective as a means to stimulate motivation and change behavior and should be explicitly used for ISAT. With the learning approach 3.0 (see Section 2.2), learners can directly see the consequences of their actions and get a sense of their knowledge level in dialog. The integrated AL/PBL scenario development and usage of interactive analog/digital GBL also support IS abilities, which we increasingly need in daily life and in the workplace—for example, communication, cooperation, social interaction, and creativity [49–51]. The emotional level should be explicitly addressed, because social participation in a communicative team process is a key component in this third stage of awareness-raising activities based on psychological theories [45]. Integrated analog and digital game-based ISAT with interactive elements lead to the further involvement of human actors.

Trainings for ISA should be a continuous IS factor. Moreover, the emotional level should be explicitly addressed, because social participation in a communicative team process is a key component in awareness-raising activities based on psychological theories [45, 51]. Learners must directly see/feel the consequences of their actions and should get a sense of their knowledge level in dialog. Therefore, sensitization for ISA and trainings of IS should use the smart combination of GBL plus PBL plus AL based on real-life situations.

40 Public Management and Administration

Although scientific research indicates a general need for (cyberthreat) education, trainings, and awareness [22, 63, 64], our review of the scientific literature [13, 65] shows that the design of the ISA trainings has not been the subject of significant research. Only a few studies from the literature on knowledge, attitude, and behavior give (general) recommendations on the design of training measures (see [66, 67]). As mentioned above, it should be a user-centered approach and "awareness campaigns should be tailored to employees' needs" [25]. The BSI training describes in general how to set up and maintain an (effective) awareness-raising and training program for IS [10]. The aim of such programs is for employees to perceive safety-critical situations and mitigate their impact, while also providing the necessary knowledge and skills for safety-conscious behavior [10]. In particular, the module "ORP.3 Sensitization and Training" describes the procedural, technical, methodological, and organizational requirements for awareness-raising and IS training [10]:

• *Few successful awareness-raising and training activities*

The activities carried out for ISAT are not always as successful as desired. The causes for this can be lack of management support, unclear goals, bad planning, lack of success control, lack of continuity, or too few financial and human resources. If no appropriate measures are taken to ensure the success of the activities carried out, the goal of the respective training activity can often not be achieved. If the institution has insufficient activities to raise awareness and train employees, IS can be at risk, which leads directly to restrictions on task performance [10:2].

• *Inadequate training of staff on security functionalities*

Employees often do not apply newly introduced security programs and features, because they do not know how to operate them, and because they are considered time-consuming in their day-to-day work. In addition, the lack of ISAT after the introduction of new software can lead to unintentional operating errors or incorrect configurations and to errors in the operation and delays in work processes. Therefore, the procurement and installation of (security) software is not enough. In critical IT systems and applications, misuse can threaten the very existence of the business [10:3].

• *Risk that security incidents will not be identified*

The daily operation of IT and ICT components can cause many failures and errors. There is a risk that security incidents will not be identified as such by staff and that cybersecurity attacks or attempted attacks go undetected. Security incidents and technical errors are sometimes not easy to distinguish. If users and administrators are not specifically trained and sensitized, vulnerabilities can go undetected and may be exploited. If security incidents are not detected in time or are completely missed, full countermeasures cannot be taken in time. Small security loopholes in the institution may be exacerbated and become critical threats to integrity, confidentiality, and availability. This can hinder business processes, cause financial damage, or lead to regulatory and legal sanctions [10:3].

• *Understanding and accepting safeguards*

Technical security safeguards often lead to less user-friendly IT. Users will only accept such safeguards when they understand why the restrictions—for example, for surfing, for sending and receiving e-mails, or for password usage—are necessary [2:204]. Employees are only able to actually follow the security policies that have been decided upon when they know how to handle the IT securely and confidently [10:3]. Insufficient acceptance of IS must be corrected.

