30 Public Management and Administration

managed [22–24], as is particularly evident in social engineering (SE) attacks [24]. The human element plays a significant role in the successful delivery of IS in today's organizations, and security behavior is greatly influenced by employees' personal perceptions of risk. However, these perceptions can be changed [25] through awareness-raising and IS trainings. Therefore, the tasks and duties of the management of an institution play an important role [20:18]. First of all, the topmost management level has overall responsibility for the correct functioning of the institution and for IS too. IS must be integrated into all the institutional processes—"and for that the management has the responsibility. The management level must actively initiate, manage and supervise the security process"—and, as an important point, sufficient resources must be made available [20:18]. Moreover, as studies confirm [26], the management has the function of a role model, must set achievable goals within the institution's IS, and should set up/initiate efficient communication and effective documentation. "One of the most difficult tasks is weighing up the costs of IS against the benefits and risks"—however, "experience shows that the most effective measures are not always the most expensive" [20:19].

The aim of this chapter is to summarize current science-based findings in the area of ISA and to merge them with the requirements of the IS standards to derive practical benefits for awareness-raising and trainings in public administrations. The structure of the chapter is as follows: Section 2 summarizes the current scientific findings concerning ISA (sub-Section 2.1), learning methods (sub-Section 2.2), and organizational culture (sub-Section 2.3). In Section 3, these ideas are transferred into the practice of public administrations. This means a focus on information security (awareness) trainings (ISAT) in general (sub-Section 3.1), as they relate to the IT-Grundschutz (sub-Section 3.2), and with regard to cultural aspects (sub-Section 3.3). Section 4 provides a summary and outlook. This is followed by the acknowledgments and references at the end.

**2. Current findings from scientific literature review and research**

#### **2.1. Information security awareness (ISA)**

A constant analysis of threats that companies face is essential to understanding how the strategies of attackers evolve and to building more reliable defenses. The summary of all the reports investigated reveals that cyberattacks target people, not technologies [13]. The question is "why?" One main finding, by Solms, is that Internet- and web-based systems have been introduced for millions of customers without adequate IS [27]. One direct result of this has been that criminals have shifted their attention to the end user under their new motto: "Do not try to hack into the company's IT systems; it may be very difficult—go for the naïve end user!" [27].

The idea of considering the user as the "weakest link" in IS can be found in the large volume of studies that try to explain employee adherence to or noncompliance with IS. Companies' information security efforts are often threatened by employee negligence and insider breaches [29]. The lack of ISA, ignorance, negligence, apathy, mischief, and resistance are at the root of user mistakes [30]. Herath and Rao found that employees in their sample underestimate the probability of security breaches [31]. Pattinson et al. (2016) found a strong ISA correlation for the measure relating to the three behaviors "Internet use," "mobile computing," and "email use," while the other four behaviors investigated were not significantly correlated ("password management," "social networking," "information handling," "incident reporting") [32]. Moreover, how "dangerous" an employee is for the company is also determined by age [18]. According to the study, 51- to 69-year-old people are particularly easy to fool—they are most likely to fall for phishing attacks and social engineering, but otherwise stick to the guidelines [18]. The middle group, on the other hand, is more arrogant: the group of 35- to 50-year-olds is most likely to ignore well-known rules [18]. However, in the study, the millennials age group (18–35) is—with 64%—the riskiest group: while they are less prone to fraud and arrogance, they use all sorts of technologies, such as unauthorized third-party apps and third-party mobile devices at work, and this results in a loss of control for the central IT [18]. However, it is important to bear in mind that if a single user action can compromise an entire security program, the problem is the security program itself [33].

According to the Federal Office for Information Security in Germany (BSI), the risk situation in the area of ISA is characterized by the following specific threats and vulnerabilities [10]:

• Insufficient knowledge of regulations

Just setting information security regulations does not guarantee that they will be respected. All employees must also be aware of the applicable regulations. Vulnerabilities due to insufficient knowledge of the regulations can compromise the confidentiality, availability, and integrity of information [10:2].

• Insufficient awareness of information security (ISA)

Experience shows that it is not enough just to implement certain security measures. Without an understanding of the reasons for the measures and their purpose, they are often ineffective or ignored. The security culture, the security goals, and the security strategy of the institution must be understood in the real world of work, otherwise this leads to a lack of acceptance of IS measures [10:2].

• Carelessness in handling information

It is frequently observed that despite a variety of organizational and technical security procedures, an institution's security requirements often go unheeded. When employees deal carelessly with information, established processes of information security become ineffective. Economic espionage can also take place [10:3].

