MedISA Logo

MedISA

Medical Centre Employee Centered Information Security Awareness

Catalogue

As part of the MedISA research, various instruments for measuring Information Security Awareness have been compiled in a catalogue, which can be used for further research and practical applications.

The compiled instruments provide evidence of reliability and validity; however, the scientific quality criteria vary. For more information, please refer to the associated publications.

Cataloguetitles.catalogue | MedISA

The Human Aspects of Information Security Questionnaire (HAIS-Q)

Authors: Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., Zwaans, T.
Publication Title: The Human Aspects of Information Security Questionnaire (HAIS-Q); Two further validation studies.
DOI: https://doi.org/10.1016/j.cose.2017.01.004
Date: 2017

Language of Items: English
Number of Items: 63
Reliability: Cronbach’s alpha (.75 - .82)
Validity: Convergent and construct validity

You will now be asked to complete three sets of questions about using a computer for work. These sets of questions are about: (1) your knowledge of computer use guidelines, (2) your attitude towards these computer use guidelines, (3) your behaviour when using a computer for work.

Knowledge: The following statements are about your knowledge of how you should use a computer for work.

Attitude: The following statements are about your attitude. You’ve told us about your knowledge of computer use guidelines. Now please tell us what you think about these guidelines.

Behaviour: The following statements are about your behaviour. You’ve told us what you know, and what you think about computer use guidelines. Now please tell us what you do when using a computer for work.


Response Specification: Five-point Likert scale from “Strongly Disagree” to “Strongly Agree”.

Knowledge
Item
It´s acceptable to use my social media password on my work accounts.
I am allowed to share my work password with my colleagues.
A mixture of letters, numbers and symbols is necessary for work passwords.
Item
I am allowed to click on any links in emails from people I know.
I am not permitted to click on a link in an email from an unknown sender.
I am allowed to open email attachments from unknown senders.
Item
I am allowed to download any files onto my work computer if they help me to do my job.
While I am at work, I shouldn´t access certain websites.
I am allowed to enter any information an any website if it helps me do my job.
Item
I must periodically review the privacy setting on my social media accounts.
I can´t be fired for something I post on social media.
I can post what I want about work on social media.
Item
When working in a public place, I have to keep my laptop with me at all times.
I am allowed to send sensitive work files via a public Wi-Fi network.
When working on a sensitive document, I must ensure that strangers can´t see my laptop screen.
Item
Sensitive print-outs can be disposed of in the same way as non-sensitive ones.
If I find a USB stick in a public place, I shouldn´t plug it into my work computer.
I am allowed to leave print-outs containing sensitive information on my desk overnight.
Item
If I see someone acting suspiciously in my workplace, I should report it.
I must not ignore poor security behavior by my colleagues.
It´s optional to report security incidents.

Attitude
Item
It´s safe to use the same password for social media and work accounts.
It´s a bad idea to share my work passwords, even if a colleague asks for it.
It´s safe to have a work password with just letters.
Item
It´s always safe to click on links in emails from people I know.
Nothing bad can happen if I click on a link in an email from an unknown sender.
It´s risky to open an email attachment from an unknown sender.
Item
It can be risky to download files on my work computer.
Just because I can access a website at work, doesn´t mean that it´s safe.
If it helps me to do my job, it doesn´t matter what information I put on a website.
Item
It´s a good idea to regularly review my social media privacy settings.
It doesn´t matter if I post things on social media that I wouldn´t normally say in public.
It´s risky to post certain information about my work on social media.
Item
When working in a café, it´s safe to leave my laptop unattended for a minute.
It´s risky to send sensitive work files using a public Wi-Fi network
It´s risky to access sensitive work files on a laptop if strangers can see my screen.
Item
Disposing of sensitive print-outs by putting them in the rubbish bin is safe.
If I find a USB stick in a public place, nothing bad can happen if I plug it into my work computer.
It´s risky to leave print-outs that contain sensitive information on my desk overnight.
Item
If I ignore someone acting suspiciously in my workplace, nothing bad can happen.
Nothing bad can happen if I ignore poor security behavior by a colleague.
It´s risky to ignore security incidents, even if I think they´re not significant.

Behavior
Item
I use a different password for my social media and work accounts.
I share my work passwords with my colleagues.
I use a combination of letters, numbers and symbols in my work password.
Item
I don´t always click in links in emails just because they come from someone I know.
If an email from an unknown sender looks interesting, I click on a link within it.
I don´t open email attachments if the sender is unknown to me.
Item
I download any files onto my work computer that will help me get the job done.
When accessing the Internet at work, I visit any website that I want to.
I assess the safety of websites before entering information.
Item
I don´t regularly review my social media privacy settings.
I don´t post anything on social media before considering any negative consequences.
I post whatever I want about my work on social media.
Item
When working in a public place, I leave my laptop unattended.
I send sensitive work files using a public Wi-Fi network.
I check that strangers can´t see my laptop screen if I´m working on a sensitive document.
Item
When sensitive print-outs need to be disposed of, I ensure that they are shredded or destroyed.
I wouldn´t plug a USB stick found in a public place into my work computer.
I leave print-outs that contain sensitive information on my desk when I´m not there.
Item
If I saw someone acting suspiciously in my workplace, I would do something about it.
If I notice my colleague ignoring security rules, I wouldn´t take any action.
If I notice a security incident, I would report it.