Neither the BSI training description [10] nor the BAköV manual [2] describes specific learning and teaching methods in detail but only refers to the possible content of training courses and potential confounding factors. Tsohou et al. conclude from recent global security surveys that ISAT are not currently working [68], and the question is, why have mainstream ISA techniques failed for so long? The following aspects are likely to play a role:

• One aspect might be a "technocratic" view of risk communication, meaning the tendency for technical experts to tell people what they think and ought to know [69]. This is fundamentally flawed and has been strongly criticized by experts in safety risk communications as ineffective and inefficient [69]. However, providing simple advice directly to nonexperts is no trivial matter, and even experts can disagree about what is important [70]. Moreover, it might disregard the daily mix and overlap between work and home, and therefore ignore an insight from practice—as stated by Ian Kilpatrick, chairman of the Wick Hill Group—"If you don't change home security behavior, it is hugely more difficult to effect change in the office" [71].

• A second aspect might be in policies "ending up as long lists of dos and don'ts located on web pages most employees only access when they have to complete their mandatory annual 'security training' and which has little to no effect on their security behavior" [56]. Maybe there is also a "proxy agency effect" [36], where a person defers to experts to ensure that they themselves can still do the things they want to do [28]. Forget et al. [72] consider that users may "disengage" from security if they have already transferred the responsibility to somebody else. Moreover, employees may look for routines to prevent life from "tipping into chaos" and to give them "the confidence to go about their daily activities" [73].

• A third aspect relating to IS campaigns is that a training aimed at addressing security awareness gaps cannot be sufficient to ensure compliance with a security culture [74]. The necessary cultural change in institutions must go hand in hand with a mutual learning process between the top-down requirements of the management and the bottom-up activities of the employees—described as a "spiral of transformative interaction" [13, 34].

Information Security Awareness in Public Administrations

http://dx.doi.org/10.5772/intechopen.74572

43

#### **3.2. Content of ISAT and institutional programs**

The "IT-Grundschutz catalogs" published by the BSI [8] provide a summary of the elementary hazards that are important for ISA and ISAT. Institutions and employees should be aware of cyber espionage, which can cause considerable damage. In addition, the disclosure of information that is meant to be protected, identity theft, abuse of personal data, abuse of permissions, and social engineering in general are growing threats. If aggressors are able to infiltrate the institution, it is possible that equipment or data carriers may be destroyed or that unauthorized persons use or get administrator access to devices and systems. Lower levels of knowledge and awareness among employees could lead to the incorrect use or administration of devices and systems, data loss, and the loss of integrity of sensitive information. As stipulated in the EU's new GDPR, the violation of laws or regulations can result in huge damage claims. Moreover, without a good work atmosphere, employees may deny having made a mistake, and there is also the potential for insider threats to arise. All these elementary hazards must be addressed in any case in an ISAT oriented to the target group.

The following are specific requirements for ISAT set out by the BSI. The ITSO—nowadays also called Information Security Officer (ISB in German)—is responsible for meeting these requirements. Deviations should be mentioned separately in an institution's requirement guidelines. The ITSO/ISB of an institution should always be involved in all processes and also in strategic decisions. Besides that, the ITSO/ISB is responsible for ensuring that all requirements are met in accordance with the security policy that has been defined and then checked [10]. The BSI differentiates between basic requirements for ISAT, which must be met by institutions in any case, and standard requirements, which should be met in principle [10]. In addition, exemplary proposals are made for requirements that should be taken into account when there is increased need for an institution to be protected. Here, the concrete determination takes place within the framework of a separate risk analysis [10]. It should be clear which basic values are given priority by the requirement.

The basic requirements are as follows [10]:

• The institution's top management MUST actively support security campaigns and trainings for its employees. Therefore, before the start of ISAT and the IS program, the support of the management must be ensured. The management must be sufficiently sensitized to security issues. All supervisors must support IS by setting a good example. Managers must enforce security standards and alert their employees to compliance [10:4].

• There MUST be contact persons (ITSO/ISB) for security issues who can answer both seemingly simple and complex or technical questions. The contact persons MUST be known to all employees of the institution. This information must be easily accessible and available to everyone in the institution [10:4].

• All employees and external users who use the ICT and IoT components MUST be trained and sensitized, inasmuch as this is relevant for their work. To this end, the organization must have binding, understandable, current, and available guidelines specifying the use of the respective components. If ICT or IoT systems or services are used in a way that is in the interests of a competitor institution, this must be communicated [10:5].