But what is ISA actually? Our comprehensive review of leading academic journals shows that there is no uniform and binding definition of ISA [13]. Many theories in this field build on the background of the scientific literature. A number of articles in the international scientific literature are based on the KAB model—knowledge, attitude, and behavior—and show that user knowledge of, or education about, IS is a basis for reflecting on their own attitudes. The overall goal of scientific literature in this research field is to gain a better understanding of people's behavior and to develop it in the proper way [13]. Therefore, a large spectrum of theories has been consulted in this context to gain knowledge of actual security behavior and the factors that influence it. The theories that are most applied as a means to explain IS behavior are the Theory of Planned Behavior (TPB), the General Deterrence Theory (GDT), the Compliance Theory (CT), the Protection Motivation Theory (PMT), the Technology Acceptance Model (TAM), the Theory of Reasoned Action (TRA), the Social Bond Theory (SBT), and, as a final example, the Involvement Theory (InvT) (see also the tables in [34]). For example, Briggs et al. (2017) provide a historical overview of Protection Motivation Theory (PMT) and apply it to cybersecurity [35].


Information Security Awareness in Public Administrations

http://dx.doi.org/10.5772/intechopen.74572

33


Applying the Fogg Behavior Model (FBM) [36], we can identify a wide range of factors that can affect motivation and the ability to adopt secure behaviors. The FBM [37] asserts that for a person to perform a target behavior, he or she must (a) be sufficiently motivated, (b) have the ability to perform the behavior, and (c) be triggered to perform the behavior. Fogg further introduced the notion of *kairos*—the idea that the trigger needs to be present at an opportune moment to succeed. Fogg defines that moment as "any time motivation and ability put people above the behavior activation threshold" [37]. The investigations in [36]—based on the FBM and in-store interviews with 85 customers across 4 branches of a major UK retailer—showed that low motivation and ability among the customers questioned are, for example, combined with the attitude that because risky activities are avoided, no security is required. In contrast, high motivation and high ability among customers are not only coupled with technical affinity and the implementation of security advice but also with the desire to keep children safe and protect work files [36]. This suggests that those customers have a sense of responsibility and take social considerations into account.

One increasing threat is the human social engineering (SE) attack as a first step for further cyberattacks on institutions. SE has increasingly become a standard tool for criminals—the prospects of success are high and the awareness rate is low [38]. In SE, one is—to different degrees, depending on the perspective—perpetrator and victim at the same time: perpetrator, because one may have made a mistake and violated the security policy of one's own organization (e.g., as a result of disclosing confidential information to the attacker), and victim, because such a disclosure is always achieved as a result of deception or manipulation [38]. From the point of view of communication and psychology, a person directly affected by SE is, in any case, always a victim—the fact that someone, possibly because of "reckless" behavior, has "fallen for" an SE attack does not make him or her a culprit and, from the perspective of the social sciences, only to some extent an accomplice. Even security experts should not view "social weaknesses" as connivance but should treat the victims as victims and therefore see them as important witnesses who contribute to the investigation of white-collar crime. However, such an attitude is not found in many organizations, and, where this is lacking, companies rarely have full access to the valuable feedback they could receive [38].

All in all, there are gaps between human knowledge and human attitudes as well as between human attitudes and *real* human behavior. Psychological factors, subjective norms, and the sociocultural, gender, and age background in nonlinear and complex interactions have a major influence on human ISA and IS behavior [13]. A main problem for human beings seems to be the application of IS knowledge in *real-world* situations [39]. But this—the concrete application of IS knowledge and situation-appropriate behavior—is necessary in real time for each employee in an organization. Employees themselves must decide how to implement IS in their own specific work contexts, and this needs higher-level ISA skills and intention as a motivational factor.

#### **2.2. Learning methods for ISA**


Learning methods for ISA should clarify threats, vulnerabilities, attacks, and possible damage as well as the main values of IS and data protection. The three basic values of IS used by the BSI in the IT-Grundschutz as well as in the international standard family ISO/IEC 2700x are confidentiality, integrity, and availability. Confidentiality requires protection against the unauthorized access to and disclosure of information. Confidential information should only be accessible to authorized persons and those using the permitted access methods. A situation in which unauthorized persons have access to data is referred to as a loss of confidentiality [2:22]. Integrity refers, on the one hand, to ensuring the correctness (uncorruptedness) of data and, on the other, to the correct operation of systems. A violation of the integrity of information takes place when the data itself—as well as other specifications relating to this data (metadata)—are changed without permission or are incomplete. Falsified data can lead to poor decisions and incorrect evaluations and can have serious consequences [2:22]. Availability means that services, the functions of an IT system, IT applications, IT networks, or even information are available and can be utilized as intended by the users at any time [2:22].

