MedISA
Medical Centre Employee Centered Information Security Awareness
LISA
Lightweight Information Security Awareness Scale (LISA)
| DOI: | 10.22029/JLUPUB-20830 Download |
|---|---|
| Note on LISA: | The short version specifically captures the latent dimensions of knowledge, attitude, and behavior in the field of information security, providing a valid situational overview even across heterogeneous workforce structures. As a practical screener, it enables a reliable assessment with minimal effort. The three dimensions can be applied flexibly: together for a comprehensive picture, or individually when the focus is placed specifically on knowledge, attitude, or behavior. |
| Year: | 2026 |
| Language of items: | German and English |
| Number of items: | 21 |
| Reliability (McDonald's ω): | Knowledge = .89, Attitude = .92, Behavior = .87 |
| Validity: | Factorial, convergent, discriminant, and nomological validity as well as known-groups validity established. Criterion validity not yet demonstrated for the English version. |
| Measurement invariance: | Scalar invariance for German and English supported |
| Sample for psychometric testing: | A total of 1,182 participants were recruited via online access panels (DACH region: n = 601; UK: n = 581) |
Items:
Knowledge
- Instructions
- The following statements are about your knowledge of how you should behave to comply with the information security guidelines at work.
- Response Specifications
- "Strongly agree" means that the statement fully complies with the information security guidelines. "Strongly disagree" means that the statement does not comply with the information security guidelines at all. You can use the options in between to grade your answers. (5-Point-Likert Scale)
| Categories | Statements |
|---|---|
| Shoulder surfing | When working on a sensitive document, I must ensure that strangers can´t see the screen of my laptop or tablet. |
| Leaving sensitive material | I am allowed to leave print-outs containing sensitive information on my desk when I step away from it. |
| Reporting all incidents | It´s optional to report security incidents. |
| Education & sensitivity | Staff must partake in training and educational courses on information security on a regular basis. |
| Policy knowledge | Staff must regularly keep themselves up to date on the organisation´s information security regulations and policies. |
| Conversation confidentiality | When discussing confidential information, it is necessary to ensure that unauthorised persons cannot overhear. |
| Accountability in case of misconduct | The accidental disclosure of sensitive information to unauthorised persons must be reported. |
Attitude
- Instructions
- The following statements are about your attitude towards the information security guidelines at work. Now please tell us what you think about these guidelines.
- Response Specifications
- "Strongly agree" means that the statement completely aligns with your attitude. "Strongly disagree" means that the statement has nothing at all to do with your attitude. You can use the options in between to grade your responses. (5-Point-Likert Scale)
| Categories | Statements |
|---|---|
| Shoulder surfing | It´s risky to access sensitive work files on portable devices such as laptop or tablet if strangers can see my screen. |
| Leaving sensitive material | It´s risky to leave print-outs that contain sensitive information on my desk unattended. |
| Reporting all incidents | It´s risky to ignore security incidents, even if I think they´re not significant. |
| Education & sensitivity | It is useful for staff to take part in training and educational courses on information security on a regular basis. |
| Policy knowledge | It is appropriate to keep myself up to date with the organisation’s regulations and guidelines on information security on a regular basis. |
| Conversation confidentiality | It is risky to discuss confidential information if unauthorised persons are able to overhear. |
| Accountability in case of misconduct | It is important to report when sensitive information is accidentally disclosed to unauthorised persons. |
Behavior
- Instructions
- The following statements are about your behavior regarding information security at work. Now please tell us how you act at work.
- Response Specifications
- "Strongly agree" means that the statement completely aligns with your behavior. "Strongly disagree" means that the statement has nothing at all to do with your behavior. You can use the options in between to grade your responses. (5-Point-Likert Scale)
| Categories | Statements |
|---|---|
| Shoulder surfing | I check that strangers can´t see the screen of my portable device, such as laptop or tablet, if I´m working on a sensitive document. |
| Leaving sensitive material | I leave print-outs that contain sensitive information on my desk when I´m not there. |
| Reporting all incidents | If I notice a security incident, I would report it. |
| Education & sensitivity | I regularly attend courses or training on information security. |
| Policy knowledge | I regularly keep myself informed about the regulations and guidelines on information security within my organisation. |
| Conversation confidentiality | I sometimes discuss confidential information even though others may be listening. |
| Accountability in case of misconduct | I will report if I accidentally disclose sensitive information to an unauthorised person. |