
MedISA
Medical Centre Employee Centered Information Security Awareness
eHAIS-Q
Extended Human Aspects of Information Security Questionnaire (eHAIS-Q, based on Parsons et al., 2017)
Basis: The extended questionnaire is based on the HAIS-Q, developed by Parsons et al. (2017). The original questionnaire measures behaviour, knowledge and attitudes related to information security across seven focus areas.
Source of the original:
Year: 2017
Note on adaptation: Two items from the focus area "Mobile Devices" were slightly modified to reflect the current state of technology. In addition, two new focus areas were added: Preventive Security Orientation and Responsible Information Sharing. The extended HAIS-Q is available in both German and English.
Year: 2025
Language of items: German and English
Number of items: 81 (9 focus areas × 3 subcategories × 3 constructs: knowledge, attitude, behaviour)
Reliability (McDonald's ω): Knowledge = 0.95, Attitude = 0.96, Behaviour = 0.94
Validity: Factorial, convergent and discriminant validity demonstrated for the English version
Measurement invariance: Scalar measurement invariance demonstrated for German and English
Sample for psychometric testing: 1,182 individuals from access panels (DACH n = 601; UK n = 581)
Knowledge
- Instructions
- The following statements are about your knowledge of how you should behave to comply with the information security guidelines at work.
- Response Specifications
- "Strongly agree" means that the statement fully complies with the information security guidelines. "Strongly disagree" means that the statement does not comply with the information security guidelines at all. You can use the options in between to grade your answers. (5-point Likert scale)
| Focus area | Subcategory | Statement |
|---|---|---|
| Password management | Using the same password | It's acceptable to use my social media password on my work accounts. |
| | Sharing passwords | I am allowed to share my work password with my colleagues. |
| | Using a strong password | A mixture of letters, numbers and symbols is necessary for short work passwords. |
| Email use | Clicking on links in emails from known senders | I am allowed to click on any links in emails from people I know. |
| | Clicking on links in emails from unknown senders | I am not permitted to click on a link in an email from an unknown sender. |
| | Opening attachments in emails from unknown senders | I am allowed to open email attachments from unknown senders. |
| Internet use | Downloading files | I am allowed to download any files onto my work computer if they help me to do my job. |
| | Accessing dubious websites | While I am at work, I shouldn't access certain websites. |
| | Entering information online | I am allowed to enter any information on any website if it helps me do my job. |
| Social media use | SM privacy settings | I must periodically review the privacy settings on my social media accounts. |
| | Considering consequences | I can't be fired for something I post on social media. |
| | Posting about work | I can post what I want about work on social media. |
| Mobile devices | Physically securing mobile devices | When working in a public place, I have to keep portable devices such as a laptop or tablet with me at all times. |
| | Sending sensitive information via Wi-Fi | I am allowed to send sensitive work files via a public Wi-Fi network. |
| | Shoulder surfing | When working on a sensitive document, I must ensure that strangers can't see the screen of my laptop or tablet. |
| Information handling | Disposing of sensitive print-outs | Sensitive print-outs can be disposed of in the same way as non-sensitive ones. |
| | Inserting removable media | If I find a USB stick in a public place, I shouldn't plug it into my work computer. |
| | Leaving sensitive material | I am allowed to leave print-outs containing sensitive information on my desk when I step away from it. |
| Incident reporting | Reporting suspicious behaviour | If I see someone acting suspiciously in my workplace, I should report it. |
| | Ignoring poor security behaviour by colleagues | I must not ignore poor security behaviour by my colleagues. |
| | Reporting all incidents | It's optional to report security incidents. |
| Preventive security orientation | Education & sensitivity | Staff must partake in training and educational courses on information security on a regular basis. |
| | Policy knowledge | Staff must regularly keep themselves up to date on the organisation's information security regulations and policies. |
| | Technical security measures | I am required to help ensure that work equipment regularly undergoes security updates. |
| Responsible information sharing | Authorized information sharing | I may only discuss confidential information with others if permission has been granted. |
| | Conversation confidentiality | When discussing confidential information, it is necessary to ensure that unauthorised persons cannot overhear. |
| | Accountability in case of misconduct | The accidental disclosure of sensitive information to unauthorised persons must be reported. |
Attitude
- Instructions
- The following statements are about your attitude towards the information security guidelines at work. Now please tell us what you think about these guidelines.
- Response Specifications
- "Strongly agree" means that the statement completely aligns with your attitude. "Strongly disagree" means that the statement has nothing at all to do with your attitude. You can use the options in between to grade your responses. (5-point Likert scale)
| Focus area | Subcategory | Statement |
|---|---|---|
| Password management | Using the same password | It's safe to use the same password for social media and work accounts. |
| | Sharing passwords | It's a bad idea to share my work passwords, even if a colleague asks for it. |
| | Using a strong password | It's safe to have a short work password with just letters. |
| Email use | Clicking on links in emails from known senders | It's always safe to click on links in emails from people I know. |
| | Clicking on links in emails from unknown senders | Nothing bad can happen if I click on a link in an email from an unknown sender. |
| | Opening attachments in emails from unknown senders | It's risky to open an email attachment from an unknown sender. |
| Internet use | Downloading files | It can be risky to download files on my work computer. |
| | Accessing dubious websites | Just because I can access a website at work doesn't mean that it's safe. |
| | Entering information online | If it helps me to do my job, it doesn't matter what information I put on a website. |
| Social media use | SM privacy settings | It's a good idea to regularly review my social media privacy settings. |
| | Considering consequences | It doesn't matter if I post things on social media that I wouldn't normally say in public. |
| | Posting about work | It's risky to post certain information about my work on social media. |
| Mobile devices | Physically securing mobile devices | When working in a public place, it's safe to leave portable devices such as a laptop or tablet unattended for a minute. |
| | Sending sensitive information via Wi-Fi | It's risky to send sensitive work files using a public Wi-Fi network. |
| | Shoulder surfing | It's risky to access sensitive work files on portable devices such as a laptop or tablet if strangers can see my screen. |
| Information handling | Disposing of sensitive print-outs | Disposing of sensitive print-outs by putting them in the rubbish bin is safe. |
| | Inserting removable media | If I find a USB stick in a public place, nothing bad can happen if I plug it into my work computer. |
| | Leaving sensitive material | It's risky to leave print-outs that contain sensitive information on my desk unattended. |
| Incident reporting | Reporting suspicious behaviour | If I ignore someone acting suspiciously in my workplace, nothing bad can happen. |
| | Ignoring poor security behaviour by colleagues | Nothing bad can happen if I ignore poor security behaviour by a colleague. |
| | Reporting all incidents | It's risky to ignore security incidents, even if I think they're not significant. |
| Preventive security orientation | Education & sensitivity | It is useful for staff to take part in training and educational courses on information security on a regular basis. |
| | Policy knowledge | It is appropriate to keep myself up to date with the organisation's regulations and guidelines on information security on a regular basis. |
| | Technical security measures | It is important for work equipment to undergo security updates on a regular basis. |
| Responsible information sharing | Authorized information sharing | It is important not to discuss confidential information with unauthorised persons. |
| | Conversation confidentiality | It is risky to discuss confidential information if unauthorised persons are able to overhear. |
| | Accountability in case of misconduct | It is important to report when sensitive information is accidentally disclosed to unauthorised persons. |
Behavior
- Instructions
- The following statements are about your behavior regarding information security at work. Now please tell us how you act at work.
- Response Specifications
- "Strongly agree" means that the statement completely aligns with your behaviour. "Strongly disagree" means that the statement has nothing at all to do with your behaviour. You can use the options in between to grade your responses. (5-point Likert scale)
| Focus area | Subcategory | Statement |
|---|---|---|
| Password management | Using the same password | I use a different password for my social media and work accounts. |
| | Sharing passwords | I share my work passwords with my colleagues. |
| | Using a strong password | I use a combination of letters, numbers and symbols in my short work password. |
| Email use | Clicking on links in emails from known senders | I don't always click on links in emails just because they come from someone I know. |
| | Clicking on links in emails from unknown senders | If an email from an unknown sender looks interesting, I click on a link within it. |
| | Opening attachments in emails from unknown senders | I don't open email attachments if the sender is unknown to me. |
| Internet use | Downloading files | I download any files onto my work computer that will help me get the job done. |
| | Accessing dubious websites | When accessing the Internet at work, I visit any website that I want to. |
| | Entering information online | I assess the safety of websites before entering information. |
| Social media use | SM privacy settings | I don't regularly review my social media privacy settings. |
| | Considering consequences | I don't post anything on social media before considering any negative consequences. |
| | Posting about work | I post whatever I want about my work on social media. |
| Mobile devices | Physically securing mobile devices | When working in a public place, I leave portable devices such as a laptop or tablet unattended. |
| | Sending sensitive information via Wi-Fi | I send sensitive work files using a public Wi-Fi network. |
| | Shoulder surfing | I check that strangers can't see the screen of my portable device, such as a laptop or tablet, if I'm working on a sensitive document. |
| Information handling | Disposing of sensitive print-outs | When sensitive print-outs need to be disposed of, I ensure that they are shredded or destroyed. |
| | Inserting removable media | I wouldn't plug a USB stick found in a public place into my work computer. |
| | Leaving sensitive material | I leave print-outs that contain sensitive information on my desk when I'm not there. |
| Incident reporting | Reporting suspicious behaviour | If I saw someone acting suspiciously in my workplace, I would do something about it. |
| | Ignoring poor security behaviour by colleagues | If I notice my colleague ignoring security rules, I wouldn't take any action. |
| | Reporting all incidents | If I notice a security incident, I would report it. |
| Preventive security orientation | Education & sensitivity | I regularly attend courses or training on information security. |
| | Policy knowledge | I regularly keep myself informed about the regulations and guidelines on information security within my organisation. |
| | Technical security measures | I make sure that available security updates are installed on my work equipment. |
| Responsible information sharing | Authorized information sharing | I sometimes discuss confidential information with others without permission. |
| | Conversation confidentiality | I sometimes discuss confidential information even though others may be listening. |
| | Accountability in case of misconduct | I will report if I accidentally disclose sensitive information to an unauthorised person. |
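A scoring helper for the item bank in the three tables above, added here as a worked example; it is not part of the MedISA page and not scoring material from the HAIS-Q authors. The page does not say how the items are scored, so two things are the editor's assumptions: that negatively worded items (where agreeing is the insecure answer) are reverse-keyed so that after keying 5 always means the more secure answer, and that a focus area whose keyed mean falls below 3.5 is worth flagging for follow-up training. The polarity table is the editor's reading of each statement's wording in table order, the two respondents are constructed, and the names (`POLARITY`, `item_bank`, `score_respondent`, `FLAG_THRESHOLD`) are the editor's own.

```python
"""Scoring helper for the 81-item eHAIS-Q bank laid out in the three tables above.

Added example by the editor; not part of the MedISA page and not the HAIS-Q
authors' scoring material. Two assumptions the page does not state:
  * negatively worded items (agreeing is the insecure answer) are reverse-keyed,
    so that after keying 5 always means "most secure";
  * a focus area is flagged for follow-up when its keyed mean falls below
    FLAG_THRESHOLD.
Item polarity in POLARITY is the editor's reading of each statement's wording.
"""
from statistics import mean

CONSTRUCTS = ("knowledge", "attitude", "behaviour")
FOCUS_AREAS = (
    "Password management", "Email use", "Internet use", "Social media use",
    "Mobile devices", "Information handling", "Incident reporting",
    "Preventive security orientation", "Responsible information sharing",
)
# One three-character string per focus area, one character per subcategory in
# table order: "+" agreeing is the secure answer, "-" agreeing is insecure.
POLARITY = {
    "knowledge": ("--+", "-+-", "-+-", "+--", "+-+", "-+-", "++-", "+++", "+++"),
    "attitude":  ("-+-", "--+", "++-", "+-+", "-++", "--+", "--+", "+++", "+++"),
    "behaviour": ("+-+", "+-+", "--+", "-+-", "--+", "++-", "+-+", "+++", "--+"),
}
FLAG_THRESHOLD = 3.5  # assumed cut-off, not taken from the page


def item_bank():
    """Return [(construct, focus_area, subcategory_index, reverse_keyed), ...]."""
    bank = []
    for construct in CONSTRUCTS:
        for area, signs in zip(FOCUS_AREAS, POLARITY[construct]):
            for idx, sign in enumerate(signs):
                bank.append((construct, area, idx, sign == "-"))
    return bank


def key_item(raw, reverse_keyed):
    """Map a raw 1..5 Likert answer onto the secure direction (5 = most secure)."""
    if raw not in (1, 2, 3, 4, 5):
        raise ValueError(f"Likert answer out of range: {raw!r}")
    return 6 - raw if reverse_keyed else raw


def score_respondent(answers, threshold=FLAG_THRESHOLD):
    """Score one respondent.

    answers maps (construct, focus_area, subcategory_index) -> raw 1..5.
    Returns keyed means per construct and per focus area plus the focus areas
    whose mean is below threshold. Missing items are an error rather than being
    silently skipped, so a partial export cannot pass as a complete assessment.
    """
    bank = item_bank()
    missing = [(c, a, i) for c, a, i, _ in bank if (c, a, i) not in answers]
    if missing:
        raise ValueError(f"{len(missing)} of {len(bank)} items unanswered, e.g. {missing[0]}")
    keyed = {(c, a, i): key_item(answers[(c, a, i)], rev) for c, a, i, rev in bank}
    by_construct = {
        c: mean([v for (cc, _, _), v in keyed.items() if cc == c]) for c in CONSTRUCTS
    }
    by_area = {
        a: mean([v for (_, aa, _), v in keyed.items() if aa == a]) for a in FOCUS_AREAS
    }
    flagged = [a for a, s in by_area.items() if s < threshold]
    return {"by_construct": by_construct, "by_area": by_area, "flagged": flagged}


def textbook_answers():
    """Constructed respondent who gives the secure extreme on every item."""
    return {(c, a, i): (1 if rev else 5) for c, a, i, rev in item_bank()}


def weak_on_mobile_answers():
    """Constructed respondent: secure everywhere except Mobile devices, where
    attitude is neutral (raw 3) and behaviour is the insecure extreme."""
    answers = textbook_answers()
    for c, a, i, rev in item_bank():
        if a != "Mobile devices":
            continue
        if c == "attitude":
            answers[(c, a, i)] = 3
        elif c == "behaviour":
            answers[(c, a, i)] = 5 if rev else 1
    return answers


if __name__ == "__main__":
    report = score_respondent(weak_on_mobile_answers())
    for area, score in report["by_area"].items():
        flag = "  <- below threshold" if area in report["flagged"] else ""
        print(f"{area:34s} {score:.2f}{flag}")
    print("by construct:", {k: round(v, 2) for k, v in report["by_construct"].items()})
```

Run as a script it prints the per-area table for the constructed respondent, with Mobile devices at 3.00 and flagged while every other area sits at 5.00. The length of `item_bank()` doubles as a check against the page's stated item count of 81; if a translation or local adaptation adds or drops an item, the polarity table has to change with it or the scoring is silently wrong for that item.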