Additional values include authentication, commitment, and reliability. Authentication refers to the function that guarantees that a person, an IT component, or an application is actually the person or object it is presenting itself to be. Authenticating information is a means of ensuring that it was generated by the specific source [2:22]. Commitment combines the value of authenticity with one additional value, non-repudiation. When transmitting information, this means that the sender has provided verification of its identity and that the recipient is unable to deny having received the message [2:22]. Organizational commitment can be defined as follows: "In organizational behavior and industrial and organizational psychology, organizational commitment is the individual's psychological attachment to the organization" [40]. The reliability (also called dependability) of IT components is determined by their quality in terms of correctness, robustness, and fail-proofness so that their typical functions can be executed with the necessary precision and during the normal period of use [2:22].

In many organizations, ISA and the training of corresponding competences (ISAT) are limited to knowledge-transfer measures. For example, trainings with appropriate presentations supported by flyers, posters, brochures, or web-based trainings (WBT) are often used as an awareness campaign, which the employees can or must complete at a particular place and at a time of their choosing. Notwithstanding the benefits of WBT, studies show that approaches that focus only on knowledge transfer do not generate any lasting safety/security awareness among employees [41–44]. We call these ways of raising ISA "1.0 Learning Theoretical Approaches" (see **Figure 1**) [45]. Based on these empirical findings and in addition to knowledge transfer, some awareness-raising activities include marketing elements, which capture the attention of the addressees and emotionalize them on the subject of IS—"2.0 Advertising Approaches," according to our classification (see **Figure 1**) [45]. However, psychologically based research [38, 39, 42, 46, 47] shows that in addition to the theoretical approach to knowledge transfer and the marketing-oriented approach of emotionalizing, a more comprehensive systemic approach with emotions and social participation in the team as well as personal communication and interaction in actionable scenarios is needed to create lasting sensitization to IS and promote security-related behaviors [41, 46, 48]. This is why the learning methodology for ISA should be based on "3.0 Systemic Approaches" (see **Figure 1**) [45], which were implemented at the Technical University of Applied Sciences (TUAS) Wildau [49–51]. Here, at a research university with a strong practical emphasis, a consistent combination of research and teaching not only serves to meet future challenges but is also crucial for starting a career. The education of students as future employees should therefore be based on the current state of science and on practical requirements in companies, administrations, and institutions. This includes building knowledge to engender a holistic understanding of technology and develop sensitivity to IS issues. This applies, above all, to less technology-related courses such as business and administrative studies because awareness of and competence in IS cannot be delegated only to IT professionals. Instead, every employee must contribute to IS and is responsible for it in his or her specific environment.

**Figure 1.** ISA needs learning 3.0, meaning a systemic approach that includes not only knowledge transfer and emotionalization but also interactivity with team-oriented exchange.

The project "Information Security Awareness for Job Beginners" (SecAware4job) at the TUAS Wildau, which was funded by the Horst Görtz Foundation in the period from September 1, 2015, to August 31, 2017 [50], set out to sensitize students as future employees (especially those doing nontechnical courses) to the day-to-day challenges involved in creating IS and protecting digital infrastructure. With SecAware4job, a job-oriented additional qualification for students has been created in the past 2 years in the form of an innovative training with certification to increase ISA and competencies in IS. Specifically, the additional qualification should

• develop the competencies in IS required for starting a career,

• encourage and support changes in consciousness and behavior,

• facilitate risk assessment and decision making, and

• provide traceable, certified qualifications for entry into the profession [50].

In order to convey the abstract and complex topic of IS with all its facets (legal framework, standards, protective measures, security concepts, etc.) to the students in an easily comprehensible and tangible way, a methodical approach to the additional qualification was chosen that includes as many creative and interactive teaching and learning methods as possible. Based on current research findings on the effectiveness of awareness-raising measures, analog and digital game-based learning (GBL) scenarios were developed and tested according to the GBL approach [49]. Ten stations in the "Security Arena," which had been procured via the former third-party project "IT-Security@SME" in the period 2013/14 and adapted with the project partner known_sense, are now focused on the new target group (students) and also translated into English (see **Figure 2**) [50]. In addition, five analog GBL scenarios have been redesigned and implemented, including a new board game "Keep your data private. Every day." (see **Figure 3**) and a social engineering role-playing game, which are two very comprehensive game developments in the research project SecAware4job [50]. To supplement and complete the analog learning scenarios, eight digital GBL scenarios were conceived and programmed: these can be retrieved via the SecAware4job website [52] and used free of charge [50].