Contrary to the findings from the research, the BSI sees the gearing of ISAT and the program to the respective target groups only as a SHOULD in the standard requirements [10]. An audience analysis should be carried out so that action is based on specific requirements. The program can then be created in response to different background needs. It should be regularly reviewed and updated. However, it should be noted that, according to the research findings, a target group and needs analysis should be mandatory to ensure the success of the action. Moreover, according to BSI [10:5], the training of all employees with regard to their responsibilities for information security issues is also only a SHOULD. Sensitization and training programs SHOULD be regularly checked to ensure that they are up-to-date and adjusted and further developed as necessary [10:5]. Security officers SHOULD be familiar with the IT-Grundschutz methodology and for that, an appropriate IT-Grundschutz training course should be planned on the basis of practical examples [10:5]. The learning success in the field of information security SHOULD be measured and evaluated according to the target group to determine to what extent the objectives described in the awareness-raising and training programs are reached. The measurements should include both quantitative and qualitative aspects and the results should be used to enhance sensitization and improve the appropriate training courses [10:5]. Further requirements may be necessary to increase the protection of any exposed institutions or organizational areas. Particularly exposed persons such as managers and security workers SHOULD undertake in-depth training with regard to possible hazards and appropriate behaviors and precautions [10:6].

Since 2007, the BAköV training course for the ITSO of federal agencies [2] has recommended that security officers initiate and establish the sensitization and training of employees in a modular manner. The course content is grouped into the following 13 training areas, which are in turn assigned to six defined target groups (see **Table 1**). Of course, not all target groups need all the training modules, so some can be used optionally or are not needed at all.

| BAköV training modules [2] | Target group/function (A B C D E F …); marks as extracted, column positions not preserved |
|---|---|
| 1. Basic concepts of information security (IS) | x x x x x x |
| 2. IS in the workspace | x x x x x x |
| 3. Laws and regulations | x x x x |
| 4. The organization's security concept | x x x x x |
| 5. Risk management | x x x |
| 6. (Information) security management | x o |
| 7. IT systems | x x |
| 8. Operational area | x x |
| 9. Technical implementation of security safeguards | x x |
| 10. Emergency management | x x x |
| 11. New developments in the IT sector | o x x x |
| 12. The business management side of IS | x x o |
| 13. Infrastructure security | x x o |

Recommendation of training modules and target groups from the BAköV [2:207] (x: the module is recommended, o: the module is optional). Six examples of defined target groups (A: supervisor, B: security management, C: data protection officer, D: infrastructure security officer, E: users, F: administrators). In order to clarify that this assignment is only meant to serve as an example and must be adapted concretely to the particular institution, undefined target groups are listed here as… .

**Table 1.** BAköV matrix.

Information Security Awareness in Public Administrations

http://dx.doi.org/10.5772/intechopen.74572

#### **3.3. Measurements of ISA and compliance for information security**

To support organizations in discovering the evaluation methods and metrics that meet their individual needs, an overview of current measures for assessing effectiveness was given in [65]. The advantages, disadvantages, and appropriate application of methods like monitoring security procedures, surveys, and security benchmarks are discussed [65]. While the number of firms that apply such measures is increasing, surveys of corporations show that it is unusual for these measures to be accompanied by specific in-depth evaluations of their effectiveness. The literature review reveals that only a few organizations use different metrics for deeper and continuous measurement of their awareness program [65]. However, ISAT should be ongoing as the organization changes and employees move into and across roles, with a focus on what is necessary for their jobs [75]. Therefore, ISAT should not overwhelm employees with information or take up excessive paid work time [76]. As a consequence, security officers should specifically adapt the above BAköV matrix (Section 3.2) to their institution, to their content, and to their target groups. Rather than relying on generalized computer-based packages, IS training should be geared to the specific work environment. IS officers should carefully analyze the concrete situation in the institution: for example, if factors such as noncompliance with security measures, poor acceptance, or social engineering are present, as described in the BSI training [10]. In addition, they should determine which IS core values are particularly at risk in which processes, at which locations, and at which times. Since these awareness-raising measures demand resources such as time, money, and the willingness of employees, every institution should have an interest in assessing their effectiveness [65].

