
MedISA
Medical Centre Employee Centered Information Security Awareness
Publications
Authors: David Langer, Jan Tolsdorf, Luigi Lo Iacono
TL;DR
- This paper introduces LISA (Lightweight Information Security Awareness), a new, scientifically validated survey scale designed to measure information security awareness (ISA) in organizations
- Why? Because existing tools are often too long, too focused on narrow IT behaviors (like password management), available only in English, or lack the psychometric rigor needed for reliable research and practical use
Motivation
While Information Security Awareness (ISA) is a cornerstone of organizational defense, measuring it effectively remains a challenge. Existing tools are hampered by three main issues: they are too long for real-world use, they are limited to English-speaking or IT-centric contexts, and they lack the scientific validation required for reliable decision-making. This research is motivated by the need to overcome these barriers by introducing a scale that is simultaneously brief, multilingual, and psychometrically robust, designed specifically to function within the time-critical and heterogeneous environments of modern organizations.
Methodology
We conducted two studies:
- In Study I, we gathered input from experts and focus groups to create the items. We then tested the scale on 1,182 participants (DACH region: n = 601; UK: n = 581) via online panels, in order to establish that the scale is reliable and valid.
- In Study II, we deployed LISA in a large German university hospital with 579 employees. By doing so, we showed that it works in high-pressure, real-world settings with diverse staff, from doctors to IT and administrative personnel.
Key Features
LISA...
- consists of only 21 items
  - 7 for knowledge
  - 7 for attitude
  - 7 for behavior
- takes approximately 3 minutes to complete
- provides a reliable overview of knowledge, attitudes, and behaviors regarding information security across a heterogeneous workforce
- is validated in both English and German, measuring the same concept accurately in both languages
- is built on the Knowledge-Attitude-Behavior model
- moves beyond just cybersecurity to include broader, non-digital information handling, which is relevant to diverse workplaces
Main Findings
- The scale successfully differentiates between groups. For example, clinical staff (doctors/nurses) scored lower on ISA than administrative or IT staff, likely due to time pressure and work interruptions.
- LISA scores correlate strongly with organizational enablers (like management commitment and training) and organizational barriers (like workload and "shadow work" processes).
- We proved that simple "sum scores" are a reliable substitute for complex statistical modeling, making the tool easy for HR or managers to use without being statistics experts.
Reliability
We measured LISA's reliability via McDonald's ω:
- Knowledge = 0.89
- Attitude = 0.92
- Behavior = 0.87
Acknowledgements
We would like to express our sincere gratitude to the participating hospital, particularly the CISO team, for making this study possible. We thank the IT department, staff councils, and data protection officers for resolving technical, legal, and ethical issues. Above all, we are deeply grateful to the hospital staff, whose participation enabled us to gain a deeper understanding of phishing susceptibility. We also want to thank the reviewers and our shepherd for their incredibly valuable feedback, which helped us improve this paper. This research was supported by the German Federal Ministry of Health with grant number ZMI1-2521FSB801.