The additional qualification that had been developed was tested in three rounds as a (compulsory) module "Sensitization for IS". The accompanying scientific research on the effectiveness of the additional qualification and the learning scenarios developed show that the students are very satisfied with the methodological approach. In terms of an authentic learning (AL) approach, adaptations of GBL scenarios to the specific target group and their real references are of great importance for learning success. Further teaching and learning methods have already been compiled in the former European project "Community of Integrated Blended Learning in Europe" (COMBLE) [53] as Methopedia [54]. Moreover, by discussing current public security incidents, the problem-based learning (PBL) method has been introduced into the classroom too. So, the challenge of the general learning approach for ISA is to combine AL with GBL and PBL in a smart way. In addition to the specification of content, cultural and linguistic aspects must be taken into account. In the project SecAware4job, English-language learning stations were designed and tested and will now be available in international degree courses like European Management. Moreover, in this winter semester (WS 2017/18), the master's degree course European Management (EMM17) developed new ideas for GBL scenarios relating to the European Union's new General Data Protection Regulation (GDPR) as pilot games. The student project teams presented three analog games and one digital App game in January 2018 (see **Figure 4**), which will be tested in the coming months with other target groups.

Overall, the application of materials and methods to ISA in many other events and with other target groups like employees and guests at the TUAS always leads to very positive feedback. The challenges in developing the IS learning scenarios lie in a good didactical structure as well as in simplifying complexity and limiting the content to the essentials. The strength

of the analog games is in the necessary systemic approach with emotionalization and the exchange of peoples' experiences. As part of the "Security Arena," most games are designed to be completed and discussed in less than 15 minutes. They can also be used very well as team circuit training, which can also be set up as a competition. The goal of the digital learning scenarios, which can be completed alone and irrespective of time and place, is to expand, deepen, and sustainably anchor individual knowledge. However, this alone would not help

**Figure 3.** Newly developed analog game-based learning scenarios (in German) relating to Internet services and data protection as a final result of the project "SecAware4job" [50]. The game can be purchased through our project and

Information Security Awareness in Public Administrations

http://dx.doi.org/10.5772/intechopen.74572

37

As the BSI points out in all standard documents, IS concerns all personnel without exception. By acting responsibly and with quality awareness, every individual can avoid causing damage and contribute to success. Increasing ISA and providing appropriate training for staff members and all management personnel are therefore fundamental prerequisites

to raise ISA. We need a smart combination (**Figure 5**).

cooperation partner, the Cologne-based company known\_sense.

**2.3. Information security awareness culture in an organization**

**Figure 2.** Adapted, analog game-based learning scenarios in the English-speaking "Security Arena" as final results of the project "SecAware4job" [50]. The games can be purchased through our project and cooperation partner, the Colognebased company known\_sense.

**Figure 3.** Newly developed analog game-based learning scenarios (in German) relating to Internet services and data protection as a final result of the project "SecAware4job" [50]. The game can be purchased through our project and cooperation partner, the Cologne-based company known\_sense.

of the analog games is in the necessary systemic approach with emotionalization and the exchange of peoples' experiences. As part of the "Security Arena," most games are designed to be completed and discussed in less than 15 minutes. They can also be used very well as team circuit training, which can also be set up as a competition. The goal of the digital learning scenarios, which can be completed alone and irrespective of time and place, is to expand, deepen, and sustainably anchor individual knowledge. However, this alone would not help to raise ISA. We need a smart combination (**Figure 5**).

#### **2.3. Information security awareness culture in an organization**

**Figure 2.** Adapted, analog game-based learning scenarios in the English-speaking "Security Arena" as final results of the project "SecAware4job" [50]. The games can be purchased through our project and cooperation partner, the Cologne-

based company known\_sense.

