MedISA
Medical Centre Employee Centered Information Security Awareness
Catalogue
As part of the MedISA research, various instruments for measuring Information Security Awareness have been compiled in a catalogue, which can be used for further research and practical applications. The compiled instruments provide evidence of reliability and validity; however, the scientific quality criteria vary. For more information, please refer to the associated publications.
Name: The Human Aspects of Information Security Questionnaire (HAIS-Q) DOI: https://doi.org/10.1016/j.cose.2017.01.004
Added: 2017
Name: Simplified Information Security Awareness Scale (SISA) DOI: https://doi.org/10.3233/SHTI210248
Added: 2021
Name: Information Security Attitude Questionnaire for Nurses (ISA-Q) DOI: https://doi.org/10.1002/nop2.1353
Added: 2022
Name: Mobile Information Security Awareness Scale (MISAS) DOI: https://doi.org/10.1108/OIR-04-2020-0129
Added: 2021
Name: Security Behavior Intentions Scale (SeBIS) DOI: https://doi.org/10.1145/2702123.2702249
Added: 2015
Name: SABS ISO/IEC 17799 Scale with Focus on Hospitals (SIIS) DOI: https://www.cabidigitallibrary.org/doi/full/10.5555/20163074395
Added: 2015
Name: Cyber Security Awareness Scale Based on Recommendation of ENISA and the U.S. HHS (CSAS) DOI: http://hdl.handle.net/10125/64215
Added: 2020
Name: End-User Security Attitudes Scale (SA-6) DOI: https://www.usenix.org/conference/soups2019/presentation/faklaris
Added: 2019
Name: Security Awareness Scale for Health Care Information Systems (SAS-HIPAA) DOI: https://doi.org/10.48009/1_iis_2011_224-236
Added: 2011
Name: Hospital Staff’s Risky Cybersecurity Practices Scales (RCSPS) DOI: https://doi.org/10.1145/3465481.3470094
Added: 2021
SABS ISO/IEC 17799 Scale with Focus on Hospitals (SIIS)
Response Specification: Five-point Likert scale (1 = Strongly disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly agree)
Item |
---|
Users may not logon / gain access to our systems without being formerly registered with their own user account. |
We ensure that information processing facilities are only used for authorised business purposes. |
Our organisation controls access to information via an access control policy which specifies which users have access to what data. |
Despite being connected to public networks, we are confident that our systems are adequately protected by our internet service provider’s security and / or our own firewalling systems. |
We are confident that our anti-virus systems are up to date and in the event of a virus outbreak, we should be able to protect our systems as best as possible. |
In the event of a security incident, procedures clearly define what to do and who to call for assistance. |
A password management system is in place which specifies the frequency of password changes as well as the minimum password complexity. |
Appropriate mechanisms are in place to authenticate users logging onto our systems. |
Item |
---|
There is a formal disciplinary process for employees who have violated our security policies and processes. |
Staff have been trained to secure their computers at all times, when moving away from their work stations. |
Staff are aware that security incidents must be reported to management immediately. |
Expertise on information security is available internally and where not, external advice is sought. |
We are confident that in the event of equipment failure, theft or site disaster, our data backups and storage would enable us to retrieve our information with minimal business interruption. |
Item |
---|
Changes in the workflow with computer use, do not prevent the granting of the necessary importance to information security. |
Information security process does not adversely affect the quality of service. |
Information security is a priority issue among daily works. |
Having more workload in a organisations does not prevent the granting of the necessary importance to information security |
Item |
---|
A director (or equivalent) member of our staff has responsibility for information security. |
There is a nominated person in our organisation who is expertise on information security. |
Directors take care to improve information security in the organisation. |
Staffs take care to improve information security in the organisation. |
Staff are well informed as to what is considered to be acceptable and unacceptable usage of our information systems. |
Item |
---|
Staff are aware of our information security policy. |
We have a documented information security policy. |
Roles and responsibilities for information security in our organization are well defined. |
All staff are given adequate and appropriate information security education and training. |