
MedISA

Medical Centre Employee Centered Information Security Awareness



Short Human Aspects of Information Security Questionnaire (sHAIS-Q)

Basis: The sHAIS-Q is based on the HAIS-Q developed by Parsons et al. (2017) as well as the extended version (eHAIS-Q). The original questionnaire measures behaviour, knowledge and attitudes related to information security across seven focus areas.

Source of the original:

Title: The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies
Authors: Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T.
DOI: 10.1016/j.cose.2017.01.004
Year: 2017

Note on short version: The short version includes selected items that do not allow for in-depth analyses but provide a solid overview of knowledge, attitudes and behaviour regarding information security. This allows for the efficient collection of a reliable situational overview. It is also possible to use only the knowledge, only the attitude, or only the behaviour part.

Year: 2025

Language of items: German and English

Number of items: 21

Reliability (McDonald's ω): Knowledge = 0.89, Attitude = 0.92, Behaviour = 0.87

Validity: Factorial, convergent and discriminant validity demonstrated for the German version

Measurement invariance: Scalar measurement invariance demonstrated for German and English

Sample for psychometric testing: 1,182 people from access panels (DACH n = 601; UK n = 581)

Items:

Knowledge
Instructions
The following statements are about your knowledge of how you should behave to comply with the information security guidelines at work.
Response Specifications
"Strongly agree" means that the statement fully complies with the information security guidelines. "Strongly disagree" means that the statement does not comply with the information security guidelines at all. You can use the options in between to grade your answers. (5-Point-Likert Scale)
Category: Statement
Shoulder surfing: When working on a sensitive document, I must ensure that strangers can't see the screen of my laptop or tablet.
Leaving sensitive material: I am allowed to leave print-outs containing sensitive information on my desk when I step away from it.
Reporting all incidents: It's optional to report security incidents.
Education & sensitivity: Staff must partake in training and educational courses on information security on a regular basis.
Policy knowledge: Staff must regularly keep themselves up to date on the organisation's information security regulations and policies.
Conversation confidentiality: When discussing confidential information, it is necessary to ensure that unauthorised persons cannot overhear.
Accountability in case of misconduct: The accidental disclosure of sensitive information to unauthorised persons must be reported.
Attitude
Instructions
The following statements are about your attitude towards the information security guidelines at work. Now please tell us what you think about these guidelines.
Response Specifications
"Strongly agree" means that the statement completely aligns with your attitude. "Strongly disagree" means that the statement has nothing at all to do with your attitude. You can use the options in between to grade your responses. (5-Point-Likert Scale)
Category: Statement
Shoulder surfing: It's risky to access sensitive work files on portable devices such as laptop or tablet if strangers can see my screen.
Leaving sensitive material: It's risky to leave print-outs that contain sensitive information on my desk unattended.
Reporting all incidents: It's risky to ignore security incidents, even if I think they're not significant.
Education & sensitivity: It is useful for staff to take part in training and educational courses on information security on a regular basis.
Policy knowledge: It is appropriate to keep myself up to date with the organisation's regulations and guidelines on information security on a regular basis.
Conversation confidentiality: It is risky to discuss confidential information if unauthorised persons are able to overhear.
Accountability in case of misconduct: It is important to report when sensitive information is accidentally disclosed to unauthorised persons.
Behavior
Instructions
The following statements are about your behavior regarding information security at work. Now please tell us how you act at work.
Response Specifications
"Strongly agree" means that the statement completely aligns with your behavior. "Strongly disagree" means that the statement has nothing at all to do with your behavior. You can use the options in between to grade your responses. (5-Point-Likert Scale)
Category: Statement
Shoulder surfing: I check that strangers can't see the screen of my portable device, such as laptop or tablet, if I'm working on a sensitive document.
Leaving sensitive material: I leave print-outs that contain sensitive information on my desk when I'm not there.
Reporting all incidents: If I notice a security incident, I would report it.
Education & sensitivity: I regularly attend courses or training on information security.
Policy knowledge: I regularly keep myself informed about the regulations and guidelines on information security within my organisation.
Conversation confidentiality: I sometimes discuss confidential information even though others may be listening.
Accountability in case of misconduct: I will report if I accidentally disclose sensitive information to an unauthorised person.