36 Public Management and Administration

As the BSI points out in all standard documents, IS concerns all personnel without exception. By acting responsibly and with quality awareness, every individual can avoid causing damage and contribute to success. Increasing ISA and providing appropriate training for staff members and all management personnel are therefore fundamental prerequisites

**Figure 4.** Newly developed ideas for game-based learning scenarios (A, B, C analog; D digital) focused on the General Data Protection Regulation (EU), generated by the student group EMM17 in WS 17/18.

approach does not work for modern enterprises where employees collaborate, share, and show initiative, they do not have an alternative approach to fostering secure behavior [56]. "Countermeasure awareness was shown to be a significant indicator of the perceived need for digital IS. This implies that increasing users' security awareness level through education and training may be an effective way to encourage the adoption of security tools that leads to safer technology use" [57]. It seems that attitudes toward compliance with IS organizational policies also have a significant effect on behavioral intention with regard to IS compliance, whereby the policies must be livable. Tsohou et al. argue that ISA processes are associated with interrelated changes that occur at the organizational, technological, and individual level [58]. As a result of this, an organization needs to roll out a series of ISA programs oriented

**Figure 5.** Integrative usage of analog and digital game-based learning (GBL), combined with problem-based learning (PBL) and authentic learning (AL) for sensitization and to mimic real situations in the workplace and private life as well as interactive learning methods with emotionalization through user experience, team exchange, and storytelling as a

Information Security Awareness in Public Administrations

http://dx.doi.org/10.5772/intechopen.74572

39

• creating an effective ISA program requires targeted communication and training that ca-

• for proper commitment to security, the optimal IS culture must be carefully defined in each

• the top management must be a role model and give advice—they should be seen as an

In light of the gaps between IS knowledge, attitudes, and real behavior and the fact that acting in real-life situations is very important for an appropriate security level in institutions,

toward perception, comprehension, and projection [23].

ters to specific employee groups;

means to raise information security awareness (ISA).

enabler supporting the organization's goals.

case; and

As summarized in [13], for organizations it is important to realize that

for IS. In order to be able to implement security measures as planned, personnel must have the necessary basic skills to do so [20:24]. Here, the top management has responsibility as a role model. The management must play a proactive role in shaping employee compliance with IS behavior [26]. Advice should be seen as an enabler that supports the organization's goals [25]. In addition to knowledge about how security mechanisms must be operated, this also involves an understanding of the spirit and purpose of security measures. The work atmosphere, common ideals, and the commitment of personnel are all factors that decisively influence IS. If new personnel are taken on or existing ones are given new tasks, they must be provided with thorough training so that they can adjust to the new situation. This must also involve teaching them about the security-related aspects of their job. If personnel leave the institution or their responsibilities change, this process must be accompanied by appropriate security safeguards (e.g., the withdrawal of authorization or the returning of keys and identity cards) [20:24].

Employees must be made aware of relevant hazards and know how they can affect their institution. The better the employees know the risk situation, the sooner the corresponding security measures will be accepted. Employees must have the necessary knowledge to be able to understand and apply measures correctly. For this, there must be an awareness of security and a safety culture can be set up and designed [10]. Although there are many sanctions available in dealing with disregard of the rules, employees will not be rewarded if they comply with the IS security policy [55]. While many organizations are aware that this "comply or die"

**Figure 5.** Integrative usage of analog and digital game-based learning (GBL), combined with problem-based learning (PBL) and authentic learning (AL) for sensitization and to mimic real situations in the workplace and private life as well as interactive learning methods with emotionalization through user experience, team exchange, and storytelling as a means to raise information security awareness (ISA).

approach does not work for modern enterprises where employees collaborate, share, and show initiative, they do not have an alternative approach to fostering secure behavior [56]. "Countermeasure awareness was shown to be a significant indicator of the perceived need for digital IS. This implies that increasing users' security awareness level through education and training may be an effective way to encourage the adoption of security tools that leads to safer technology use" [57]. It seems that attitudes toward compliance with IS organizational policies also have a significant effect on behavioral intention with regard to IS compliance, whereby the policies must be livable. Tsohou et al. argue that ISA processes are associated with interrelated changes that occur at the organizational, technological, and individual level [58]. As a result of this, an organization needs to roll out a series of ISA programs oriented toward perception, comprehension, and projection [23].

As summarized in [13], for organizations it is important to realize that

for IS. In order to be able to implement security measures as planned, personnel must have the necessary basic skills to do so [20:24]. Here, the top management has responsibility as a role model. The management must play a proactive role in shaping employee compliance with IS behavior [26]. Advice should be seen as an enabler that supports the organization's goals [25]. In addition to knowledge about how security mechanisms must be operated, this also involves an understanding of the spirit and purpose of security measures. The work atmosphere, common ideals, and the commitment of personnel are all factors that decisively influence IS. If new personnel are taken on or existing ones are given new tasks, they must be provided with thorough training so that they can adjust to the new situation. This must also involve teaching them about the security-related aspects of their job. If personnel leave the institution or their responsibilities change, this process must be accompanied by appropriate security safeguards (e.g., the withdrawal of authorization or the returning of keys and

**Figure 4.** Newly developed ideas for game-based learning scenarios (A, B, C analog; D digital) focused on the General

Data Protection Regulation (EU), generated by the student group EMM17 in WS 17/18.