The developed spiral of transformative interaction between an organization and its staff with regard to (IS) learning processes [13] shows the interaction between top-down specifications and individual bottom-up influences on the establishment of a modern, future-oriented organizational security culture. We seek to implement and test our conceptual project design on the transformative interaction between human-based and organizational (IS) learning processes and to promote in-depth ISA measurement in game-based learning environments. Situational and specific ISAT combined with IS awareness-raising measures and evaluation should be an indispensable part of today's organizations with livable IS and policies [34].

#### **4. Summary and outlook**

In a general way, ISA programs and ISATs may generate a false sense of security, as taking part in ISA programs reduces perceptions of vulnerability, while the intentions for compliant security behavior are not affected [77]. Information and IT security awareness-raising measures and the evaluation of these measures are an indispensable part of today's information and knowledge society [65]. This assumes that—according to the BSI concept [8, 10, 20, 78]—the relevant IS issues must be regularly trained in accordance with institutional requirements and the necessary sensitization created [10]. Moreover, it gives practical hints for the efficient design of ISAT as a planned, cyclical, and organizational approach. In addition, the BAköV training program [2] gives suggestions for target-group-oriented themes, particularly for the federal administration, which can be adjusted for the federal state and local public administrations.

A lack of understanding of security issues coupled with the pervasive use of computers often makes employees the "critical factor" in the IS equation. However, as Dark points out [79], knowledgeable human beings are better at preventing IS breaches that occur due to negligence or accident as well as those that stem from malicious activity and the anomalous behavior of systems. They can efficiently and effectively respond to incidents by reporting them promptly, quarantining problems, and diagnosing and treating these problems correctly [79]. We see an increase in social engineering (SE), which is an attack on, and manipulation of, people to get hold of sensitive information and protected data from the institution in preparation for attacks that will not be carried out at once but rather later—e.g., advanced persistent threats (APT). Attacks via SE are often multilevel. By the aggressor pretending to have insider knowledge and at the same time appealing to people's desire to help, he can expand his knowledge in a series of further steps [10:4]. If employees are not adequately sensitized to attacks of this kind, there is a risk that they can be manipulated through skillful communication so that they act inappropriately. This can lead to internal information being passed on via malicious software or even money transferred to alleged business partners. The subsequent worldwide damages can run into the billions [10:4]. Regulations can be more easily complied with, the more informed the employees are about the facts and the better they understand the reasons. ISA is necessary for successful digitization: this requires an organizational strategy, the guarantee of an appropriate IT security level, sufficiently qualified personnel, and a cultural change in the organization, with ongoing, target-group-oriented training for all employees.

However, there is no simple linear cause-and-effect relationship between institutional safeguards and knowledge, attitudes, and real behavior. Despite the increasing interest of researchers in the topic, awareness remains a critical issue in IS [36]. To protect the organizational assets, including user information and systems, the human side of security should also be managed [22, 24], and this plays a significant role in the successful delivery of IS in today's organizations [25]. Therefore, ISAT and programs must be developed as a user-centered approach. Moreover, a clear set of IS principles needs to be identified and communicated [56]. Learning in IS should be developed by integrating target-oriented, interactive analog/digital GBL scenarios and team-oriented methods as an ongoing process. Depth psychological studies [38, 47] show that emotionalization and motivation should be important factors in creating short-term scenarios in real-life situations using AL and PBL. Our own extensive experience with such learning materials and methods in projects and events suggests that ISA and the knowledge associated with it could be improved in almost all participants and behavioral changes triggered.

We know from our research, experience, and trainings that

• technical security alone is not enough;

• there is still a lack of sensitivity in the business processes of companies and administrations;

• security behavior is necessary for all employees, and not only in the workplace; and

• predefined regulations have to be lived, and this requires a cultural change in the organizations.

Moreover, the author can enrich the current report results of [80] with her own experience and findings for future activities in public administrations as well as in companies:

1. Strategically anchor digitization

Note: No digitization without IS; no IS without continuously increasing ISA and user-centered ISAT.

