MedISA

Medical Centre Employee Centered Information Security Awareness


Short Human Aspects of Information Security Questionnaire (sHAIS-Q)

Basis: The sHAIS-Q is based on the HAIS-Q developed by Parsons et al. (2017) as well as the extended version (eHAIS-Q). The original questionnaire measures behaviour, knowledge and attitudes related to information security across seven focus areas.

Source of the original

Title: The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies
Authors: Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T.
DOI: 10.1016/j.cose.2017.01.004
Year: 2017

Note on short version: The short version includes selected items that do not allow for in-depth analyses but provide a solid overview of knowledge, attitudes and behaviour regarding information security. This allows for the efficient collection of a reliable situational overview. It is also possible to use only the knowledge, only the attitude, or only the behaviour part.

Year: 2025

Language of items: German and English

Number of items: 21

Reliability (McDonald's ω): Knowledge = 0.89, Attitude = 0.92, Behaviour = 0.87

Validity: Factorial, convergent and discriminant validity demonstrated for the German version

Measurement invariance: Scalar measurement invariance demonstrated for German and English

Sample for psychometric testing: 1,182 people from access panels (DACH n = 601; UK n = 581)

Items

Knowledge
Instructions
The following statements are about your knowledge of how you should behave to comply with the information security guidelines at work.
Response Specifications
"Strongly agree" means that the statement fully complies with the information security guidelines. "Strongly disagree" means that the statement does not comply with the information security guidelines at all. You can use the options in between to grade your answers. (5-Point-Likert Scale)
Categories
Shoulder surfing
When working on a sensitive document, I must ensure that strangers can't see the screen of my laptop or tablet.
Leaving sensitive material
I am allowed to leave print-outs containing sensitive information on my desk when I step away from it.
Reporting all incidents
It's optional to report security incidents.
Education & sensitivity
Staff must partake in training and educational courses on information security on a regular basis.
Policy knowledge
Staff must regularly keep themselves up to date on the organisation's information security regulations and policies.
Conversation confidentiality
When discussing confidential information, it is necessary to ensure that unauthorised persons cannot overhear.
Accountability in case of misconduct
The accidental disclosure of sensitive information to unauthorised persons must be reported.
Attitude
Instructions
The following statements are about your attitude towards the information security guidelines at work. Now please tell us what you think about these guidelines.
Response Specifications
"Strongly agree" means that the statement completely aligns with your attitude. "Strongly disagree" means that the statement has nothing at all to do with your attitude. You can use the options in between to grade your responses. (5-Point-Likert Scale)
Categories
Shoulder surfing
It's risky to access sensitive work files on portable devices such as laptop or tablet if strangers can see my screen.
Leaving sensitive material
It's risky to leave print-outs that contain sensitive information on my desk unattended.
Reporting all incidents
It's risky to ignore security incidents, even if I think they're not significant.
Education & sensitivity
It is useful for staff to take part in training and educational courses on information security on a regular basis.
Policy knowledge
It is appropriate to keep myself up to date with the organisation’s regulations and guidelines on information security on a regular basis.
Conversation confidentiality
It is risky to discuss confidential information if unauthorised persons are able to overhear.
Accountability in case of misconduct
It is important to report when sensitive information is accidentally disclosed to unauthorised persons.
Behavior
Instructions
The following statements are about your behavior regarding information security at work. Now please tell us how you act at work.
Response Specifications
"Strongly agree" means that the statement completely aligns with your behavior. "Strongly disagree" means that the statement has nothing at all to do with your behavior. You can use the options in between to grade your responses. (5-Point-Likert Scale)
Categories
Shoulder surfing
I check that strangers can't see the screen of my portable device, such as laptop or tablet, if I'm working on a sensitive document.
Leaving sensitive material
I leave print-outs that contain sensitive information on my desk when I'm not there.
Reporting all incidents
If I notice a security incident, I would report it.
Education & sensitivity
I regularly attend courses or training on information security.
Policy knowledge
I regularly keep myself informed about the regulations and guidelines on information security within my organisation.
Conversation confidentiality
I sometimes discuss confidential information even though others may be listening.
Accountability in case of misconduct
I will report if I accidentally disclose sensitive information to an unauthorised person.