MedISA
Medical Centre Employee Centered Information Security Awareness
Catalogue
As part of the MedISA research, various instruments for measuring Information Security Awareness have been compiled in a catalogue, which can be used for further research and practical applications. The compiled instruments provide evidence of reliability and validity; however, the scientific quality criteria vary. For more information, please refer to the associated publications.
Name: The Human Aspects of Information Security Questionnaire (HAIS-Q)
DOI: https://doi.org/10.1016/j.cose.2017.01.004
Added: 2017
Added: 2017
Name: Simplified Information Security Awareness Scale (SISA)
DOI: https://doi.org/10.3233/SHTI210248
Added: 2021
Added: 2021
Name: Information Security Attitude Questionnaire for Nurses (ISA-Q)
DOI: https://doi.org/10.1002/nop2.1353
Added: 2022
Added: 2022
Name: Mobile Information Security Awareness Scale (MISAS)
DOI: https://doi.org/10.1108/OIR-04-2020-0129
Added: 2021
Added: 2021
Name: Security Behavior Intentions Scale (SeBIS)
DOI: https://doi.org/10.1145/2702123.2702249
Added: 2015
Added: 2015
Name: SABS ISO/IEC 17799 Scale with Focus on Hospitals (SIIS)
DOI: https://www.cabidigitallibrary.org/doi/full/10.5555/20163074395
Added: 2015
Added: 2015
Name: Cyber Security Awareness Scale Based on Recommendation of ENISA and the U.S. HHS (CSAS)
DOI: http://hdl.handle.net/10125/64215
Added: 2020
Added: 2020
Name: End-User Security Attitudes Scale (SA-6)
DOI: https://www.usenix.org/conference/soups2019/presentation/faklaris
Added: 2019
Added: 2019
Name: Security Awareness Scale for Health Care Information Systems (SAS-HIPAA)
DOI: https://doi.org/10.48009/1_iis_2011_224-236
Added: 2011
Added: 2011
Name: Hospital Staff’s Risky Cybersecurity Practices Scales (RCSPS)
DOI: https://doi.org/10.1145/3465481.3470094
Added: 2021
Added: 2021
The Human Aspects of Information Security Questionnaire (HAIS-Q)
You will now be asked to complete three sets of questions about using a computer for work. These sets of questions are about: (1) your knowledge of computer use guidelines, (2) your attitude towards these computer use guidelines, (3) your behaviour when using a computer for work. Knowledge: The following statements are about your knowledge of how you should use a computer for work. Attitude: The following statements are about your attitude. You’ve told us about your knowledge of computer use guidelines. Now please tell us what you think about these guidelines. Behaviour: The following statements are about your behaviour. You’ve told us what you know, and what you think about computer use guidelines. Now please tell us what you do when using a computer for work.
Response Specification: Five-point Likert scale from “Strongly Disagree” to “Strongly Agree”.
Knowledge
Attitude
Behavior
| Item |
|---|
| It´s acceptable to use my social media password on my work accounts. |
| I am allowed to share my work password with my colleagues. |
| A mixture of letters, numbers and symbols is necessary for work passwords. |
| Item |
|---|
| I am allowed to click on any links in emails from people I know. |
| I am not permitted to click on a link in an email from an unknown sender. |
| I am allowed to open email attachments from unknown senders. |
| Item |
|---|
| I am allowed to download any files onto my work computer if they help me to do my job. |
| While I am at work, I shouldn´t access certain websites. |
| I am allowed to enter any information an any website if it helps me do my job. |
| Item |
|---|
| I must periodically review the privacy setting on my social media accounts. |
| I can´t be fired for something I post on social media. |
| I can post what I want about work on social media. |
| Item |
|---|
| When working in a public place, I have to keep my laptop with me at all times. |
| I am allowed to send sensitive work files via a public Wi-Fi network. |
| When working on a sensitive document, I must ensure that strangers can´t see my laptop screen. |
| Item |
|---|
| Sensitive print-outs can be disposed of in the same way as non-sensitive ones. |
| If I find a USB stick in a public place, I shouldn´t plug it into my work computer. |
| I am allowed to leave print-outs containing sensitive information on my desk overnight. |
| Item |
|---|
| If I see someone acting suspiciously in my workplace, I should report it. |
| I must not ignore poor security behavior by my colleagues. |
| It´s optional to report security incidents. |
| Item |
|---|
| It´s safe to use the same password for social media and work accounts. |
| It´s a bad idea to share my work passwords, even if a colleague asks for it. |
| It´s safe to have a work password with just letters. |
| Item |
|---|
| It´s always safe to click on links in emails from people I know. |
| Nothing bad can happen if I click on a link in an email from an unknown sender. |
| It´s risky to open an email attachment from an unknown sender. |
| Item |
|---|
| It can be risky to download files on my work computer. |
| Just because I can access a website at work, doesn´t mean that it´s safe. |
| If it helps me to do my job, it doesn´t matter what information I put on a website. |
| Item |
|---|
| It´s a good idea to regularly review my social media privacy settings. |
| It doesn´t matter if I post things on social media that I wouldn´t normally say in public. |
| It´s risky to post certain information about my work on social media. |
| Item |
|---|
| When working in a café, it´s safe to leave my laptop unattended for a minute. |
| It´s risky to send sensitive work files using a public Wi-Fi network |
| It´s risky to access sensitive work files on a laptop if strangers can see my screen. |
| Item |
|---|
| Disposing of sensitive print-outs by putting them in the rubbish bin is safe. |
| If I find a USB stick in a public place, nothing bad can happen if I plug it into my work computer. |
| It´s risky to leave print-outs that contain sensitive information on my desk overnight. |
| Item |
|---|
| If I ignore someone acting suspiciously in my workplace, nothing bad can happen. |
| Nothing bad can happen if I ignore poor security behavior by a colleague. |
| It´s risky to ignore security incidents, even if I think they´re not significant. |
| Item |
|---|
| I use a different password for my social media and work accounts. |
| I share my work passwords with my colleagues. |
| I use a combination of letters, numbers and symbols in my work password. |
| Item |
|---|
| I don´t always click in links in emails just because they come from someone I know. |
| If an email from an unknown sender looks interesting, I click on a link within it. |
| I don´t open email attachments if the sender is unknown to me. |
| Item |
|---|
| I download any files onto my work computer that will help me get the job done. |
| When accessing the Internet at work, I visit any website that I want to. |
| I assess the safety of websites before entering information. |
| Item |
|---|
| I don´t regularly review my social media privacy settings. |
| I don´t post anything on social media before considering any negative consequences. |
| I post whatever I want about my work on social media. |
| Item |
|---|
| When working in a public place, I leave my laptop unattended. |
| I send sensitive work files using a public Wi-Fi network. |
| I check that strangers can´t see my laptop screen if I´m working on a sensitive document. |
| Item |
|---|
| When sensitive print-outs need to be disposed of, I ensure that they are shredded or destroyed. |
| I wouldn´t plug a USB stick found in a public place into my work computer. |
| I leave print-outs that contain sensitive information on my desk when I´m not there. |
| Item |
|---|
| If I saw someone acting suspiciously in my workplace, I would do something about it. |
| If I notice my colleague ignoring security rules, I wouldn´t take any action. |
| If I notice a security incident, I would report it. |