2. Create organizational units

Introduce ISMS for the institution. Create a position for the IS and introduce security officers.

3. Define responsibilities

Big institutions may consider whether a Chief Digital Officer makes sense nowadays. Undoubtedly, all institutions today need IS officers plus a data protection officer and an emergency officer—and they should think carefully about an awareness officer too.

4. Build up digital literacy

The knowledge assets of an institution and the value of IS are crucial factors in the success of the digital transformation. The use of digital technologies requires new skills from the employees and creates new job profiles. Such new job profiles should include awareness, particularly ISA.

5. Distinguish business processes and models

Businesses should clearly distinguish between the digital strategy for business processes and business models, because the transformation processes have different results in relation to the goal and require different approaches. Public administrations should think about new processes too, combined, however, with IS and ISA.

According to [81], the six major digital trends (mobility, big data, social media, cloud computing, artificial intelligence, and robotics) primarily affect six areas in companies (business models, products and services, customer segments, channels, business processes, and workplaces). The IS challenges will not diminish; attacks will become more diverse. Institutions must make efforts to educate all employees not only in the work environment but also as a means to safeguard their private lives and thus society. Game-based learning (GBL) is especially effective as a means to stimulate motivation and change behavior and should be explicitly used for raising awareness. ISATs should combine GBL plus PBL plus AL in line with real-life situations [51]. Because of complex nonlinear relations between knowledge of IS, attitudes, and the secure behavior of human beings in day-to-day organizational work and in their private lives, further scientific explorations of ISA and ISAT are needed in future. This further research work can be carried out very well at the TUAS Wildau in a research and teaching unit with practical relevance, since here studies for nontechnical public administration have been offered for years, and in winter semester 2018/19 the degree program in administrative computer science will be launched.

**Acknowledgements**

I would like to thank my interdisciplinary research and development team for their reliable and creative cooperation in the field of information security awareness. I thank Frauke Fuhrmann, Denis Edich, Ernst-Peter Ehrlich, Kai-Benjamin Leiner, Lars Robin Scholl, and Peter Koppatz for the successful completion of our "SecAware4job" project funded by the Horst Görtz Foundation (HGS). I would like to thank Dr. Horst Görtz and the HGS for financial support of the "SecAware4job" project and for publication of this book chapter. Moreover, I thank our project partner Dietmar Pokoyski and his company known\_sense in Cologne for their cooperation—he is also the sole distribution partner for all of our game-based learning scenarios.

**Author details**

Margit Scholl

Department Business, Computing, Law, Technical University of Applied Sciences (TUAS) Wildau, Wildau, Brandenburg, Germany

Address all correspondence to: margit.scholl@th-wildau.de

**References**

[1] Bundesministerium für Wirtschaft und Energie (BMWi)/Federal Ministry of Economics and Energy. International Dimension: EU – Digital Agenda. Bonn; 2014. Available from: http://www.bmwi.de/Redaktion/EN/Dossier/digitisation.html [Accessed: 2017-05-29]

[2] Bundesakademie für öffentliche Verwaltung im Bundesministerium des Innern (BAköV)/Federal Academy of Public Administration in the Federal Ministry of Interior. Manual of IT Security Officer in the Public Administration, version 3.0. Brühl; 2009

[3] Available from: https://www.verfassungsschutz.de/de/aktuelles/zur-sache/zs-2017-004-gastbeitrag-handelsblatt-20171127 [Accessed: 2017-12-28]

[4] Bundesamt für Sicherheit in der Informationstechnik (BSI)/Federal Office for Information Security. 14. Deutscher IT Sicherheitskongress. Knowing risks, accepting challenges, designing solutions. In: Conference Proceedings for the 14th German IT Security Conference, Preface. Bonn, Bad Godesberg; 2015. Available from: https://www.bsi.bund.de/DE/Service/Aktuell/Veranstaltungen/IT-Sicherheitskongress/14\_ITSicherheitskongress/14\_ITSiKongress.html [Accessed: 2018-01-20]

[5] Available from: https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/cyber-sicherheit\_node.html [Accessed: 2017-10-28]
