MedISA
Medical Centre Employee Centered Information Security Awareness
Catalogue
As part of the MedISA research, various instruments for measuring Information Security Awareness have been compiled in a catalogue, which can be used for further research and practical applications. The compiled instruments provide evidence of reliability and validity; however, the scientific quality criteria vary. For more information, please refer to the associated publications.
Name: The Human Aspects of Information Security Questionnaire (HAIS-Q)
DOI: https://doi.org/10.1016/j.cose.2017.01.004
Added: 2017
Added: 2017
Name: Simplified Information Security Awareness Scale (SISA)
DOI: https://doi.org/10.3233/SHTI210248
Added: 2021
Added: 2021
Name: Information Security Attitude Questionnaire for Nurses (ISA-Q)
DOI: https://doi.org/10.1002/nop2.1353
Added: 2022
Added: 2022
Name: Mobile Information Security Awareness Scale (MISAS)
DOI: https://doi.org/10.1108/OIR-04-2020-0129
Added: 2021
Added: 2021
Name: Security Behavior Intentions Scale (SeBIS)
DOI: https://doi.org/10.1145/2702123.2702249
Added: 2015
Added: 2015
Name: SABS ISO/IEC 17799 Scale with Focus on Hospitals (SIIS)
DOI: https://www.cabidigitallibrary.org/doi/full/10.5555/20163074395
Added: 2015
Added: 2015
Name: Cyber Security Awareness Scale Based on Recommendation of ENISA and the U.S. HHS (CSAS)
DOI: http://hdl.handle.net/10125/64215
Added: 2020
Added: 2020
Name: End-User Security Attitudes Scale (SA-6)
DOI: https://www.usenix.org/conference/soups2019/presentation/faklaris
Added: 2019
Added: 2019
Name: Security Awareness Scale for Health Care Information Systems (SAS-HIPAA)
DOI: https://doi.org/10.48009/1_iis_2011_224-236
Added: 2011
Added: 2011
Name: Hospital Staff’s Risky Cybersecurity Practices Scales (RCSPS)
DOI: https://doi.org/10.1145/3465481.3470094
Added: 2021
Added: 2021
Security Awareness Scale for Health Care Information Systems (SAS-HIPAA)
Response Specification: Five-point Likert scale (1 = Strongly agree, 2 = Agree, 3 = Tend to agree, 4 = Disagree, 5 = Strongly disagree). Note: The statistical composition of items depends on the research question. See publication for more details.
| Item |
|---|
| In my organization, there is a predefined agreed upon plan for security and privacy compliance efforts. |
| There is a prevalent security culture where individuals look out for each other in my organization. |
| Creating security awareness is an ongoing process in my organization. |
| There is visible leadership about seriousness of security assurance efforts in my organization. |
| In my organization, there are adequate internal controls (policies, procedures, training, encryption, access restrictions) to provide security and privacy of health records. |
| Auditing is viewed as a necessary complimentary action to improve the security initiatives in my organization. |
| Security policies and procedures are easily accessible and comprehendible in my organization. |
| In my organization, there is an emphasis on establishing open communication channels about security issues without the fear of reprisal. |
| We emphasize having informal meetings and discussions about importance of managing security and privacy of the records in my organization. |
| In my organization, security controls (encryption, access control, password policy, segregation of duty) are viewed as a necessary component for security. |
| Access to the system is based on the role that I play in the organization. |
| Training about security measures is provided regularly to the staff/personnel in my organization. |
| In my organization, security policies and procedures are periodically reviewed to assess if the policies meet the changing organizational needs. |
| There exists a clear structure for disciplinary action in case of noncompliance with policies and procedures in my organization. |
| In my organization, there is an emphasis on establishing open communication channel about security issues without the fear of reprisal. |
| I am required to read the security policies frequently (Quarterly, bi-anually, annually) in my organization. |
| In my organization, I have frequent communication about social engineering issues and am aware of how such tactics can create vulnerability for our system. |
| In my organization, I understand what information I have access to and why? |
| I am required to access health information only through approved devices and software in the organization. |
| I am allowed to use removable storage media from outside on my machine in the organization. |
| In my organization, I am required to take permission to use social networking sites. |
| I am aware of the procedure about what to do when my system has malware in my organization. |
| Access to the system is based on the role that I play in the organization. |
| I am required to report any misuse of information (that I am in-charge of) or its inappropriate access. |
| I am aware of the password policy that I have to comply with, in my organization. |
| I frequently receive communication about acceptable security behavior in my organization. |
| In my organization, there is an ongoing effort on training and education of employees about security issues. |