Employees must be made aware of relevant hazards and know how they can affect their institution. The better the employees know the risk situation, the sooner the corresponding security measures will be accepted. Employees must have the necessary knowledge to be able to understand and apply measures correctly. For this, there must be an awareness of security and a safety culture can be set up and designed [10]. Although there are many sanctions available in dealing with disregard of the rules, employees will not be rewarded if they comply with the IS security policy [55]. While many organizations are aware that this "comply or die"

identity cards) [20:24].

38 Public Management and Administration


In light of the gaps between IS knowledge, attitudes, and real behavior and the fact that acting in real-life situations is very important for an appropriate security level in institutions, trainings for ISA should be a continuous IS factor. Moreover, the emotional level should be explicitly addressed, because social participation in a communicative team process is a key component in awareness-raising activities based on psychological theories [45, 51]. Learners must directly see/feel the consequences of their actions and should get a sense of their knowledge level in dialog. Therefore, sensitization for ISA and trainings of IS should use the smart combination of GBL plus PBL plus AL based on real-life situations.

submission and a two-hour exam on a personal computer (PC) program. A form with 120 questions must be filled out with a score higher than 75%—successful students are awarded a certificate valid for 5 years. A total of approximately 600 certificates have been awarded so far [62]. In addition, there are other certified training courses at federal level—e.g., for the data protection and emergency officer. Moreover, there are a wide range of e-learning courses for the employees of the federal authorities. Nevertheless, the development of procedures and models for measuring and assessing the level of IS in federal agencies remains a challenge. The literature review reveals a general lack of trainings, which is cited as a top reason why contingency and response plans are not effective [22]. In particular, it seems that over the past 15 years institutions have not put their main focus on developing ISA and ISAT-responsible information users [61]. In Germany, after the establishment of the federal project "Security wins!" in 2010, about 80,000 employees from 143 federal authorities were sensitized to IS in the workplace prior to 2017 [62]. The insight from this federal ISA campaign with interactive methods and GBL scenarios is, on the one hand, that raising awareness is an issue that needs to be revisited again and again. On the other hand, the central control system of the federal agencies has proven itself with framework agreements and decentralized implementations and adjustments. For the federal administrations, very valuable materials have been compiled as a so-called "toolbox": flyers and posters, moderation cards, and a CD about live hacking, which is very popular. Hacker's live shows in particular demonstrate how well emotionalization can lead to concern and attention. 
Moreover, they also show the importance of awareness in thinking about or pointing out the role of the aggressor—a possibility which should be incorporated into awareness-raising and trainings that include psychological aspects [38, 39, 42, 46, 47]. Nevertheless, this campaign is just a drop in the ocean when we consider the entire group of employees. It should be noted that it is the Länder and Kommunen that represent the main proportion of employees in Germany's public administration; the proportion constituted by the federal government is only about one-eighth of the total number of employees. Moreover, public administrations are also responsible to their citizens, and the question arises as to whether information campaigns

Information Security Awareness in Public Administrations

http://dx.doi.org/10.5772/intechopen.74572

41

on IS in public places should not also be part of urban and regional planning [34].

Although scientific research indicates a general need for (cyberthreat) education, trainings, and awareness [22, 63, 64], our review of the scientific literature [13, 65] shows that the design of the ISA trainings has not been the subject of significant research. Only a few studies from the literary field of knowledge, attitude, and behavior give (general) recommendations on the design of training measures (see [66, 67]). As mentioned above, it should be a user-centered approach and "awareness campaigns should be tailored to employees' needs" [25]. The BSI training describes in general how to set up and maintain an (effective) awareness-raising and training program for IS [10]. The aim of such programs is for employees to perceive safety-critical situations and mitigate their impact, while also providing the necessary knowledge and skills for safety-conscious behavior [10]. In particular, the module "ORP.3 Sensitization and Training" describes the procedural, technical, methodological, and organizational require-

**3.1. Information security (awareness) trainings (ISAT)**

ments for awareness-raising and IS training [10]:
